
Spyware/malware Problem


This topic is locked
4 replies to this topic

#1 19dom87

  • Members
  • 2 posts

Posted 28 February 2008 - 07:23 PM

Hi, I don't know much about this kind of stuff but would really appreciate your help.
This is what is happening:

The laptop is running very slow and constant error messages keep appearing, e.g. "System warning: Windows has performed an illegal operation".

In my local C: drive, hundreds of new files have appeared under the names "posC1" or "posC2", all the way up to "posC156".

Also, when I turn off the computer I get "End program now" window titles: SMax4PNP and DHTMLSpy.


Here is a copy of my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49:57, on 28/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS2\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS2\system32\igfxtray.exe
C:\WINDOWS2\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS2\mrofinu1535.exe
C:\WINDOWS2\system32\mshelp.exe
C:\WINDOWS2\system32\rundll32.exe
C:\WINDOWS2\system32\Rundll32.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS2\system32\wuauclt.exe
C:\DOCUME~1\DOMWES~1\LOCALS~1\Temp\Rar$EX00.438\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS2\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS2\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS2\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS2\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS2\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS2\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680C0EF7F506DCD610837F814E0C79D775A67
O4 - HKLM\..\Run: [Generic Host Process for WinXP Services] mshelp.exe
O4 - HKLM\..\Run: [25b5c2db] rundll32.exe "C:\WINDOWS2\system32\kdeodhfi.dll",b
O4 - HKLM\..\Run: [BM2686f147] Rundll32.exe "C:\WINDOWS2\system32\kqhpxhrp.dll",s
O4 - HKLM\..\RunServices: [Generic Host Process for WinXP Services] mshelp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS2\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS2\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS2\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS2\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS2\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS2\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7164 bytes


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 February 2008 - 08:10 PM

Hello 19dom87,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 19dom87
  • Topic Starter

  • Members
  • 2 posts

Posted 29 February 2008 - 06:34 AM

Thanks for the quick response!

My ComboFix log file is here:

ComboFix 08-02-25.3 - Dom West 2008-02-29 10:57:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.303 [GMT 0:00]
Running from: F:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\Program Files\Helper\1204073417.dll
C:\Program Files\Helper\1204073440.dll
C:\Program Files\Helper\1204073445.dll
C:\Program Files\Helper\1204101043.dll
C:\Program Files\Helper\1204101107.dll
C:\Program Files\inetget2
C:\Program Files\winupdates
C:\Program Files\winupdates\a.tmp
C:\Program Files\winupdates\a.zip
C:\WINDOWS2\b152.exe
C:\WINDOWS2\mrofinu1535.exe
C:\WINDOWS2\system32\fccyvus.dll
C:\WINDOWS2\system32\fipjikpo.dll
C:\WINDOWS2\system32\fipjikpo.dllbox
C:\WINDOWS2\system32\ifhdoedk.ini
C:\WINDOWS2\system32\kdeodhfi.dll
C:\WINDOWS2\system32\kqhpxhrp.dll
C:\WINDOWS2\system32\mcrh.tmp
C:\WINDOWS2\system32\smhjmfdy.dll
C:\WINDOWS2\system32\sqla.dll
C:\WINDOWS2\system32\srqss.ini
C:\WINDOWS2\system32\srqss.ini2
C:\WINDOWS2\system32\ssqrs.dll
C:\WINDOWS2\system32\windows
C:\WINDOWS2\system32\xramrbvt.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))
.

