Pcsecuritylab.com Browser Hijack


  • This topic is locked
8 replies to this topic

#1 Brewbud

Brewbud

  • Members
  • 5 posts
  • Local time:05:51 PM

Posted 27 December 2007 - 09:46 PM

First time posting here. Trying to fix a pc for a friend. Windows XP Pro ver 2002 SP1.

Have identified PCsecuritylab.com Hijack and others???

Ran ComboFix and it helped, but I assume there is more to it than just running ComboFix. Any help is appreciated.

Thanks,
Tab


ComboFix and HijackThis logs follow:


Combofix log:

ComboFix 07-12-21.4 - admin 2007-12-27 18:00:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.64 [GMT -8:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Bon Bon\Desktop\searchus.exe
C:\Documents and Settings\Bon Bon\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Bon Bon\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Bon Bon\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Bon Bon\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Bon Bon\Start Menu\Programs\Startup\think-adz.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\curity~1
C:\Program Files\curity~1\??curity\
C:\Program Files\curity~1\fast.exe
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.6\wbuninst.exe
C:\Program Files\web buying\v1.8.6\webbuying.exe
C:\Program Files\WinAble
C:\Program Files\WinAble\winable.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\b122.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\egmulhxk.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~1\d?xplore.exe
C:\WINDOWS\system32\htaaw.dll
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wapiitr.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wl.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\xxyyyvu.dll
C:\WINDOWS\system32\yqvdrnv.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\uninst2.htm
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\unist1.htm
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\YWRtaW4\
C:\WINDOWS\YWRtaW4\\asappsrv.dll
C:\WINDOWS\YWRtaW4\\command.exe
C:\WINDOWS\YWRtaW4\command.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-27 18:09 . 2007-12-27 18:10 344,576 --a------ C:\WINDOWS\system32\mljgf.dll
2007-12-27 18:06 . 2007-12-27 18:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-12-27 17:02 . 2007-12-27 17:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 17:02 . 2007-12-27 17:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-27 15:55 . 2007-12-27 15:55 212,992 --a------ C:\WINDOWS\troy44 .exe
2007-12-27 15:55 . 2007-12-27 15:55 196,679 --a------ C:\WINDOWS\system32\lwinkldq .exe
2007-12-27 15:55 . 2007-12-27 15:55 57,360 --a------ C:\WINDOWS\system32\kjdsrngn .exe
2007-12-27 15:39 . 2007-12-27 15:55 409,088 --a------ C:\WINDOWS\system32\kjdsrngn.exe
2007-12-27 15:39 . 2007-12-27 15:39 57,351 --a------ C:\WINDOWS\system32\dwdsrngt .exe
2007-12-27 15:38 . 2007-12-27 15:55 563,200 --a------ C:\WINDOWS\troy44 .exe
2007-12-27 15:38 . 2007-12-27 15:55 550,912 --a------ C:\WINDOWS\system32\lwinkldq .exe
2007-12-27 15:38 . 2007-12-27 18:09 114,688 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-27 15:38 . 2007-12-27 15:38 35,840 --a------ C:\WINDOWS\winshow .exe
2007-12-27 15:37 . 2007-12-27 18:09 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-27 12:43 . 2007-12-27 18:10 348,160 --a------ C:\WINDOWS\system32\mljgf.exe
2007-12-27 12:40 . 2007-12-27 12:42 <DIR> d-------- C:\Program Files\Spruce
2007-12-27 12:40 . 2007-12-27 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-27 12:40 . 2007-12-27 15:38 550,912 --a------ C:\WINDOWS\system32\lwinkldq.exe
2007-12-27 12:40 . 2007-12-27 12:40 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-27 12:39 . 2007-12-27 15:38 389,120 --a------ C:\WINDOWS\mrofinu77.exe.tmp
2007-12-27 12:38 . 2007-12-27 12:38 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-27 12:38 . 2007-12-27 12:38 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-27 12:38 . 2007-12-27 16:46 <DIR> d-------- C:\WINDOWS\system32\bbc9
2007-12-27 12:37 . 2007-12-27 12:37 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-27 12:37 . 2007-12-27 12:38 <DIR> d-------- C:\Temp\cEeer12
2007-12-27 12:37 . 2007-12-27 18:04 <DIR> d-------- C:\Temp
2007-12-19 14:05 . 2007-12-27 15:38 563,200 --a------ C:\WINDOWS\troy44.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 02:10 --------- d-----w C:\Program Files\QuickTime
2007-12-28 02:10 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-12-28 02:10 --------- d-----w C:\Program Files\iTunes
2007-12-28 02:00 --------- d-----w C:\Program Files\SymNetDrv
2007-12-28 00:59 145,408 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2007-12-28 00:58 504,832 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-28 00:58 463,872 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-12-28 00:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 00:53 --------- d-----w C:\Program Files\Resolution Switching Utility
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DF99BFF-6C58-4C90-AEBD-9833327A3195}]
2007-12-27 18:10 344576 --a------ C:\WINDOWS\System32\mljgf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-11-22 13:45 C:\WINDOWS\system32\irprops.cpl]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2007-12-27 16:58]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-12-27 16:58]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-12-27 16:58]
"WUSB54GS"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2007-12-27 18:10]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [2007-12-27 18:10]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-27 16:58]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-12-27 16:58]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 02:41]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 13:57 86016]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\System32\mljgf.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\mljgf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-12-27 16:58 424960 --a------ c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\lwinkldq .exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd Daemon]
SKDAEMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
2007-12-27 15:37 896512 --a------ C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSCREX]
2007-12-27 16:53 424448 --a------ C:\Program Files\Resolution Switching Utility\TPSCREX2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44]
2007-12-27 15:38 563200 --a------ C:\WINDOWS\troy44.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
2007-12-27 15:55 563200 --a------ C:\WINDOWS\troy44 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
2007-12-27 15:55 212992 --a------ C:\WINDOWS\troy44 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_SMB]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
2007-12-27 15:54 380928 --a------ C:\IBMTools\Updater\ucstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
2007-12-27 15:38 35840 --a------ C:\WINDOWS\winshow .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B6-68-84-47-ZN}]
C:\windows\system32\kjdsrngn.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)

R1 pelmouse;Mouse Suite Driver;C:\WINDOWS\System32\DRIVERS\pelmouse.sys [2003-01-10 12:55]
R2 WUSB54GSSVC;WUSB54GSSVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe" []
S3 pelps2m;PS/2 Mouse Filter Driver;C:\WINDOWS\System32\DRIVERS\pelps2m.sys [2003-01-20 21:28]

*Newly Created Service* - ALG
*Newly Created Service* - GTNDIS5
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-08-23 01:15:09 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2007-08-23 01:15:09 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 18:10:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\WINDOWS\System32\mljgf.dll
.
Completion time: 2007-12-27 18:20:27 - machine was rebooted



HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:20 PM, on 12/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray .exe
C:\WINDOWS\System32\hkcmd .exe
C:\WINDOWS\System32\igfxtray .exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\System32\dwwin.exe
C:\Documents and Settings\admin\Desktop\HiJackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\System32\mljgf.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WUSB54GS] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WUSB54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 4756 bytes
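The logs above show a pattern worth a mechanical check: several legitimate executable names appear a second time with a space inserted before the extension (`hkcmd.exe` next to `hkcmd .exe`, `igfxtray.exe` next to `igfxtray .exe`, `troy44.exe` next to `troy44 .exe`), so a glance down the process list reads as all-familiar names. The following is an added triage helper, not code from the original post or from ComboFix/HijackThis: it pulls the file path from the end of each log line (both the HijackThis "Running processes" and the ComboFix "Files Created" formats end in a path), groups basenames after collapsing whitespace and case, and reports every whitespace-padded name together with the clean name it imitates. The sample lines are copied from the logs in this post; the regex and grouping logic are this example's own assumptions about the two log layouts.

```python
import re

# Constructed sample input: lines copied from the HijackThis "Running
# processes" list and the ComboFix "Files Created" section in the post above.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray .exe
C:\WINDOWS\System32\hkcmd .exe
C:\WINDOWS\System32\igfxtray .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\WINDOWS\System32\wuauclt.exe
2007-12-27 15:55 . 2007-12-27 15:55 212,992 --a------ C:\WINDOWS\troy44 .exe
2007-12-27 15:38 . 2007-12-27 15:38 35,840 --a------ C:\WINDOWS\winshow .exe
2007-12-19 14:05 . 2007-12-27 15:38 563,200 --a------ C:\WINDOWS\troy44.exe
"""

# In both log layouts the Windows path runs from the drive letter to the end
# of the line, so anchor on that rather than on the (space-containing) name.
# This layout assumption is the example's own, not documented by either tool.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)\s*$")


def extract_paths(text):
    """Return the unique file paths found at the end of each log line."""
    paths = set()
    for line in text.splitlines():
        m = PATH_RE.search(line)
        if m:
            paths.add(m.group(1))
    return paths


def canonical(name):
    """Collapse whitespace and case so 'hkcmd .exe' and 'hkcmd.exe' compare equal."""
    return re.sub(r"\s+", "", name).lower()


def find_padded_names(text):
    """Flag basenames that contain whitespace before the extension and report
    which clean name in the same log, if any, they imitate.

    Returns a list of (padded_name, lookalike_or_None), sorted by canonical name.
    """
    by_key = {}
    for path in extract_paths(text):
        base = path.rsplit("\\", 1)[-1]
        by_key.setdefault(canonical(base), set()).add(base)

    findings = []
    for key in sorted(by_key):
        variants = by_key[key]
        padded = {v for v in variants if re.search(r"\s", v)}
        clean = variants - padded
        for name in sorted(padded):
            findings.append((name, min(clean) if clean else None))
    return findings


if __name__ == "__main__":
    for name, lookalike in find_padded_names(SAMPLE_LOG):
        verdict = f"imitates {lookalike}" if lookalike else "no clean sibling in log"
        print(f"{name!r:28} {verdict}")
```

Run it on the whole pasted thread and every padded name is listed once, with `winshow .exe` reported without a clean sibling because the sample contains only the padded copy. A name flagged with a lookalike is a stronger signal than one without: the padded file is sitting beside the real one and relying on the eye skipping the gap.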


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:51 PM

Posted 28 December 2007 - 09:43 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
You've got a lot going on there.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Also post a new log from Combofix.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Brewbud

Brewbud
  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:51 PM

Posted 28 December 2007 - 03:47 PM

Thanks Sam!

Ran SAS and ComboFix. Wow, SAS found a lot of stuff. Odd: when ComboFix was running, a Norton screen kept popping up trying to stop the ComboFix scripts. Odd because I had already disabled Norton in MSCONFIG, because it did this the first time I ran ComboFix. Also, a rundll error kept repeatedly popping up: wkbcbhtr.dll in Windows/System32.

SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/28/2007 at 11:04 AM

Application Version : 3.9.1008

Core Rules Database Version : 3369
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 00:36:19

Memory items scanned : 359
Memory threats detected : 4
Registry items scanned : 4297
Registry threats detected : 23
File items scanned : 36798
File threats detected : 144

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\MLJGF.DLL
C:\WINDOWS\SYSTEM32\MLJGF.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINST2.HTM.VIR

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\WKBCBHTR.DLL
C:\WINDOWS\SYSTEM32\WKBCBHTR.DLL
HKLM\Software\Classes\CLSID\{ddbab5bc-0d6f-4286-93af-bb09e8b44482}
HKCR\CLSID\{DDBAB5BC-0D6F-4286-93AF-BB09E8B44482}
HKCR\CLSID\{DDBAB5BC-0D6F-4286-93AF-BB09E8B44482}\InprocServer32
HKCR\CLSID\{DDBAB5BC-0D6F-4286-93AF-BB09E8B44482}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddbab5bc-0d6f-4286-93af-bb09e8b44482}

Adware.eZula
C:\WINDOWS\SYSTEM32\RRJAKHUN.EXE
C:\WINDOWS\SYSTEM32\RRJAKHUN.EXE
C:\WINDOWS\Prefetch\RRJAKHUN.EXE-2104F8A2.pf

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\GYJEMPCC.DLL
C:\WINDOWS\SYSTEM32\GYJEMPCC.DLL

Trojan.Downloader-ConHook
[load] C:\WINDOWS\SYSTEM32\MLJGF.EXE
C:\WINDOWS\SYSTEM32\MLJGF.EXE
[load] C:\WINDOWS\SYSTEM32\MLJGF.EXE
[load] C:\WINDOWS\SYSTEM32\MLJGF.EXE
[load] C:\WINDOWS\SYSTEM32\MLJGF.EXE
C:\WINDOWS\Prefetch\MLJGF.EXE-20AA40CC.pf

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{BC4D26D5-3DFB-49F4-8327-DD46834FD862}
HKCR\CLSID\{BC4D26D5-3DFB-49F4-8327-DD46834FD862}
HKCR\CLSID\{BC4D26D5-3DFB-49F4-8327-DD46834FD862}\InprocServer32
HKCR\CLSID\{BC4D26D5-3DFB-49F4-8327-DD46834FD862}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{E168EC65-BDD6-4E70-BA3B-E4FE07505EA6}
HKCR\CLSID\{E168EC65-BDD6-4E70-BA3B-E4FE07505EA6}
HKCR\CLSID\{E168EC65-BDD6-4E70-BA3B-E4FE07505EA6}\InprocServer32
HKCR\CLSID\{E168EC65-BDD6-4E70-BA3B-E4FE07505EA6}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC4D26D5-3DFB-49F4-8327-DD46834FD862}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E168EC65-BDD6-4E70-BA3B-E4FE07505EA6}

Trojan.Downloader-Gen/DDC
HKLM\System\ControlSet001\Services\DomainService
HKLM\System\CurrentControlSet\Services\DomainService
C:\DOCUMENTS AND SETTINGS\BON BON\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\OBYIUPA4\GAMADRIL20071203[1]

Adware.Tracking Cookie
C:\Documents and Settings\admin\Cookies\admin@atdmt[2].txt
C:\Documents and Settings\admin\Cookies\admin@stats.adbrite[2].txt
C:\Documents and Settings\admin\Cookies\admin@ads.monster[2].txt
C:\Documents and Settings\admin\Cookies\admin@counter.hitslink[1].txt
C:\Documents and Settings\admin\Cookies\admin@msnportal.112.2o7[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@2o7[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@a.findarticles[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ad.outerinfoads[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ad.yieldmanager[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@adlegend[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@adopt.euroclick[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@adopt.specificclick[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@adredired[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@adrevolver[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@adrevolver[3].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ads.addynamix[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ads.bridgetrack[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ads.glispa[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ads.pointroll[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@adserver[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@adsrevenue[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@advertising[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@anad.tacoda[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@anat.tacoda[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@apmebf[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@arbitrack[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@atdmt[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@atwola[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@azjmp[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@bizrate[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@blockbuster.112.2o7[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@bluestreak[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@bs.serving-sys[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@burstnet[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@buycom.122.2o7[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@casalemedia[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@citi.bridgetrack[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@clicksor[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@collective-media[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@doubleclick[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@e2itg.pbteen[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ehg-dig.hitbox[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ehg-shoes.hitbox[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ehg-uniontrib.hitbox[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@ehg.hitbox[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@fastclick[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@findarticles[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@hitbox[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@keywordmax[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@link.mercent[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@linksynergy[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@media.adrevolver[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@mediaplex[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@msnportal.112.2o7[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@nextag[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@overture[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@partner2profit[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@paypal.112.2o7[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@pbteen[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@pcs-banners.sun3.lightsurf[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@perf.overture[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@porn4brains[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@pt.crossmediaservices[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@questionmarket[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@quill.112.2o7[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@realmedia[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@revenue[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@revsci[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@roiservice[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@rotator.adjuggler[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@sales.liveperson[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@server.iad.liveperson[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@serving-sys[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@shoplocl.adbureau[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@snapfish.112.2o7[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@specificclick[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@statcounter[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@statse.webtrendslive[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@tacoda[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@thefind[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@traffic.buyservices[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@trafficmp[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@tribalfusion[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@windowsmedia[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@wjadserver[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@www.burstbeacon[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@www.clickmanage[2].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@www.windowsmedia[1].txt
C:\Documents and Settings\Bon Bon\Cookies\bon bon@zedo[2].txt
C:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt
C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt
C:\Documents and Settings\LocalService\Cookies\system@track[1].txt
C:\Documents and Settings\LocalService\Cookies\system@zedo[1].txt

Trojan.WinBo32/Enhance
HKU\S-1-5-21-1474428744-98595493-460407161-1006\Software\System\sysuid

Adware.Web Buying
HKU\S-1-5-21-1474428744-98595493-460407161-1006\Software\WebBuying

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1549OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1549OINUNINSTALLER.EXE.VIR

Trojan.NetMon/DNSChange
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0007991.EXE

Adware.WebBuying Assistant-Installer
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.6\WBUNINST.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.6\WEBBUYING.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP98\A0007882.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0007995.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0007996.EXE

Trojan.Downloader-FakeRX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EGMULHXK.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0008056.DLL

Adware.ClickSpring
C:\qoobox\Quarantine\C\WINDOWS\system32\FNTS~1\DXPLOR~1.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HTAAW.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0007971.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0007997.EXE

Trojan.Unclassified/LPCYWINP
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LPCYWINP.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0008055.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WAPIITR.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNIST1.HTM.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP98\A0007881.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0007965.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0007968.EXE

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YQVDRNV.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\YWRTAW4\COMMAND.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0007972.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0007973.EXE

Adware.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ZXDNT3D.CFG.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0008007.CFG

Adware.Adservs
C:\QOOBOX\QUARANTINE\C\WINDOWS\YWRTAW4\ASAPPSRV.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP98\A0007880.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0008000.DLL

Adware.ZenoSearch-NVON
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP98\A0007868.EXE
C:\WINDOWS\SYSTEM32\DWDSRNGT .EXE
C:\WINDOWS\SYSTEM32\KJDSRNGN .EXE

Trojan.ZenoSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP98\A0007870.EXE
C:\WINDOWS\SYSTEM32\LWINKLDQ .EXE

Trojan.Downloader-Gen/BundleBase
C:\WINDOWS\SYSTEM32\ARDCO02\ARDCO021099.EXE

Trojan.Downloader-Gen/TaLDrv
C:\WINDOWS\SYSTEM32\DJ2\AXEBMBRPL6.EXE


CF log:

ComboFix 07-12-21.4 - admin 2007-12-28 12:12:45.3 - NTFSx86
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mljgf.dll
.
---- Previous Run -------
.
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mljgf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE




((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-28 12:17 . 2007-12-28 12:17 319 --ahs---- C:\WINDOWS\system32\fgjlm.ini2
2007-12-28 10:21 . 2007-12-28 12:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-28 10:21 . 2007-12-28 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-28 10:21 . 2007-12-28 10:21 <DIR> d-------- C:\Documents and Settings\admin\Application Data\SUPERAntiSpyware.com
2007-12-28 10:20 . 2007-12-28 10:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-28 09:46 . 2007-12-28 10:15 1,031,199 --ahs---- C:\WINDOWS\system32\rthbcbkw.ini
2007-12-27 17:02 . 2007-12-27 17:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 17:02 . 2007-12-27 17:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-27 15:55 . 2007-12-27 15:55 212,992 --a------ C:\WINDOWS\troy44 .exe
2007-12-27 15:39 . 2007-12-27 15:55 409,088 --a------ C:\WINDOWS\system32\kjdsrngn.exe
2007-12-27 15:38 . 2007-12-27 15:55 563,200 --a------ C:\WINDOWS\troy44 .exe
2007-12-27 15:38 . 2007-12-27 15:55 550,912 --a------ C:\WINDOWS\system32\lwinkldq .exe
2007-12-27 15:38 . 2007-12-28 12:17 114,688 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-27 15:38 . 2007-12-27 15:38 35,840 --a------ C:\WINDOWS\winshow .exe
2007-12-27 15:37 . 2007-12-28 12:17 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-27 12:40 . 2007-12-27 12:42 <DIR> d-------- C:\Program Files\Spruce
2007-12-27 12:40 . 2007-12-27 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-27 12:40 . 2007-12-27 15:38 550,912 --a------ C:\WINDOWS\system32\lwinkldq.exe
2007-12-27 12:40 . 2007-12-27 12:40 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-27 12:39 . 2007-12-27 15:38 389,120 --a------ C:\WINDOWS\mrofinu77.exe.tmp
2007-12-27 12:38 . 2007-12-27 12:38 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-27 12:38 . 2007-12-28 11:15 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-27 12:38 . 2007-12-27 16:46 <DIR> d-------- C:\WINDOWS\system32\bbc9
2007-12-27 12:37 . 2007-12-28 11:15 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-27 12:37 . 2007-12-27 12:38 <DIR> d-------- C:\Temp\cEeer12
2007-12-27 12:37 . 2007-12-27 18:04 <DIR> d-------- C:\Temp
2007-12-19 14:05 . 2007-12-27 15:38 563,200 --a------ C:\WINDOWS\troy44.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 20:17 --------- d-----w C:\Program Files\QuickTime
2007-12-28 20:17 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-12-28 20:17 --------- d-----w C:\Program Files\iTunes
2007-12-28 18:14 496,128 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2007-12-28 02:00 --------- d-----w C:\Program Files\SymNetDrv
2007-12-28 00:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 00:53 --------- d-----w C:\Program Files\Resolution Switching Utility
.

((((((((((((((((((((((((((((( snapshot@2007-12-27_18.10.53.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-28 00:57:56 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-28 20:11:28 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-28 00:57:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-28 20:11:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-28 00:57:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 20:11:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-28 00:58:28 463,872 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2007-12-28 20:07:36 463,872 ----a-w C:\WINDOWS\system32\hkcmd.exe
- 2007-12-28 00:58:26 504,832 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2007-12-28 20:07:35 504,832 ----a-w C:\WINDOWS\system32\igfxtray.exe
- 2007-12-28 00:58:50 348,160 ----a-w C:\WINDOWS\system32\mljgf.exe
+ 2007-12-28 20:17:47 3,584 ----a-w C:\WINDOWS\system32\mljgf.exe
- 2007-10-29 16:15:41 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-28 16:39:24 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 16:15:41 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-28 16:39:24 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-12-28 12:11]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-11-22 13:45 C:\WINDOWS\system32\irprops.cpl]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2007-12-28 12:11]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-12-28 12:07]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-12-28 12:07]
"WUSB54GS"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2007-12-28 12:17]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [2007-12-28 12:17]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-28 12:07]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-12-28 12:13]
"988b68e8"="C:\WINDOWS\System32\wkbcbhtr.dll" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 13:57 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\System32\\mljgf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-12-27 16:58 424960 --a------ c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\lwinkldq .exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd Daemon]
SKDAEMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
2007-12-27 15:37 896512 --a------ C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSCREX]
2007-12-27 16:53 424448 --a------ C:\Program Files\Resolution Switching Utility\TPSCREX2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44]
2007-12-27 15:38 563200 --a------ C:\WINDOWS\troy44.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
2007-12-27 15:55 563200 --a------ C:\WINDOWS\troy44 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
2007-12-27 15:55 212992 --a------ C:\WINDOWS\troy44 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_SMB]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
2007-12-27 15:54 380928 --a------ C:\IBMTools\Updater\ucstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
2007-12-27 15:38 35840 --a------ C:\WINDOWS\winshow .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B6-68-84-47-ZN}]
C:\windows\system32\kjdsrngn.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-08-23 01:15:09 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2007-08-23 01:15:09 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 12:17:41
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\WINDOWS\System32\mljgf.dll
.
Completion time: 2007-12-28 12:20:16 - machine was rebooted [admin]
C:\ComboFix2.txt ... 2007-12-27 18:20

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 December 2007 - 12:13 AM

Please download this tool and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Double click to run it.
Please post the log it produces in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Brewbud

  • Topic Starter
  • Members
  • 5 posts

Posted 02 January 2008 - 08:05 PM

Here ya go Sam.

Ran on Wed 01/02/2008 - 17:00:09.65

----a-w			32,768 2007-12-27 23:38:06  C:\IBMTOOLS\Updater\ucstartup .exe
----a-w			40,048 2008-01-03 00:37:40  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w			98,304 2008-01-03 00:37:38  C:\Program Files\Analog Devices\SoundMAX\SMTray .exe
----a-w		 2,321,600 2008-01-02 16:32:42  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w			70,816 2007-12-28 00:58:41  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   536,576 2007-12-27 23:54:36  C:\Program Files\IBM\Messages By IBM\ibmmessages .exe
----a-w		   271,672 2008-01-03 00:37:40  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			24,576 2008-01-03 00:37:38  C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3 .exe
----a-w		 1,511,453 2007-12-28 02:01:36  C:\Program Files\Messenger\msmsgs .exe
----a-w		   286,720 2008-01-03 00:37:38  C:\Program Files\QuickTime\QTTask		.exe
----a-w		   662,016 2008-01-03 00:37:29  C:\Program Files\QuickTime\QTTask	   .exe
----a-w		   317,440 2007-12-28 20:17:43  C:\Program Files\QuickTime\QTTask	  .exe
----a-w		   662,016 2007-12-28 20:13:49  C:\Program Files\QuickTime\QTTask	 .exe
----a-w		   662,016 2007-12-28 20:07:40  C:\Program Files\QuickTime\QTTask	.exe
----a-w		   662,016 2007-12-28 02:10:13  C:\Program Files\QuickTime\QTTask   .exe
----a-w		   662,016 2007-12-28 00:58:38  C:\Program Files\QuickTime\QTTask  .exe
----a-w		   662,016 2007-12-28 00:53:47  C:\Program Files\QuickTime\QTTask .exe
----a-w			70,144 2007-12-27 23:54:47  C:\Program Files\Resolution Switching Utility\TPSCREX2 .exe
----a-w		 1,318,912 2008-01-03 00:37:42  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		 1,622,016 2007-12-28 00:53:46  C:\Program Files\Support.com\Bin\tgcmd .exe
----a-w			95,960 2007-12-28 00:58:48  C:\Program Files\SymNetDrv\SNDMon .exe
----a-w		   212,992 2007-12-27 23:55:12  C:\WINDOWS\troy44  .exe
----a-w		   563,200 2007-12-27 23:55:07  C:\WINDOWS\troy44 .exe
----a-w			35,840 2007-12-27 23:38:30  C:\WINDOWS\winshow .exe
----a-w		   496,128 2007-12-28 18:14:04  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w		   114,688 2008-01-03 00:37:38  C:\WINDOWS\system32\hkcmd .exe
----a-w		   155,648 2008-01-03 00:37:38  C:\WINDOWS\system32\igfxtray .exe
----a-w		   550,912 2007-12-27 23:55:07  C:\WINDOWS\system32\lwinkldq .exe

 Entries:			   28  (28)
 Directories:			0  Files:			28
 Bytes:		 14,720,509  Blocks:	   28,755


#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 January 2008 - 10:06 AM

New strategy since your last post. Delete the copy of combofix.exe that you have now.
Download the updated version.



Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#7 Brewbud

  • Topic Starter
  • Members
  • 5 posts

Posted 08 January 2008 - 04:51 PM

Hi Sam,

Came back to check the response and I don't see the last combofix I thought I posted. Probably shut down my PC without it posting. A Friday oops, I guess.

Here is the latest log.

Thanks,
Tab

ComboFix 08-01-04.1 - admin 2008-01-04 13:59:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.89 [GMT -8:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\IBMTOOLS\Updater\ucstartup.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Resolution Switching Utility\TPSCREX2.exe
C:\Program Files\Spruce
C:\Program Files\Spruce\Spruce.dll
C:\Program Files\Spruce\Spruce.dll.intermediate.manifest
C:\Program Files\Spruce\Spruce.exe
C:\Program Files\Spruce\Spruce.info
C:\Program Files\Spruce\Spruce.original
C:\Program Files\Spruce\SpruceRg.dll
C:\Program Files\Spruce\un_SpruceSetup_17737.exe
C:\Program Files\Spruce\un_SpruceSetup_17737.txt
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Spruce\X_Spruce.log
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Support.com\Bin\tgcmd.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\lwinkldq .exe
C:\WINDOWS\system32\lwinkldq.exe
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\mljgf.exe
C:\WINDOWS\troy44 .exe
C:\WINDOWS\troy44.exe

<pre>
"C:\IBMTOOLS\Updater\ucstartup .exe" replaces infected copy of "C:\IBMTOOLS\Updater\ucstartup.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe" replaces infected copy of "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"C:\Program Files\Analog Devices\SoundMAX\SMTray .exe" replaces infected copy of "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe"
"C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe" replaces infected copy of "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
"C:\Program Files\Common Files\Symantec Shared\ccApp .exe" replaces infected copy of "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"C:\Program Files\IBM\Messages By IBM\ibmmessages .exe" replaces infected copy of "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe"
"C:\Program Files\iTunes\iTunesHelper .exe" replaces infected copy of "C:\Program Files\iTunes\iTunesHelper.exe"
"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3 .exe" replaces infected copy of "C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe"
"C:\Program Files\Messenger\msmsgs .exe" replaces infected copy of "C:\Program Files\Messenger\msmsgs.exe"
"C:\Program Files\Resolution Switching Utility\TPSCREX2 .exe" replaces infected copy of "C:\Program Files\Resolution Switching Utility\TPSCREX2.exe"
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe" replaces infected copy of "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"C:\Program Files\Support.com\Bin\tgcmd .exe" replaces infected copy of "C:\Program Files\Support.com\Bin\tgcmd.exe"
"C:\WINDOWS\troy44  .exe" replaces infected copy of "C:\WINDOWS\troy44.exe"
"C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
"C:\WINDOWS\system32\igfxtray .exe" replaces infected copy of "C:\WINDOWS\system32\igfxtray.exe"
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 13:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-28 10:21 . 2008-01-04 14:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-28 10:21 . 2007-12-28 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-28 10:21 . 2007-12-28 10:21 <DIR> d-------- C:\Documents and Settings\admin\Application Data\SUPERAntiSpyware.com
2007-12-28 10:20 . 2007-12-28 10:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-28 09:46 . 2007-12-28 10:15 1,031,199 --ahs---- C:\WINDOWS\system32\rthbcbkw.ini
2007-12-27 17:02 . 2007-12-27 17:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 17:02 . 2007-12-27 17:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-27 15:55 . 2007-12-27 15:55 212,992 --a------ C:\WINDOWS\troy44.exe
2007-12-27 15:39 . 2007-12-27 15:55 409,088 --a------ C:\WINDOWS\system32\kjdsrngn.exe
2007-12-27 15:38 . 2008-01-04 13:55 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-27 15:38 . 2007-12-27 15:38 35,840 --a------ C:\WINDOWS\winshow .exe
2007-12-27 15:37 . 2008-01-04 13:55 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-27 12:40 . 2007-12-27 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-27 12:40 . 2007-12-27 12:40 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-27 12:39 . 2007-12-27 15:38 389,120 --a------ C:\WINDOWS\mrofinu77.exe.tmp
2007-12-27 12:38 . 2007-12-27 12:38 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-27 12:38 . 2007-12-28 11:15 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-27 12:38 . 2007-12-27 16:46 <DIR> d-------- C:\WINDOWS\system32\bbc9
2007-12-27 12:37 . 2007-12-28 11:15 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-27 12:37 . 2007-12-27 12:38 <DIR> d-------- C:\Temp\cEeer12
2007-12-27 12:37 . 2007-12-27 18:04 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 22:02 --------- d-----w C:\Program Files\Resolution Switching Utility
2008-01-04 22:02 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-01-04 22:02 --------- d-----w C:\Program Files\iTunes
2008-01-04 22:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-04 22:01 --------- d-----w C:\Program Files\QuickTime
2007-12-28 02:00 --------- d-----w C:\Program Files\SymNetDrv
.
<pre>
----a-w			95,960 2007-12-28 00:58:48  C:\Program Files\SymNetDrv\SNDMon .exe
----a-w			35,840 2007-12-27 23:38:30  C:\WINDOWS\winshow .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2007-12-27_18.10.53.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 18:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 16:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-12-28 00:57:56 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-04 16:28:35 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-28 00:57:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-04 16:28:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-28 00:57:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-04 16:28:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-28 02:00:08 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
+ 2008-01-04 21:59:48 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
- 2007-10-29 16:15:41 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-28 16:39:24 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 16:15:41 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-28 16:39:24 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-12-14 05:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 16:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-04 13:55 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-11-22 13:45 111104 C:\WINDOWS\system32\irprops.cpl]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2008-01-04 13:55 98304]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-04 13:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-04 13:55 114688]
"WUSB54GS"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2008-01-04 13:55 24576]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-04 13:55 271672]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-04 13:55 40048]
"988b68e8"="C:\WINDOWS\System32\wkbcbhtr.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 13:57 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-12-27 16:58 70816 --a------ c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\lwinkldq .exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd Daemon]
SKDAEMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
2007-12-27 15:54 536576 --a------ C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSCREX]
2007-12-27 15:54 70144 --a------ C:\Program Files\Resolution Switching Utility\TPSCREX2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44]
2007-12-27 15:55 212992 --a------ C:\WINDOWS\troy44.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
C:\WINDOWS\troy44 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
C:\WINDOWS\troy44 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_SMB]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
2007-12-27 15:38 32768 --a------ C:\IBMTools\Updater\ucstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
2007-12-27 15:38 35840 --a------ C:\WINDOWS\winshow .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B6-68-84-47-ZN}]
C:\windows\system32\kjdsrngn.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

R1 pelmouse;Mouse Suite Driver;C:\WINDOWS\System32\DRIVERS\pelmouse.sys [2003-01-10 12:55]
R2 WUSB54GSSVC;WUSB54GSSVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe" []
S3 pelps2m;PS/2 Mouse Filter Driver;C:\WINDOWS\System32\DRIVERS\pelps2m.sys [2003-01-20 21:28]

.
Contents of the 'Scheduled Tasks' folder
"2007-08-23 01:15:09 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2007-08-23 01:15:09 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 14:04:45
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 14:05:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 22:05:46
ComboFix2.txt 2007-12-28 20:20:16
ComboFix3.txt 2007-12-28 02:20:27

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:51 PM

Posted 08 January 2008 - 05:26 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\WINDOWS\system32\to9
C:\WINDOWS\system32\dj2
C:\WINDOWS\system32\bbc9
C:\WINDOWS\system32\ardCo02
C:\Temp\cEeer12

File::
C:\WINDOWS\mrofinu77.exe.tmp
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\winshow .exe
C:\WINDOWS\system32\kjdsrngn.exe
C:\WINDOWS\troy44.exe
C:\WINDOWS\system32\rthbcbkw.ini

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"988b68e8"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^Think-Adz.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B6-68-84-47-ZN}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under 'Select a target to scan', select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
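Added example, not part of the thread: a small Python triage pass over ComboFix "Reg Loading Points" lines in the format shown in the log above, flagging the traits shared by the entries the CFScript's Registry:: section removes: an empty `[ ]` stamp (no timestamp/size recorded), a space before the extension (winshow .exe, troy44 .exe), and hex-only or nearly vowel-less names (988b68e8, wkbcbhtr, kjdsrngn). The sample log and the heuristics are constructed for this example.

```python
import re

# Constructed sample modelled on the "Reg Loading Points" lines in this thread's log.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-04 13:55 155648]
"988b68e8"="C:\WINDOWS\System32\wkbcbhtr.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
2007-12-27 15:38 35840 --a------ C:\WINDOWS\winshow .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B6-68-84-47-ZN}]
C:\windows\system32\kjdsrngn.exe CHD001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Run-key lines: "name"="path" [stamp]; an empty stamp means no file info was recorded
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<info>[^\]]*)\]')
# A drive-letter path up to its extension; tolerates "winshow .exe" style names
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|cpl))\b", re.IGNORECASE)


def looks_random(token):
    """Heuristic (mine): 8 hex chars, or a 7-9 letter run with at most one vowel."""
    t = token.lower()
    if re.fullmatch(r"[0-9a-f]{8}", t):
        return True
    if re.fullmatch(r"[a-z]{7,9}", t):
        return sum(c in "aeiou" for c in t) <= 1
    return False


def triage(log):
    """Return autorun entries that show at least one suspicious trait."""
    findings, key = [], ""
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        run = RUN_RE.match(line)
        if run:
            name, path, info = run.group("name"), run.group("path"), run.group("info").strip()
        else:  # msconfig\startupreg block: value name is the last key component
            pm = PATH_RE.search(line)
            if not pm or "startupreg" not in key.lower():
                continue
            name, path, info = key.rsplit("\\", 1)[-1], pm.group("path"), None
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if info == "":
            reasons.append("no file stamp recorded ([ ])")
        if stem.endswith(" "):
            reasons.append("space before extension (look-alike of a legitimate name)")
        if looks_random(stem.strip()) or looks_random(name):
            reasons.append("random-looking name")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings
```

Run `triage(SAMPLE)` to see the three flagged entries; IgfxTray, a stamped file with a readable name, is not reported.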

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:51 PM

Posted 31 January 2008 - 05:04 PM

Unfortunately there has been no response.
This thread will now be closed.


========================================================
