
Winfixer (vundo) Infected Computer


11 replies to this topic

#1 sagar


Posted 08 January 2008 - 09:49 AM

Hi there,

I keep getting an error on startup. It's a popup box with ssqpm.exe that says "Access to the specified device, path or file is denied". On clicking OK it comes up with another message: "Could not load or run ssqpm.exe specified in the directory. Make sure it exists on your computer or remove the reference to it in the registry". Before I tried all the anti-virus and spyware programs on your site the error was for jkklm.exe, with the same error message as above. The jkklm.exe error does not come up now.

Also my computer just would not let me install a firewall. I tried Sygate and Comodo but they could not load up!

Also HijackThis could not complete the scan as it found some error and said a log file had been saved. Below is the log file. Please help, I have been on this for 2 days now. I need to sort out this computer and my other one. I guess one at a time. So no firewall, and I'm not sure if it's a complete log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:48 PM, on 8/01/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.apcstart.com
F3 - REG:win.ini: load=C:\WINNT\system32\ssqpm.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINNT\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.apcstart.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177227770203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199801855625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6805 bytes


#2 Yourhighness


Posted 11 January 2008 - 03:51 PM

Hello sagar and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 sagar


Posted 11 January 2008 - 11:35 PM

Here is the latest HijackThis log. I managed to run it this time. I am still getting the pop-up whenever I log in, but the ads seem to have disappeared.

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:59 PM, on 12/01/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.apcstart.com
F3 - REG:win.ini: load=C:\WINNT\system32\ssqpm.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15047F22-A25F-4EF0-8CEB-5F63CD0CAE12} - C:\WINNT\system32\jkhff.dll (file missing)
O2 - BHO: (no name) - {1ACA34ED-0982-4966-8B35-69125195A7D1} - C:\WINNT\system32\jkklm.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9F157D03-3DCC-4B4E-87CE-35F464BD3C3D} - C:\WINNT\system32\mljjiij.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {BDBBD698-A75F-485F-9502-2538019A4BB5} - C:\WINNT\system32\mljgf.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINNT\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.apcstart.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177227770203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199801855625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7783 bytes

#4 Yourhighness


Posted 12 January 2008 - 12:11 PM

Hey sagar.

Thanks for posting a fresh log.

Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Please also take note of the following:
  • I will start working on your Malware issues; this may, or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Step #1

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:

If you want to have a look at the user manuals for the above suggested programs, have a look at the following:

If you do decide to install a third party firewall, make sure that the Windows firewall is not running and if it is, deactivate it. A tutorial on how to do it can be found here.

Step #2

While Spybot's TeaTimer is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Step #3

Run HijackThis, press Scan, and put a check mark next to all these entries:

F3 - REG:win.ini: load=C:\WINNT\system32\ssqpm.exe
O2 - BHO: (no name) - {15047F22-A25F-4EF0-8CEB-5F63CD0CAE12} - C:\WINNT\system32\jkhff.dll (file missing)
O2 - BHO: (no name) - {1ACA34ED-0982-4966-8B35-69125195A7D1} - C:\WINNT\system32\jkklm.dll (file missing)
O2 - BHO: (no name) - {9F157D03-3DCC-4B4E-87CE-35F464BD3C3D} - C:\WINNT\system32\mljjiij.dll (file missing)
O2 - BHO: (no name) - {BDBBD698-A75F-485F-9502-2538019A4BB5} - C:\WINNT\system32\mljgf.dll (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)


Close all other windows and browsers, and press the Fix Checked button.

Step #4

Please download ComboFix from here and save it to your Desktop (For information regarding this download, please visit this webpage).
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.)
  • Close any open browsers
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log in your next reply together with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Step #5

Please post back with the ComboFix log and a fresh HijackThis log. Thanks.

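Added example (not code from the thread, from HijackThis or from ComboFix): a small Python triage script that applies the pattern Yourhighness singled out in Step #3 (the win.ini load= entry, the unnamed BHOs whose DLLs are missing, and the random-named system32 binaries) to HijackThis log lines, so a responder can reproduce the "Fix checked" list from a pasted log. The sample log lines are constructed from the second log above; the heuristics and the KNOWN_GOOD allow-list are my own assumptions, not HijackThis behaviour.

```python
"""Triage of HijackThis (HJT) log entries for the Vundo/Winfixer pattern in this thread.

Added example: not code from the thread, from HijackThis or from ComboFix.
Heuristics (assumptions, derived from the entries fixed in Step #3 above):
  * F3 'REG:win.ini: load=' pointing at an .exe is an autostart a clean
    Windows 2000 install does not use; here it pointed at ssqpm.exe.
  * O2 BHO entries with '(no name)' are unnamed Browser Helper Objects; with
    '(file missing)' they are orphaned registrations left after the DLL was removed.
  * A registry-loaded binary in system32 with a short, vowel-free, lowercase
    name (ssqpm, jkklm, jkhff, mljgf) matches the random names seen in the logs.
  * Remaining '(file missing)' entries are harmless orphans that HJT can clear.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
# Basename of an .exe/.dll under system32; IGNORECASE also covers 'System32'.
SYSTEM32_BINARY = re.compile(r"\\system32\\([a-z]+)\.(?:exe|dll)", re.IGNORECASE)
# Legitimate Windows binaries the vowel-free heuristic would otherwise hit (assumed list).
KNOWN_GOOD = {"smss", "csrss", "ntdll", "mstsc"}


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. 'F3', 'O2'
    reason: str    # why the entry was flagged
    line: str      # the original log line, ready to tick under 'Fix checked'


def is_random_looking(stem: str) -> bool:
    """Vundo-style filename stem: 4-8 lowercase letters and no vowels."""
    if stem in KNOWN_GOOD:
        return False
    return (4 <= len(stem) <= 8 and stem.isalpha() and stem.islower()
            and not any(ch in "aeiouy" for ch in stem))


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT entry line, or None if nothing stands out."""
    line = line.strip()
    m = ENTRY.match(line)
    if not m:
        return None  # header line, 'Running processes' path, blank line, etc.
    section, body = m.group(1), m.group(2)
    if section == "F3" and "win.ini: load=" in body:
        return Finding(section, "win.ini load= autostart (Vundo persistence point)", line)
    if section == "O2" and "(no name)" in body:
        state = "orphaned, file missing" if "(file missing)" in body else "DLL still present"
        return Finding(section, f"unnamed BHO ({state})", line)
    hit = SYSTEM32_BINARY.search(body)
    if hit and is_random_looking(hit.group(1)):
        return Finding(section, f"random-looking system32 binary '{hit.group(1)}'", line)
    if "(file missing)" in body:
        return Finding(section, "orphaned entry, target file missing", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole HJT log and keep the flagged entries in order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


# Constructed sample: a handful of lines modelled on the second log in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
F3 - REG:win.ini: load=C:\WINNT\system32\ssqpm.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1ACA34ED-0982-4966-8B35-69125195A7D1} - C:\WINNT\system32\jkklm.dll (file missing)
O2 - BHO: (no name) - {9F157D03-3DCC-4B4E-87CE-35F464BD3C3D} - C:\WINNT\system32\mljjiij.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample it flags exactly the four entries a responder would tick (the F3 load= line, the two orphaned unnamed BHOs and the missing mscoree.dll button) and leaves the NVIDIA, Adobe and internat.exe entries alone.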


#5 sagar


Posted 13 January 2008 - 05:23 PM

I did all the above. The screen pop-up is now gone at startup. I installed Outpost and it was working fine. However, when I ran ComboFix, which ran OK and made a log for me, I lost internet access on my computer. I am posting this from another computer and can't post the ComboFix log as it's on my other computer. The computer does not spot my gateway; it keeps saying gateway not found. I removed the firewall but still get the same response. Any ideas what might have happened, or would you need the ComboFix log to check it?

#6 Yourhighness


Posted 14 January 2008 - 12:39 AM

Hey sagar,

You may want to try this: http://www.bleepingcomputer.com/combofix/how-to-use-combofix#restore to restore the Internet connection. Should you have any further questions, please let me know.

Please do provide the ComboFix and HijackThis log for further analysis and cleaning of your pc. Thanks.



#7 sagar


Posted 14 January 2008 - 09:28 PM

I looked at the link above and right-clicked my network icon on the bottom right of my screen. It just has Disable and Status; there is no Repair option!!! I am on Win2000. Also, I just realised by reading some of the other posts on this site that ComboFix has to be run with the internet disconnected. I ran it with the internet connected! Do you reckon this might be the problem? I have copied the ComboFix log for you below and done a new HijackThis log for you to look at as well (I had to burn it onto CD and copy it here as I don't have a floppy drive or a USB stick, but that's OK).

I still can't connect to the internet on my normal PC; I am using this ancient one to communicate with you. The normal PC tries to communicate with my modem but does not detect it, hence there is no communication back from the modem. It just keeps sending packets but does not receive any. I am stressed, as you might expect, as I use my normal computer for work and am going through a lot of CDs to transfer across data that I get in emails. At the moment I have uninstalled the firewall. Please let me know if you want me to re-install it. It kept on asking me whether it could access every single site I wanted to access (is this normal?)

Combofix Log
***********

ComboFix 08-01-13.1 - Compaq Evo 13/01/2008 17:40:57.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.270 [GMT 8:00]
Running from: C:\Documents and Settings\Compaq Evo\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\mcrh.tmp
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 17:47 . 08-01-13 17:47 49 --a------ C:\WINNT\transp.gif
2008-01-13 17:40 . 00-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-13 17:01 . 08-01-13 17:01 <DIR> d-------- C:\Program Files\Common Files\Agnitum Shared
2008-01-13 17:01 . 08-01-13 17:01 <DIR> d-------- C:\Program Files\Agnitum
2008-01-10 21:24 . 08-01-10 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sage Software SB, Inc
2008-01-09 13:02 . 08-01-09 13:02 <DIR> d-------- C:\Documents and Settings\Compaq Evo\Application Data\Interact Commerce
2008-01-09 12:21 . 08-01-09 12:26 <DIR> d-------- C:\Program Files\InterActual
2008-01-09 10:45 . 08-01-09 10:45 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-01-09 10:45 . 08-01-09 10:45 <DIR> d-------- C:\Program Files\AVSMedia
2008-01-09 10:45 . 03-05-21 23:50 1,700,352 --a------ C:\WINNT\system32\GdiPlus.dll
2008-01-09 10:12 . 08-01-09 10:12 <DIR> d-------- C:\Program Files\Cucusoft
2008-01-09 10:12 . 04-10-12 14:40 2,255,360 --a------ C:\WINNT\system32\libavcodec.dll
2008-01-09 10:12 . 04-10-12 14:46 1,761,280 --a------ C:\WINNT\system32\ffdshow.ax
2008-01-09 10:12 . 04-10-05 16:16 395,776 --a------ C:\WINNT\system32\libmplayer.dll
2008-01-09 10:12 . 04-10-12 14:42 262,144 --a------ C:\WINNT\system32\TomsMoComp_ff.dll
2008-01-09 10:12 . 03-04-03 00:17 172,032 --a------ C:\WINNT\system32\ac3filter.ax
2008-01-09 10:12 . 04-10-04 01:50 112,640 --a------ C:\WINNT\system32\libmpeg2_ff.dll
2008-01-09 10:12 . 04-09-10 13:50 34,820 --a------ C:\WINNT\system32\ffdshow.reg
2008-01-09 09:59 . 08-01-09 09:59 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-01-09 09:28 . 08-01-09 09:28 <DIR> d-------- C:\Program Files\VideoReDoPlus
2008-01-09 09:28 . 08-01-09 10:12 <DIR> d-------- C:\Documents and Settings\Compaq Evo\Application Data\VideoReDoPlus
2008-01-09 08:14 . 07-07-30 19:19 271,224 --a------ C:\WINNT\system32\mucltui.dll
2008-01-09 08:14 . 07-07-30 19:19 30,072 --a------ C:\WINNT\system32\mucltui.dll.mui
2008-01-08 23:34 . 08-01-08 23:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-08 23:10 . 08-01-08 23:27 <DIR> d-------- C:\Program Files\Comodo
2008-01-08 22:54 . 08-01-08 22:54 3,584 --a------ C:\WINNT\system32\ssqpm.exe
2008-01-08 22:50 . 08-01-12 00:04 644,612 ---h----- C:\WINNT\ShellIconCache
2008-01-08 22:48 . 08-01-08 22:48 <DIR> d-------- C:\Program Files\Sygate
2008-01-08 22:48 . 04-10-15 18:32 14,568 --a------ C:\WINNT\system32\drivers\wg6n.sys
2008-01-08 22:48 . 04-10-15 18:32 14,568 --a------ C:\WINNT\system32\drivers\wg5n.sys
2008-01-08 22:48 . 04-10-15 18:32 14,568 --a------ C:\WINNT\system32\drivers\wg4n.sys
2008-01-08 21:06 . 08-01-09 12:13 319 --ahs---- C:\WINNT\system32\mpqss.ini
2008-01-08 18:02 . 08-01-08 19:00 <DIR> d-------- C:\WINNT\BDOSCAN8
2008-01-08 15:08 . 07-06-05 10:56 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2008-01-08 15:04 . 07-06-08 09:44 8,576 --a------ C:\WINNT\system32\drivers\srfgodhknnwy.sys
2008-01-08 14:51 . 08-01-08 16:05 <DIR> d-------- C:\WINNT\system32\ActiveScan
2008-01-08 14:51 . 08-01-08 14:51 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-01-08 14:51 . 08-01-08 14:51 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-01-08 14:51 . 08-01-08 14:51 1,406 --a------ C:\WINNT\system32\Help.ico
2008-01-08 13:33 . 08-01-08 14:23 <DIR> d-------- C:\Documents and Settings\Compaq Evo\.housecall6.6
2008-01-08 12:41 . 08-01-08 13:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-08 10:58 . 08-01-08 23:40 <DIR> d-------- C:\VundoFix Backups
2008-01-06 22:19 . 08-01-06 22:19 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-06 22:19 . 08-01-06 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-06 22:18 . 08-01-06 22:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 22:05 . 08-01-06 22:05 <DIR> d--h----- C:\WINNT\PIF
2008-01-05 22:31 . 08-01-05 22:31 <DIR> d-------- C:\Program Files\Mpeg2Decoder
2008-01-05 22:28 . 08-01-09 10:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 22:28 . 08-01-05 22:28 356,352 --a------ C:\WINNT\eSellerateEngine.dll
2008-01-05 22:28 . 04-12-07 10:11 258,352 --a------ C:\WINNT\system32\Unicows.dll
2008-01-05 22:20 . 08-01-05 23:21 69 --a------ C:\WINNT\NeroDigital.ini
2008-01-05 22:01 . 08-01-05 22:01 <DIR> d-------- C:\Program Files\Nero
2008-01-05 22:00 . 02-12-11 18:50 301,712 --a------ C:\WINNT\system32\drmclien.dll
2008-01-05 22:00 . 02-12-11 18:50 301,712 --a--c--- C:\WINNT\system32\dllcache\drmclien.dll
2008-01-05 22:00 . 02-12-11 17:34 82,432 --a------ C:\WINNT\system32\drmstor.dll
2008-01-05 22:00 . 02-12-11 17:34 82,432 --a--c--- C:\WINNT\system32\dllcache\drmstor.dll
2008-01-05 22:00 . 02-12-11 17:34 9,728 --a--c--- C:\WINNT\system32\dllcache\npwmsdrm.dll
2008-01-04 21:09 . 08-01-04 21:09 <DIR> d-------- C:\Program Files\HmelyoffLabs
2008-01-04 07:20 . 08-01-04 07:20 <DIR> d-------- C:\Documents and Settings\Compaq Evo\Application Data\Ahead
2008-01-03 16:00 . 08-01-06 15:10 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-03 16:00 . 08-01-03 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-03 15:44 . 08-01-06 21:36 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-03 15:06 . 03-06-19 12:05 138,288 --a------ C:\WINNT\system32\drivers\usbport.sys
2008-01-03 15:06 . 03-06-19 12:05 49,776 --a------ C:\WINNT\system32\drivers\usbhub20.sys
2008-01-03 15:06 . 03-06-19 12:05 40,752 --a------ C:\WINNT\system32\drivers\1394bus.sys
2008-01-03 15:06 . 03-06-19 12:05 37,680 --a------ C:\WINNT\system32\drivers\ohci1394.sys
2008-01-03 15:06 . 03-06-19 12:05 19,728 --a------ C:\WINNT\system32\drivers\usbehci.sys
2007-12-23 20:30 . 07-12-23 20:30 <DIR> d-------- C:\Documents and Settings\Compaq Evo\Application Data\Recordpad
2007-12-23 20:30 . 07-12-23 20:59 <DIR> d-------- C:\Documents and Settings\Compaq Evo\Application Data\NCH Swift Sound
2007-12-23 20:30 . 07-12-23 20:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-12-23 20:30 . 07-12-23 20:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\NCH Software
2007-12-23 20:27 . 07-12-24 07:06 <DIR> d-------- C:\Program Files\NCH Software
2007-12-23 17:52 . 99-12-02 15:30 258,320 --a------ C:\WINNT\system32\msh263.drv
2007-12-23 17:52 . 03-06-19 12:05 51,472 --a------ C:\WINNT\system32\vfwwdm32.dll
2007-12-23 17:52 . 03-06-19 12:05 51,472 --a--c--- C:\WINNT\system32\dllcache\vfwwdm32.dll
2007-12-23 17:52 . 99-11-30 23:39 45,840 --a------ C:\WINNT\system32\iyuv_32.dll
2007-12-23 17:52 . 99-11-30 23:39 45,840 --a--c--- C:\WINNT\system32\dllcache\iyuv_32.dll
2007-12-23 17:52 . 99-12-02 15:30 19,728 --a------ C:\WINNT\system32\dshowext.ax
2007-12-23 17:52 . 99-12-02 15:30 19,728 --a--c--- C:\WINNT\system32\dllcache\dshowext.ax
2007-12-23 17:52 . 99-11-30 23:39 12,560 --a------ C:\WINNT\system32\tsbyuv.dll
2007-12-23 17:52 . 99-11-30 23:39 12,560 --a--c--- C:\WINNT\system32\dllcache\tsbyuv.dll
2007-12-22 22:07 . 99-12-02 15:31 10,000 --a--c--- C:\WINNT\system32\dllcache\ksvpintf.ax
2007-12-22 22:07 . 99-12-02 15:30 7,952 --a--c--- C:\WINNT\system32\dllcache\ksinterf.ax
2007-12-22 22:07 . 99-12-02 15:31 7,440 --a--c--- C:\WINNT\system32\dllcache\ksclockf.ax
2007-12-22 22:07 . 99-12-02 15:30 6,928 --a--c--- C:\WINNT\system32\dllcache\ksdata.ax
2007-12-22 22:07 . 99-11-30 23:39 4,880 --a--c--- C:\WINNT\system32\dllcache\ksuser.dll
2007-12-22 22:05 . 08-01-09 10:20 <DIR> d-------- C:\Program Files\honestech VHS to DVD 3.0 Deluxe
2007-12-22 22:04 . 07-12-22 22:04 <DIR> d-------- C:\Documents and Settings\Compaq Evo\Application Data\InstallShield
2007-12-22 22:03 . 99-10-12 15:57 68,912 --a------ C:\WINNT\system32\drivers\USBAUDIO.sys
2007-12-16 22:17 . 07-12-16 22:17 <DIR> d-------- C:\Program Files\TVAnts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 09:36 --------- d-----w C:\Documents and Settings\Compaq Evo\Application Data\AVG7
2008-01-11 15:03 --------- d-----w C:\Program Files\VPos
2008-01-09 11:16 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-09 05:17 --------- d-----w C:\Program Files\ACT
2008-01-09 02:40 --------- d-----w C:\Program Files\Google
2008-01-07 11:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-07 10:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-22 14:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-22 04:34 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-08 14:32 --------- d-----w C:\Program Files\TVUPlayer
2007-12-08 14:32 --------- d-----w C:\Documents and Settings\Compaq Evo\Application Data\TVU Networks
2007-12-08 14:31 58,000 ----a-w C:\WINNT\system32\drivers\cdr4_2K.sys
2007-12-08 14:31 57,344 ----a-w C:\WINNT\uneng.exe
2007-12-08 14:31 23,420 ----a-w C:\WINNT\system32\drivers\cdralw2k.sys
2007-12-08 14:31 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2007-11-24 14:46 --------- d-----w C:\Program Files\SopCast
2007-10-25 02:26 53,248 ----a-w C:\WINNT\bdoscandel.exe
2007-04-22 04:55 271 ---h--w C:\Program Files\desktop.ini
2007-04-22 04:55 21,952 ---h--w C:\Program Files\folder.htt
2007-07-31 03:12 88 --sh--r C:\WINNT\system32\2625E66CD9.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-06-20 20:00 20752 C:\WINNT\system32\internat.exe]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 20:00 111376 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [06-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [06-10-22 12:22 1622016 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [06-10-22 12:22 86016]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [ ]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"Samsung PanelMgr"="C:\WINNT\Samsung\PanelMgr\ssmmgr.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [06-03-30 10:51 91648]
"OutpostFeedBack"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe" [06-05-11 12:05 356420]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-06-20 20:00 20752 C:\WINNT\system32\internat.exe]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [07-10-23 09:54 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 20:00 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-22 15:19:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [07-04-22 15:30 ]
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [06-03-30 10:53 ]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [06-03-30 10:53 ]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ARP.DLL [06-03-30 10:53 ]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [06-03-30 10:53 ]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [06-03-30 10:53 ]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [06-03-30 10:53 ]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [06-03-30 10:53 ]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [06-03-30 10:53 ]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [06-03-30 10:53 ]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [06-03-30 10:53 ]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [06-03-30 10:53 ]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [06-03-30 10:53 ]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [06-03-30 10:53 ]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\SECRET.DLL [06-03-30 10:53 ]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
S2 MSSQL$ACT7;SQL Server (ACT7);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [07-02-10 05:29 ]
S2 SSPORT;SSPORT;C:\WINNT\system32\Drivers\SSPORT.sys []

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 17:49:16
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 17:53:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 09:53:09
.
2008-01-09 11:20:51 --- E O F ---

New HijackThis Log 15/1/2008
************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:36 AM, on 15/01/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.apcstart.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINNT\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.apcstart.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177227770203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199801855625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6821 bytes

Hope this info helps!!

Hoping to hear from you soon.

Sagar

#8 sagar

Posted 16 January 2008 - 07:04 AM

I managed to get the Internet running again.

#9 Yourhighness

Posted 17 January 2008 - 01:36 PM

Hey sagar,

Regarding your internet connection, I am checking now for other possibilities. Please hang in there.

Step #1
  • Please go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Select the download that's appropriate for your Operating System (click the below images to enlarge them)
  • Download the file & save it as it's originally named, next to ComboFix.exe.
  • Now close all open windows and programs, then drag the setup package into ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until we have reviewed the log.

Step #2

Please post back with the CF_RC.txt. Thanks.

Edited by Yourhighness, 17 January 2008 - 01:36 PM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#10 sagar

Posted 17 January 2008 - 04:53 PM

Hi,

I have already fixed the internet connection. I went to the Microsoft site and they had a recovery solution for the internet connection not working. So now I have that working. So if the above is to do with the internet connection then we don't need to do that. To be honest I am scared to run ComboFix again as last time it created a lot of hell for me. But I will run it if I have to.

Was the above to do with the internet connection or making sure my comp is clean?

Sagar

#11 sagar

Posted 17 January 2008 - 04:55 PM

Also, the web link above has downloads for XP; I have Windows 2000.

#12 Yourhighness

Posted 19 January 2008 - 02:11 AM

Hey sagar,

Apologies. I forgot about the Windows 2000 thing. The above links are not to do with your Internet connection problems, but with your recovery console.

Please try these instructions instead and tell me if it worked: http://kb.wisc.edu/helpdesk/page.php?id=914

As for your comment regarding ComboFix: we will most likely have to use it sooner or later, but you will only run it with my guidance. ComboFix's disclaimer clearly reads that this should only be done in this manner, as you can break a lot when using it improperly.

"How did I get infected?" - "Safe-hex" - Member of UNITE -