2008-02-28 14:06 . 2008-02-28 14:07 1,735,594 --a------ C:\dom-tru soul.mpg.m2t.AVI
2008-02-28 13:56 . 2008-02-28 13:57 3,822,428 --a------ C:\lol.AVI
2008-02-28 09:03 . 2008-02-28 09:03 <DIR> d-------- C:\Program Files\JavaCore
2008-02-28 08:50 . 2008-02-29 10:30 22 --a------ C:\WINDOWS2\pskt.ini
2008-02-28 00:23 . 2008-02-28 00:23 2,602,558 --a------ C:\dom-tru porn.m2t.AVI
2008-02-28 00:16 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS2\x2.64.exe
2008-02-28 00:16 . 2007-11-13 09:31 399,360 --a------ C:\WINDOWS2\system32\Smab.dll
2008-02-28 00:16 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS2\system32\x.264.exe
2008-02-28 00:16 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS2\meta4.exe
2008-02-28 00:16 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS2\system32\yv12vfw.dll
2008-02-28 00:16 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS2\system32\i420vfw.dll
2008-02-28 00:16 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS2\MOTA113.exe
2008-02-28 00:16 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS2\system32\AVSredirect.dll
2008-02-28 00:15 . 2008-02-28 00:15 <DIR> d-------- C:\Program Files\eRightSoft
2008-02-27 18:45 . 2008-02-27 18:45 118,784 --a------ C:\WINDOWS2\GREUninstall.exe
2008-02-27 17:42 . 2008-02-27 17:42 <DIR> d-------- C:\Documents and Settings\Dom West\Application Data\Publish Providers
2008-02-27 17:41 . 2008-02-28 22:22 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS2\Application Data\TEMP
2008-02-27 17:30 . 2008-02-27 17:30 <DIR> d-------- C:\Program Files\Sony
2008-02-27 11:26 . 2008-02-27 11:26 <DIR> d-------- C:\Program Files\BitTorrent
2008-02-27 11:08 . 2008-02-28 22:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Lavasoft
2008-02-27 08:30 . 2008-02-27 08:30 54,764 --a------ C:\WINDOWS2\system\hipsrv.mm
2008-02-27 00:50 . 2008-02-28 08:48 86,528 --a------ C:\WINDOWS2\system32\mshelp.exe
2008-02-27 00:50 . 2008-02-28 08:48 86,528 --a------ C:\WINDOWS2\system32\dml.exe
2008-02-27 00:50 . 2008-02-27 08:30 76,288 --a------ C:\arbfikac.exe
2008-02-27 00:50 . 2008-02-27 08:30 58,368 --a------ C:\wpohl.exe
2008-02-27 00:50 . 2008-02-27 00:50 54,764 --a------ C:\WINDOWS2\system\pcximg.pif
2008-02-27 00:50 . 2008-02-28 18:51 219 --a------ C:\WINDOWS2\system32\descript.lnk
2008-02-27 00:50 . 2008-02-27 08:30 2 --a------ C:\632668788
2008-02-27 00:38 . 2008-02-27 00:38 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 00:34 . 2008-02-27 00:34 <DIR> d-------- C:\WINDOWS2\system32\XPSViewer
2008-02-27 00:33 . 2008-02-27 00:33 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 00:32 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS2\system32\spmsg2.dll
2008-02-27 00:21 . 2008-02-27 00:21 <DIR> d-------- C:\Documents and Settings\Dom West\Application Data\Sony Setup
2008-02-27 00:16 . 2008-02-27 17:41 <DIR> d-------- C:\Documents and Settings\Dom West\Application Data\Sony
2008-02-27 00:15 . 2008-02-27 17:31 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Sony
2008-02-27 00:08 . 2008-02-27 00:08 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-27 00:06 . 2008-02-27 00:09 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-02-27 00:03 . 2008-02-27 17:25 <DIR> d-------- C:\Program Files\Sony Setup
2008-02-26 22:42 . 2004-08-03 23:10 49,024 --a------ C:\WINDOWS2\system32\drivers\mstape.sys
2008-02-26 22:42 . 2004-08-03 23:10 49,024 --a--c--- C:\WINDOWS2\system32\dllcache\mstape.sys
2008-02-26 22:42 . 2004-08-03 23:10 13,696 --a------ C:\WINDOWS2\system32\drivers\avcstrm.sys
2008-02-26 22:42 . 2004-08-03 23:10 13,696 --a--c--- C:\WINDOWS2\system32\dllcache\avcstrm.sys
2008-02-11 22:22 . 2008-02-11 22:22 <DIR> d-------- C:\Program Files\MagicISO
2008-02-04 20:29 . 2008-02-27 11:26 <DIR> d-------- C:\Program Files\DNA
2008-02-04 20:29 . 2008-02-29 11:23 <DIR> d-------- C:\Documents and Settings\Dom West\Application Data\DNA
2008-02-04 20:29 . 2008-02-27 18:23 <DIR> d-------- C:\Documents and Settings\Dom West\Application Data\BitTorrent
2008-02-03 17:55 . 2008-02-03 17:55 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-03 17:52 . 2008-02-03 17:54 <DIR> d-------- C:\WINDOWS2\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 22:34 --------- d-----w C:\Program Files\Lavasoft
2008-02-27 22:40 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-27 19:32 --------- d-----w C:\Program Files\Picasa2
2008-02-27 17:31 --------- d-----w C:\Program Files\VstPlugins
2008-02-27 16:57 --------- d-----w C:\Program Files\ahead
2008-02-27 16:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\Retrospect
2008-02-27 00:10 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-12 21:43 --------- d-----w C:\Program Files\Soulseek
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS2\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS2\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS2\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-04 12:31 68856]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-02-27 11:26 290112]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 21:18 443968]
"JavaCore"="C:\Program Files\JavaCore\JavaCore.exe" [2008-02-28 09:03 144896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS2\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 12:00 208952]
"PHIME2002ASync"="C:\WINDOWS2\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 12:00 455168]
"PHIME2002A"="C:\WINDOWS2\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 12:00 455168]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27 860160]
"IgfxTray"="C:\WINDOWS2\system32\igfxtray.exe" [2004-12-13 14:43 155648]
"HotKeysCmds"="C:\WINDOWS2\system32\hkcmd.exe" [2004-12-13 14:38 126976]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-09-07 16:28 213054]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-26 23:25 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Generic Host Process for WinXP Services"="mshelp.exe" [2008-02-28 08:48 86528 C:\WINDOWS2\system32\mshelp.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Generic Host Process for WinXP Services"="mshelp.exe" [2008-02-28 08:48 86528 C:\WINDOWS2\system32\mshelp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS2\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^Dom West^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Dom West\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS2\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2004-08-24 11:20 88363 C:\WINDOWS2\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-02-08 16:38 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 13:24 290816 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-04-11 15:21 794624 C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 18:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 03:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-10-04 12:31 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-26 23:25 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3186:UDP"= 3186:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"3187:UDP"= 3187:UDP:Windows Media Format SDK (IEXPLORE.EXE)

