Hijackthis Scan Results


15 replies to this topic

#1 Prplxd

Posted 18 January 2008 - 09:14 AM

I have 2 yellow triangular shield-like shapes with exclamation marks appearing on my start menu beside the time display. One is just the symbol itself and the other is attached to what looks like the "local area connection" image. Below are my HijackThis scanning results:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:54 AM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\atievxx.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\system32\lxcycoms.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MyContentAssistant] C:\Program Files\MyContentAssistant\GDC.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINNT\system32\lxcycoms.exe

--
End of file - 7309 bytes

#2 Prplxd

Posted 19 January 2008 - 02:19 AM

I would like to install SP2 but first need to eliminate any suspected viruses. I've copied my HijackThis log results again in case anything has changed since the first post yesterday morning. Is there anything I should be concerned about?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:07 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\WINNT\system32\atievxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\lxcycoms.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MyContentAssistant] C:\Program Files\MyContentAssistant\GDC.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINNT\system32\lxcycoms.exe

--
End of file - 7162 bytes

#3 SNOWHITE

Posted 02 February 2008 - 02:45 PM

Hello Prplxd,

Sorry for the late reply, but as you can see we handle more than our fair share of logs. If you still have problems please post a fresh HijackThis log and we can begin the cleaning process.

Regards,
SNOWHITE

#4 SNOWHITE

Posted 10 February 2008 - 05:59 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE

#5 SNOWHITE

Posted 13 February 2008 - 11:08 PM

Topic reopened per user request. :thumbsup:
SNOWHITE

#6 Prplxd

Posted 14 February 2008 - 08:53 AM

The only problems I'm now experiencing are an unusually long wait for it to finish loading during the reboot process (could be memory) and I'm a bit concerned over a bubble-popping sound effect that happens at least once after rebooting. Another thing I don't understand is that if my laptop is turned off, the power on/off button will not turn it back on unless it is unplugged (a short?).

Here is my most current HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:39 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\WINNT\system32\atievxx.exe
C:\WINNT\system32\lxcycoms.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MyContentAssistant] C:\Program Files\MyContentAssistant\GDC.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINNT\system32\lxcycoms.exe

--
End of file - 7187 bytes

#7 SNOWHITE

Posted 19 February 2008 - 12:25 AM

Hello Prplxd, and sorry for the delay; I didn't get notified that you had replied to your thread.

There is a backdoor trojan detected on your system - Trojan.Abwiz.F. This gives hackers full access to everything stored on the computer!

I recommend these actions:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorized transactions

More info can be found here:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

If you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

If you decide to try cleaning your computer, please follow the steps below:

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Step #2

A guide and tutorial on using ComboFix can be found at the following link http://www.bleepingcomputer.com/combofix/how-to-use-combofix

1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
ComboFix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.
In your next post please include the following reports:
  • SDFix report
  • ComboFix report
  • New HijackThis log (run after ComboFix has finished its work.)

Let me know how things go.

Regards,
SNOWHITE
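
The logs in this thread are in the HijackThis v2 format, and two things the thread turns on, the question in post #2 (did anything change between scans?) and the helper's job of picking out which entries to verify, both come down to parsing the R*/O* lines. The Python below is an added example, not code from the thread or from the HijackThis tool: it parses a constructed excerpt in the format posted above, flags the entries a reviewer would verify first (orphaned hooks, commands with no absolute path, Run entries in service-account hives, services with no vendor information) and diffs two scans of the same machine. The flag criteria are this example's own heuristics, and a flag means "verify this binary", not "malicious".

```python
"""Parse the R*/O* entries of a HijackThis v2 log, flag entries a reviewer should verify
first, and diff two logs of the same machine.  Added example, not code from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the HijackThis v2.0.2 format posted in this thread: a few lines
# chosen to exercise each parser branch, not a complete log.
LOG_FIRST_SCAN = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: lxcy_device - - C:\WINNT\system32\lxcycoms.exe
--
End of file - 7309 bytes
"""
# The same machine scanned again later (constructed from the excerpt above): the
# KernelFaultCheck entry is gone, as happened between the first and third logs in the thread.
LOG_LATER_SCAN = "\n".join(l for l in LOG_FIRST_SCAN.splitlines() if "KernelFaultCheck" not in l) + "\n"

ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(  # registry autostart entries; folder-based 'Startup:' lines do not match
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] ?(?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) -\s*(?P<vendor>.*?)\s*- (?P<path>.*)$")
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%|rundll32\b)', re.IGNORECASE)


@dataclass
class Entry:
    section: str
    raw: str
    hive: Optional[str] = None
    key: Optional[str] = None
    name: Optional[str] = None
    command: Optional[str] = None
    user: Optional[str] = None
    vendor: Optional[str] = None
    path: Optional[str] = None


def parse_log(text: str) -> list[Entry]:
    """Return the configuration entries; the header and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = Entry(section=m["section"], raw=line.strip())
        if e.section == "O4" and (r := RUN_RE.match(m["body"])):
            e.hive, e.key, e.name, e.command, e.user = r.group("hive", "key", "name", "command", "user")
        elif e.section == "O23" and (s := SERVICE_RE.match(m["body"])):
            e.name, e.vendor, e.path = s.group("name", "vendor", "path")
        entries.append(e)
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Entries to verify first.  A finding means 'check this binary', not 'malicious':
    every one of these patterns also occurs with legitimate software."""
    findings = []
    for e in entries:
        if e.raw.endswith("(no file)"):
            findings.append((e.raw, "entry points at a file that no longer exists"))
        if e.section == "O4" and e.hive:
            if e.hive.startswith("HKUS\\") and e.key == "Run":
                findings.append((e.raw, f"persistent Run entry in the {e.hive} hive (log reports user "
                                        f"'{e.user}'); user-facing software normally installs into HKLM or HKCU"))
            if not ABS_PATH_RE.match(e.command):
                findings.append((e.raw, "command has no absolute path, so it is resolved via the search path"))
        if e.section == "O23" and e.vendor in ("", "Unknown owner"):
            findings.append((e.raw, "service binary carries no vendor information"))
    return findings


def diff_logs(earlier: str, later: str) -> tuple[list[str], list[str]]:
    """(added, removed) configuration entries between two scans of the same machine.
    Only the R*/O* section is compared; the process list changes with every reboot."""
    before = {e.raw for e in parse_log(earlier)}
    after = {e.raw for e in parse_log(later)}
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for raw, why in triage(parse_log(LOG_FIRST_SCAN)):
        print(f"REVIEW: {why}\n        {raw}")
    added, removed = diff_logs(LOG_FIRST_SCAN, LOG_LATER_SCAN)
    print("added since first scan:  ", added or "none")
    print("removed since first scan:", removed or "none")
```

To use it on the real logs in this thread, paste each one into a text file and pass its contents to parse_log and diff_logs in place of the constructed excerpts.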

#8 SNOWHITE

Posted 05 March 2008 - 11:34 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE

#9 SNOWHITE

Posted 06 March 2008 - 03:05 AM

Topic reopened per user request. :thumbsup:
SNOWHITE

#10 Prplxd

Posted 12 March 2008 - 11:22 AM

Okay, I've downloaded and run SDFix in Safe Mode. Here now are my HijackThis and Report results.

HijackThis Scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:50 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atievxx.exe
C:\WINNT\system32\lxcycoms.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MyContentAssistant] C:\Program Files\MyContentAssistant\GDC.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINNT\system32\lxcycoms.exe

--
End of file - 7076 bytes


Report:


SDFix: Version 1.156

Run by newuser on Wed 03/12/2008 at 09:43 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\SYSTEM32\PFB0E0~1.DLL - Deleted
C:\WINNT\SYSTEM32\PFCA7F~1.DLL - Deleted
C:\WINNT\SYSTEM32\SFXZMT~1.DLL - Deleted
C:\WINNT\SYSTEM32\SFXZMT~4.DLL - Deleted
C:\WINNT\SYSTEM32\AOSMX.DLL - Deleted
C:\WINNT\SYSTEM32\GTALSMX.DLL - Deleted
C:\WINNT\SYSTEM32\SMTSMX~1.DLL - Deleted
C:\WINNT\SYSTEM32\SPMSMT~1.DLL - Deleted
C:\WINNT\SYSTEM32\YMSGSMX.DLL - Deleted
C:\Documents and Settings\newuser\Application Data\installer_en[1].exe - Deleted
C:\WINNT\system32\drivers\hosts - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 10:05:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\newuser\Local Settings\Temporary Internet Files\Content.IE5\YK9M1380\defaultCA4SFNNT.jpg 4466 bytes
C:\Documents and Settings\newuser\Local Settings\Temporary Internet Files\Content.IE5\YK9M1380\defaultCA4V0DTV.jpg 2468 bytes
C:\Documents and Settings\newuser\Local Settings\Temporary Internet Files\Content.IE5\YK9M1380\defaultCA4WZNAY.jpg 4042 bytes
C:\Documents and Settings\newuser\Local Settings\Temporary Internet Files\Content.IE5\YK9M1380\defaultCA51MZNQ.jpg 3394 bytes
C:\Documents and Settings\newuser\Local Settings\Temporary Internet Files\Content.IE5\YK9M1380\defaultCA59F43B.jpg 3873 bytes
C:\Documents and Settings\newuser\Local Settings\Temporary Internet Files\Content.IE5\YK9M1380\defaultCA5GAGQD.jpg 5633 bytes
C:\Documents and Settings\newuser\Local Settings\Temporary Internet Files\Content.IE5\YK9M1380\defaultCA67BA3Y.jpg 2394 bytes
C:\Documents and Settings\newuser\Local Settings\Temporary Internet Files\Content.IE5\YK9M1380\defaultCA8CDXM3.jpg 3507 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 222


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINNT\\system32\\cmd32.exe"="C:\\WINNT\\system32\\cmd32.exe:*:Enabled:enable"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINNT\\system32\\lxcycoms.exe"="C:\\WINNT\\system32\\lxcycoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 28 Oct 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 14 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

#11 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 13 March 2008 - 11:51 PM

Hi and welcome,

Your helper SNOWHITE will be away for a while so I will be taking over helping you get cleaned up.

I will reply shortly with further instructions as it will take me some time to go over what has been done so far and what is left to do.

Thanks for your patience.

blender :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#12 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 14 March 2008 - 01:13 AM

Hello again,

If you ran Combofix please post the following log:

C:\Combofix.txt

If you did not --- no worries. Carry on with below please.

A few things left to fix up.

You have a fake security program installed (MyContentAssistant).
Info:
http://research.sunbelt-software.com/threa...threatid=153460

Please go to add/remove programs and Uninstall MyContentAssistant

Reboot when done.

Next:

Please download ATF Cleaner by Atribune.
  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache
    Recycle bin
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Next:

I don't see an antivirus program installed.
Today's internet is simply suicide without an up-to-date antivirus.

Please download ONE of the following antivirus programs and install it.

Avast:
http://www.avast.com/eng/avast_4_home.html
Tutorial:
http://www.bleepingcomputer.com/tutorials/how-to-use-avast-antivirus/

AVG:
http://free.grisoft.com/doc/1

AntiVir:
http://www.free-av.com/antivirus/allinonen.html

Once installed, update it, run a full system scan with it and allow it to fix up what it wants.
Reboot if it fixed anything.

Please post a fresh hijackthis log here and let me know how the system is running.
There will be more work to do so -- no running away yet :blink:

Thanks :thumbsup:

#13 Prplxd

Prplxd
  • Topic Starter

  • Members
  • 16 posts

Posted 17 March 2008 - 08:05 AM

Much thanks for working with me through this.

I've failed in my attempt to track down the MyContentAssistant in Add/Remove Programs. But I have run the ATF Cleaner and below are the latest results of my HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:40 AM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\savedump.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\system32\atievxx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\lxcycoms.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINNT\system32\fxssvc.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Support.com\bin\jobcheck.exe
C:\Program Files\Support.com\bin\tgshell.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MyContentAssistant] C:\Program Files\MyContentAssistant\GDC.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINNT\system32\lxcycoms.exe

--
End of file - 7329 bytes

#14 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 17 March 2008 - 08:02 PM

Hi,

Copy the following text to a new notepad file.

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINNT\\system32\\cmd32.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MyContentAssistant"=-

Save it to the desktop as file name fix.reg as file type: All files

Once saved, right click it and choose merge.
OK the prompt.
Should get success message.

Reboot

Locate and delete the following folder if it exists:

C:\Program Files\MyContentAssistant <-- this folder.

Then empty recycle bin.

Next:

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

Click "I accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
    http://i266.photobucket.com/albums/ii277/s...Kas-Savetxt.gif
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable onboard antivirus and antispyware programs while performing scans, so that there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

*Note2
If you have Internet Explorer 7 installed:
If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
Page will reload and you should be able to carry on scan.

Next:

I don't see an antivirus program installed.
Today's internet is simply suicide without an up-to-date antivirus.
Not much point in you and I cleaning up the system if you refuse to protect yourself.
However -- if you don't understand or cannot install an antivirus -- please let me know.

Please download ONE of the following antivirus programs and install it.

Avast:
http://www.avast.com/eng/avast_4_home.html
Tutorial:
http://www.bleepingcomputer.com/tutorials/how-to-use-avast-antivirus/

AVG:
http://free.grisoft.com/doc/1

AntiVir:
http://www.free-av.com/antivirus/allinonen.html

Once installed, update it, run a full system scan with it and allow it to fix up what it wants.
Reboot if it fixed anything.

Please post a fresh hijackthis log here and let me know how the system is running.

Thanks :thumbsup:
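The firewall "Authorized Application Key Export" in the SDFix log and the fix.reg above are both REGEDIT4-style text, so the exception list can be checked and the effect of a `"name"=-` deletion simulated offline before anything is merged. The Python below is an added example, not code from the thread, SDFix or HijackThis; its sample data is copied from the thread's log lines, and the allowlist of programs expected in the exception list is an assumption.

```python
"""Added example (not from the thread): parse a REGEDIT4-style export of the
XP firewall AuthorizedApplications list, apply a fix.reg that deletes values
with "name"=-, and report exceptions not on a constructed allowlist."""
import re
# Constructed sample, copied from the thread's SDFix log.
EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINNT\\system32\\cmd32.exe"="C:\\WINNT\\system32\\cmd32.exe:*:Enabled:enable"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINNT\\system32\\lxcycoms.exe"="C:\\WINNT\\system32\\lxcycoms.exe:*:Enabled:Lexmark Communications System"
'''
# Constructed sample: the fix.reg the helper posted.
FIX = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINNT\\system32\\cmd32.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MyContentAssistant"=-
'''
# Constructed allowlist: programs expected in this machine's exception list.
KNOWN_PROGRAMS = {'xpnetdiag.exe', 'lxcycoms.exe', 'googletalk.exe', 'sessmgr.exe'}
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s):
    """Undo .reg escaping: a doubled backslash becomes one, an escaped quote a quote."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key: {value_name: data}}; data is None for a "=-" deletion."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:                                  # [HKEY_...] section header
            current = key.group(1).lower()       # key names are case-insensitive
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, data = unescape(value.group(1)), value.group(2)
            if data == '-':                      # "name"=- deletes the value
                data = None
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])      # dword:/hex: data stay verbatim
            keys[current][name] = data
    return keys

def apply_fix(state, fix):
    """Delete every value the fix marks "=-"; return the (key, name) pairs removed."""
    removed = []
    for key, values in fix.items():
        for name, data in values.items():
            if data is None and name in state.get(key, {}):
                del state[key][name]
                removed.append((key, name))
    return removed

def unknown_exceptions(state):
    """Firewall exceptions whose program file name is not on the allowlist."""
    found = []
    for key, values in state.items():
        if 'authorizedapplications' in key:
            for data in filter(None, values.values()):
                path = data.rsplit(':', 3)[0]    # 'path:scope:Enabled:name'; rsplit keeps the drive colon
                if path.rsplit('\\', 1)[-1].lower() not in KNOWN_PROGRAMS:
                    found.append(path)
    return found
```

Running `unknown_exceptions` before and after `apply_fix` shows that the only exception not on the allowlist is the cmd32.exe entry and that the fix removes exactly that value, while the Run-key deletion is a harmless no-op when the value is already gone.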

#15 Prplxd

Prplxd
  • Topic Starter

  • Members
  • 16 posts

Posted 20 March 2008 - 11:24 AM

I've exhausted the following steps:
____________________________________________________________________________
Copy the following text to a new notepad file.


REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINNT\\system32\\cmd32.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MyContentAssistant"=-


Save it to the desktop as file name fix.reg as file type: All files

Once saved, right click it and choose merge.
OK the prompt.
Should get success message.

Reboot

Locate and delete the following folder if it exists:

C:\Program Files\MyContentAssistant <-- this folder.

Then empty recycle bin.
_________________________________________________________________________________

Should I proceed with the succeeding steps although I did not locate any "MyContentAssistant" Folder?

*Also: my laptop "bloops" intermittently.