R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS2\system32\DRIVERS\avcstrm.sys [2004-08-03 23:10]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2007-02-10 05:29]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS2\system32\DRIVERS\mstape.sys [2004-08-03 23:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-26 12:13:04 C:\WINDOWS2\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-29 10:45:04 C:\WINDOWS2\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 11:24:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????7?7?0?3??????? ???B???????????????B? ??????
Generic Host Process for WinXP Services = mshelp.exe?
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Generic Host Process for WinXP Services = mshelp.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-29 11:29:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-29 11:29:47
.
2008-02-28 09:24:53 --- E O F ---

And here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:55, on 29/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS2\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS2\system32\igfxtray.exe
C:\WINDOWS2\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS2\system32\mshelp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS2\explorer.exe
C:\WINDOWS2\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DOMWES~1\LOCALS~1\Temp\Rar$EX00.594\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS2\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS2\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS2\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS2\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS2\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Generic Host Process for WinXP Services] mshelp.exe
O4 - HKLM\..\RunServices: [Generic Host Process for WinXP Services] mshelp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS2\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS2\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS2\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS2\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS2\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS2\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7380 bytes

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 February 2008 - 10:34 PM

Hello,

You're welcome. :thumbsup:

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u4.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
I notice that you do not seem to be running Antivirus software. This is somewhat suicidal in today's digital world. That's why I want you to install one!!

AVG, Avira OR Avast are good FREE antivirus programs. Run a full system scan with the one you choose and let it clean what it finds.

How is it running now, please?

Thanks,
tea

#5 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 March 2008 - 03:28 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic