

Infected With Ad Pop-up Possibly Vundo


  • This topic is locked
15 replies to this topic

#1 jlegnosky

jlegnosky

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 11 March 2008 - 09:29 PM

I am having an issue with some sort of pop-up malware. I've come across a couple of posts that list some of the files that keep popping up as potential files associated with the Vundo virus. I downloaded a Vundo fix program but it does not seem to help. I can clean the issue up, but as soon as I reboot it starts all over again. I have used multiple scanning and cleaning tools and nothing seems to work. I also seem to have something that is using up a lot of my processor's availability; it may be one and the same issue. I have Security Task Manager, which has shown that TMListen is one of the processor hogs. According to the listing in Security Task Manager it is part of my anti-virus program, but when I quarantine TMListen my processor issues improve dramatically. If you need any further information please let me know.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:19 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BMbb39b505] Rundll32.exe "C:\WINDOWS\system32\ubivabfe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server01.hagersmith.com:4343/office...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://server01.hagersmith.com:4343/office...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://server01.hagersmith.com:4343/office...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://server01.hagersmith.com:4343/office.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192733269781
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://server01.hagersmith.com:4343/SMB/co...root/AtxEnc.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\Software\..\Telephony: DomainName = hagersmith.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hagersmith.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 9375 bytes


I thought it might be more helpful to post a log from right after a reboot, before I quarantined any running programs, so here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:19 AM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\TEMP\UH8401.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BMbb39b505] Rundll32.exe "C:\WINDOWS\system32\omlndhuk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server01.hagersmith.com:4343/office...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://server01.hagersmith.com:4343/office...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://server01.hagersmith.com:4343/office...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://server01.hagersmith.com:4343/office.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192733269781
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://server01.hagersmith.com:4343/SMB/co...root/AtxEnc.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\Software\..\Telephony: DomainName = hagersmith.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hagersmith.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 9232 bytes

Edited by jlegnosky, 12 March 2008 - 07:39 AM.
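As an added triage example (my code, not part of the thread and not a tool from BleepingComputer, HijackThis or ComboFix): the two logs above contain the same Run value, BMbb39b505, loading ubivabfe.dll in the first snapshot and omlndhuk.dll after the reboot, each time through Rundll32 with a one-letter export. The Python below parses the O4 section of two HijackThis logs taken a reboot apart and flags that pattern. The two log excerpts are copied from the posts above; the regexes and the two heuristics (rundll32 payload name changing between snapshots, and a one-letter export name) are my own assumptions, not a published detection rule.

```python
"""Triage helper for HijackThis O4 (Run key) entries.

Added example, not from the thread. Compares two HijackThis logs taken a
reboot apart and flags Run entries whose rundll32-loaded DLL changed between
the snapshots, plus rundll32 loads that call a one-letter export. Both
heuristics are illustrative assumptions, not a vendor signature.
"""
import re

# O4 lines copied from the two HijackThis logs posted in the thread
# (before and after the reboot); only the O4 section is needed here.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BMbb39b505] Rundll32.exe "C:\WINDOWS\system32\ubivabfe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BMbb39b505] Rundll32.exe "C:\WINDOWS\system32\omlndhuk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - HKLM\..\Run: [ValueName] command line"  (assumed HijackThis 2.0.2 layout)
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] ?(.*)$')

# rundll32[.exe] <dll>[,<export>]  with the DLL path optionally quoted
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+)"?(?:,(\S*))?', re.IGNORECASE)


def parse_o4(log_text):
    """Return {value_name: (hive, command)} for every O4 Run line in the log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, cmd = m.groups()
            entries[name] = (hive, cmd.strip())
    return entries


def rundll32_target(command):
    """Return (dll_path, export) if the command loads a DLL via rundll32, else None."""
    m = RUNDLL_RE.match(command)
    if not m:
        return None
    return m.group(1), (m.group(2) or "")


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(before, after):
    """Compare two snapshots; return [(value_name, reason), ...] findings."""
    a, b = parse_o4(before), parse_o4(after)
    findings = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            findings.append((name, "new autostart entry since previous snapshot"))
        t_before = rundll32_target(a[name][1]) if name in a else None
        t_after = rundll32_target(b[name][1]) if name in b else None
        # Heuristic 1 (assumed): same Run value, different DLL after a reboot.
        if t_before and t_after and basename(t_before[0]) != basename(t_after[0]):
            findings.append((name, "rundll32 payload changed across reboot: "
                                   f"{basename(t_before[0])} -> {basename(t_after[0])}"))
        # Heuristic 2 (assumed): legitimate vendor DLLs export readable names;
        # a one-letter export is worth a human look.
        for t in (t_after, t_before):
            if t and len(t[1]) == 1:
                findings.append((name, f"rundll32 calls one-letter export '{t[1]}' in {basename(t[0])}"))
                break
    return findings


if __name__ == "__main__":
    for value_name, reason in triage(LOG_BEFORE, LOG_AFTER):
        print(f"[{value_name}] {reason}")
```

Run as-is it reports only BMbb39b505, for both reasons; the NVIDIA and Java entries load through rundll32 too but keep the same DLL and export across the reboot, which is why the comparison, rather than the mere presence of rundll32, carries the signal. Diffing snapshots this way is also what makes a payload that renames itself on every boot visible, which fits the poster's report that cleanup never survives a restart.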


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:04 AM

Posted 12 March 2008 - 04:38 PM

Hello jlegnosky,

Welcome to Bleeping Computer :thumbsup:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 jlegnosky

jlegnosky
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 13 March 2008 - 07:38 PM

Ok, here is the ComboFix log followed by the HJT log. The system seems to be running a bit better already.



ComboFix 08-03-13.4 - jason 2008-03-13 20:08:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1405 [GMT -4:00]
Running from: C:\Documents and Settings\jason\My Documents\My Received Files\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ajqxbopu.dll
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\exrvyugw.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\htgcnkyy.ini
C:\WINDOWS\system32\jiafrhba.dll
C:\WINDOWS\system32\kapertbm.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rcjngnsj.dll
C:\WINDOWS\system32\vkkssfwh.dll
C:\WINDOWS\system32\yykncgth.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-13 15:02 . 2008-03-13 15:03 414 ---hs---- C:\WINDOWS\system32\bychpbvn.ini
2008-03-12 15:00 . 2008-03-13 15:00 354 ---hs---- C:\WINDOWS\system32\ddicurae.ini
2008-03-12 13:41 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-12 13:04 . 2008-03-12 13:04 <DIR> d-------- C:\Program Files\eRoom 7
2008-03-12 13:04 . 2008-03-12 13:04 <DIR> d-------- C:\Documents and Settings\jason\Application Data\eRoom
2008-03-12 13:04 . 2008-03-12 13:04 <DIR> d-------- C:\DOCUME~1\jason\APPLIC~1\eRoom
2008-03-11 15:01 . 2008-03-11 19:10 354 ---hs---- C:\WINDOWS\system32\ydfxwwes.ini
2008-03-11 13:56 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-11 13:36 . 2008-03-11 13:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-11 13:36 . 2008-03-11 13:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-11 13:36 . 2008-03-11 13:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-11 13:35 . 2008-03-11 14:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 06:36 . 2008-03-11 15:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-11 06:36 . 2008-03-11 06:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2008-03-10 21:41 . 2008-03-10 21:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-10 21:41 . 2008-03-10 21:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2008-03-10 21:40 . 2008-03-10 21:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-10 14:58 . 2008-03-11 08:40 1,318,223 ---hs---- C:\WINDOWS\system32\heptqakr.ini
2008-03-10 09:16 . 2008-03-10 09:34 <DIR> d-------- C:\Program Files\Security Task Manager
2008-03-10 09:16 . 2008-03-12 08:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SecTaskMan
2008-03-10 00:06 . 2008-03-10 07:33 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-09 16:28 . 2008-03-09 16:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-09 14:58 . 2008-03-10 08:37 1,307,690 --ahs---- C:\WINDOWS\system32\lsykqtlg.ini
2008-03-09 14:04 . 2008-03-10 08:52 <DIR> d-------- C:\VundoFix Backups
2008-03-09 11:52 . 2008-03-09 13:12 1,307,570 --ahs---- C:\WINDOWS\system32\pkmrkcpp.ini
2008-03-07 14:19 . 2008-03-07 14:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-07 14:07 . 2008-03-07 14:51 <DIR> d-------- C:\SDFix
2008-03-07 13:47 . 2008-03-07 13:47 244 --ah----- C:\sqmnoopt00.sqm
2008-03-07 13:47 . 2008-03-07 13:47 232 --ah----- C:\sqmdata00.sqm
2008-03-03 15:02 . 2008-03-07 16:33 <DIR> d-------- C:\Program Files\Windows Live
2008-03-03 15:02 . 2008-03-03 15:03 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 15:02 . 2008-03-03 15:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\WLInstaller
2008-02-22 15:25 . 2008-02-24 13:59 <DIR> d-------- C:\Documents and Settings\jason\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 13:18 --------- d-----w C:\Program Files\Java
2008-03-12 01:53 --------- d-----w C:\Program Files\Trend Micro
2008-03-11 19:00 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-11 18:50 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-07 20:35 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\WinZip
2008-03-07 20:29 --------- d-----w C:\Program Files\Print Exec LT
2008-03-03 19:04 --------- d-----w C:\Program Files\MSN Messenger
2008-02-06 19:56 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Microsoft Help
2008-02-06 18:38 --------- d-----w C:\Program Files\Microsoft Works
2008-02-06 18:09 --------- d-----w C:\Program Files\sunburner
2008-02-06 18:05 --------- d-----w C:\Program Files\Digital Locker Assistant
2008-02-06 18:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-06 17:48 --------- d-----w C:\Program Files\IrfanView
2007-10-26 13:39 128,431,768 -c--a-w C:\Program Files\SetupDWGTrueView.exe
2006-07-21 18:41 349 -c--a-w C:\Program Files\INSTALL.LOG
2006-06-16 17:25 431,104 -c--a-w C:\Program Files\6-15choate.dgn
2003-12-18 15:33 20,102 -c--a-w C:\Program Files\Readme.txt
2003-09-03 11:46 10,960 -c--a-w C:\Program Files\EULA.txt
2007-05-29 14:10 19,104 -c--a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2007-06-18 14:15 94,872 -c--a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
2007-05-29 14:11 81,920 -c--a-w C:\Program Files\mozilla firefox\plugins\atsc3cls.dll
2007-05-29 14:11 92,320 -c--a-w C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-20 22:36 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-02-28 14:31 839680]
"ShowLOMControl"="1 (0x1)" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-21 20:03 7557120]
"nwiz"="nwiz.exe" [2006-03-21 20:03 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-03-21 20:03 73728 C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 12:17 282624 C:\WINDOWS\stsystra.exe]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2006-11-10 01:17 381005]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\jason\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - C:\Program Files\eRoom 7\ERClient7.exe [2008-03-12 13:04:23 153352]

C:\DOCUME~1\jason\STARTM~1\Programs\Startup\
Monitor My eRooms (V7).lnk - C:\Program Files\eRoom 7\ERClient7.exe [2008-03-12 13:04:23 153352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= C:\WINDOWS\system32\ieframe.dll [2007-12-06 22:21 6066176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxutsr]
byxutsr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3594009498-570935319-3462869367-1312\Scripts\Logon\0\0]
"Script"=MappedDrives.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\msgsys.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk® PXE TCP Port
"67:UDP"= 67:UDP:LANDesk® PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 20:15:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\TEMP\DP8B7B.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-13 20:27:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 00:27:08
.
2008-03-12 02:36:24 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:30, on 2008-03-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\TEMP\DP8B7B.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server01.hagersmith.com:4343/office...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://server01.hagersmith.com:4343/office...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://server01.hagersmith.com:4343/office...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://server01.hagersmith.com:4343/office.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192733269781
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://qceroom.qualcomm.com/eRoomSetup/client.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://server01.hagersmith.com:4343/SMB/co...root/AtxEnc.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\Software\..\Telephony: DomainName = hagersmith.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hagersmith.com
O20 - Winlogon Notify: byxutsr - byxutsr.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 9517 bytes

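The log above is read by eye in the thread; as an added example (not code from the thread, from HijackThis or from ComboFix), this Python script applies the same triage a responder does on a HijackThis log: a randomly named executable running from C:\WINDOWS\TEMP, an O20 Winlogon Notify entry whose DLL is missing, and O23 services whose binaries are gone, and it emits the Registry:: lines in the CFScript layout teacup61 posts later. The sample log is a constructed excerpt whose lines are copied from the thread; the rule names and notes are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a short excerpt, in HijackThis v2.0.2 layout, of the
# log posted above (paths copied from the thread).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\TEMP\DP8B7B.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O20 - Winlogon Notify: byxutsr - byxutsr.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
"""

# A short, random-looking name running straight out of the Windows TEMP folder,
# like DP8B7B.EXE / AKD639.EXE in the thread.
TEMP_EXE = re.compile(r"^[A-Z]:\\WINDOWS\\TEMP\\[A-Z0-9]{4,8}\.EXE$", re.IGNORECASE)
# HijackThis appends this marker when the referenced file no longer exists.
FILE_MISSING = re.compile(r"\(file missing\)\s*$")
# O20 lines: "O20 - Winlogon Notify: <subkey> - <dll> [(file missing)]"
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)")

# Parent key of the O20 subkeys, as written in the CFScript in the thread.
WINLOGON_NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


@dataclass(frozen=True)
class Finding:
    rule: str   # which check fired
    line: str   # the offending log line, verbatim
    note: str   # what a responder should do with it


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return the lines worth a second look.

    These are leads, not verdicts: the poster later identified the thread's
    own TEMP executable as Trend Micro's OfcDog watchdog, so every hit still
    needs verification before anything is deleted.
    """
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if TEMP_EXE.match(line):
                findings.append(Finding(
                    "temp-exe", line,
                    "randomly named executable running from the TEMP folder: check its "
                    "embedded strings and publisher before deleting anything"))
            continue
        if O20_NOTIFY.match(line):
            if FILE_MISSING.search(line):
                note = "Winlogon Notify entry pointing at a DLL that no longer exists: delete the subkey"
            else:
                note = "Winlogon Notify DLL present: verify its publisher before acting"
            findings.append(Finding("winlogon-notify", line, note))
            continue
        if line.startswith("O23 - ") and FILE_MISSING.search(line):
            findings.append(Finding(
                "orphan-service", line,
                "service whose binary is missing: harmless on its own, clean up afterwards"))
    return findings


def cfscript_registry_lines(findings) -> list:
    """Build the Registry:: section of a ComboFix CFScript for every orphaned
    Winlogon Notify finding, in the layout teacup61 posted: a leading '-' on
    the bracketed key asks ComboFix to delete that key."""
    keys = []
    for f in findings:
        m = O20_NOTIFY.match(f.line)
        if m and FILE_MISSING.search(f.line):
            keys.append("[-%s\\%s]" % (WINLOGON_NOTIFY_KEY, m.group("name")))
    return ["Registry::"] + keys if keys else []


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print("%-16s %s\n                 -> %s" % (h.rule, h.line, h.note))
    print("\n".join(cfscript_registry_lines(hits)))
```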
#4 jlegnosky

jlegnosky
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 13 March 2008 - 10:50 PM

After reboot the only odd program that I'm still seeing in Security Task Manager is a file that changes its name every time I reboot. It always has a program symbol of a dog and is always located in the TEMP folder. This time it is listed as C:\\WINDOWS\TEMP\AKD639.EXE.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:04 AM

Posted 13 March 2008 - 11:37 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\bychpbvn.ini
C:\WINDOWS\system32\ddicurae.ini
C:\WINDOWS\system32\ydfxwwes.ini
C:\WINDOWS\system32\heptqakr.ini
C:\WINDOWS\system32\lsykqtlg.ini
C:\WINDOWS\system32\pkmrkcpp.ini
C:\WINDOWS\TEMP\DP8B7B.EXE
C:\\WINDOWS\TEMP\AKD639.EXE

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxutsr]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#6 jlegnosky

jlegnosky
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 14 March 2008 - 07:44 AM

OK, here's the combo fix log, followed by the hjt log.

ComboFix 08-03-13.4 - jason 2008-03-14 8:34:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1479 [GMT -4:00]
Running from: C:\Documents and Settings\jason\My Documents\My Received Files\ComboFix.exe
Command switches used :: C:\Documents and Settings\jason\My Documents\My Received Files\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\\WINDOWS\TEMP\AKD639.EXE
C:\WINDOWS\system32\bychpbvn.ini
C:\WINDOWS\system32\ddicurae.ini
C:\WINDOWS\system32\heptqakr.ini
C:\WINDOWS\system32\lsykqtlg.ini
C:\WINDOWS\system32\pkmrkcpp.ini
C:\WINDOWS\system32\ydfxwwes.ini
C:\WINDOWS\TEMP\DP8B7B.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bychpbvn.ini
C:\WINDOWS\system32\ddicurae.ini
C:\WINDOWS\system32\heptqakr.ini
C:\WINDOWS\system32\lsykqtlg.ini
C:\WINDOWS\system32\pkmrkcpp.ini
C:\WINDOWS\system32\ydfxwwes.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-12 13:41 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-12 13:04 . 2008-03-12 13:04 <DIR> d-------- C:\Program Files\eRoom 7
2008-03-12 13:04 . 2008-03-12 13:04 <DIR> d-------- C:\Documents and Settings\jason\Application Data\eRoom
2008-03-11 13:56 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-11 13:36 . 2008-03-11 13:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-11 13:36 . 2008-03-11 13:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-11 13:36 . 2008-03-11 13:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-11 13:35 . 2008-03-11 14:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 06:36 . 2008-03-11 15:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-11 06:36 . 2008-03-11 06:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2008-03-10 21:41 . 2008-03-10 21:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-10 21:41 . 2008-03-10 21:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2008-03-10 21:40 . 2008-03-10 21:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-10 09:16 . 2008-03-10 09:34 <DIR> d-------- C:\Program Files\Security Task Manager
2008-03-10 09:16 . 2008-03-13 23:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SecTaskMan
2008-03-10 00:06 . 2008-03-10 07:33 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-09 16:28 . 2008-03-09 16:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-09 14:04 . 2008-03-10 08:52 <DIR> d-------- C:\VundoFix Backups
2008-03-07 14:19 . 2008-03-07 14:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-07 14:07 . 2008-03-07 14:51 <DIR> d-------- C:\SDFix
2008-03-07 13:47 . 2008-03-07 13:47 244 --ah----- C:\sqmnoopt00.sqm
2008-03-07 13:47 . 2008-03-07 13:47 232 --ah----- C:\sqmdata00.sqm
2008-03-03 15:02 . 2008-03-07 16:33 <DIR> d-------- C:\Program Files\Windows Live
2008-03-03 15:02 . 2008-03-03 15:03 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 15:02 . 2008-03-03 15:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\WLInstaller
2008-02-22 15:25 . 2008-02-24 13:59 <DIR> d-------- C:\Documents and Settings\jason\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 13:18 --------- d-----w C:\Program Files\Java
2008-03-12 01:53 --------- d-----w C:\Program Files\Trend Micro
2008-03-11 19:00 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-11 18:50 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-07 20:35 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\WinZip
2008-03-07 20:29 --------- d-----w C:\Program Files\Print Exec LT
2008-03-03 19:04 --------- d-----w C:\Program Files\MSN Messenger
2008-02-06 19:56 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Microsoft Help
2008-02-06 18:38 --------- d-----w C:\Program Files\Microsoft Works
2008-02-06 18:09 --------- d-----w C:\Program Files\sunburner
2008-02-06 18:05 --------- d-----w C:\Program Files\Digital Locker Assistant
2008-02-06 18:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-06 17:48 --------- d-----w C:\Program Files\IrfanView
2007-12-14 15:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-10-26 13:39 128,431,768 -c--a-w C:\Program Files\SetupDWGTrueView.exe
2006-07-21 18:41 349 -c--a-w C:\Program Files\INSTALL.LOG
2006-06-16 17:25 431,104 -c--a-w C:\Program Files\6-15choate.dgn
2003-12-18 15:33 20,102 -c--a-w C:\Program Files\Readme.txt
2003-09-03 11:46 10,960 -c--a-w C:\Program Files\EULA.txt
2007-05-29 14:10 19,104 -c--a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2007-06-18 14:15 94,872 -c--a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
2007-05-29 14:11 81,920 -c--a-w C:\Program Files\mozilla firefox\plugins\atsc3cls.dll
2007-05-29 14:11 92,320 -c--a-w C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-13_20.27.01.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-13 23:51:50 71,370 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-14 12:27:17 71,370 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-13 23:51:50 439,832 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-14 12:27:18 439,832 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-20 22:36 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-02-28 14:31 839680]
"ShowLOMControl"="1 (0x1)" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-21 20:03 7557120]
"nwiz"="nwiz.exe" [2006-03-21 20:03 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-03-21 20:03 73728 C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 12:17 282624 C:\WINDOWS\stsystra.exe]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2006-11-10 01:17 381005]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\jason\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - C:\Program Files\eRoom 7\ERClient7.exe [2008-03-12 13:04:23 153352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= C:\WINDOWS\system32\ieframe.dll [2007-12-06 22:21 6066176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3594009498-570935319-3462869367-1312\Scripts\Logon\0\0]
"Script"=MappedDrives.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\msgsys.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk® PXE TCP Port
"67:UDP"= 67:UDP:LANDesk® PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 08:38:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-14 8:38:41
ComboFix-quarantined-files.txt 2008-03-14 12:38:34
ComboFix2.txt 2008-03-14 00:27:12
.
2008-03-12 02:36:24 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:40, on 2008-03-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server01.hagersmith.com:4343/office...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://server01.hagersmith.com:4343/office...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://server01.hagersmith.com:4343/office...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://server01.hagersmith.com:4343/office.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192733269781
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://qceroom.qualcomm.com/eRoomSetup/client.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://server01.hagersmith.com:4343/SMB/co...root/AtxEnc.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\Software\..\Telephony: DomainName = hagersmith.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hagersmith.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 9361 bytes

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:04 AM

Posted 14 March 2008 - 08:40 AM

Hello,

Any sign of the morphing temp file? Both of those logs look good. How is it running please? :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#8 jlegnosky

jlegnosky
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 14 March 2008 - 09:05 AM

It's running better, but the morphing file has returned now that I have re-booted. This time it is called AK57DF.EXE but of course that will change if I have to re-boot again. The only constant is the running dog symbol next to it and that Security Task Manager cannot identify a title or manufacturer for it.

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:04 AM

Posted 14 March 2008 - 09:22 AM

Try deleting it in safe mode.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#10 jlegnosky

jlegnosky
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 14 March 2008 - 10:55 AM

I tried to remove it in safe mode but it just came back once I re-booted. Oddly enough it didn't start-up in safe mode but it still changed its name for the reboot. After taking a closer look at the Security Task Manager program (I only dl'd it recently and haven't had a chance to check out all the bells and whistles) I noticed there is a "Text in file" box. I looked in the text for that particular file and did a search on the name ofcdog that shows up several times in the text file. It appears to be part of Trend Micro's antivirus program so I'm guessing it's ok to stay. I'm including a copy of the text file for the program for you to look at so if you get another user with the mysterious morphing dog program you'll be familiar with it and not have to go through another wild goose chase (or I suppose dog chase would be more appropriate).

Text from the morphing dog file:

Max Log
This program cannot be run in DOS mode.
QQESVWxj Ye
runtime error
TLOSS error
DOMAIN error
abnormal program termination
Microsoft Visual C
Runtime Error
program name unknown
Application Path
There is an ofcdog instance exist. Dont create another.
Process Register to watchdog by Name
Process UnRegister to watchdog by Name
Service Register to watchdog by NAME
This is the only one instance.
Another instance is running. Process returns.
WinMain entry.
OfcDog Load tmdbg20.dll error, Error code u
The malicious process s
DUMP m_arServiceGuard
DUMP m_arProcessGuard
DUMP dwID, cPath, cName, nRetryCount, nRetryCountLimit
OK OnCreate, GetCurrentDirectory
OK OnClose
FAILRegServThe process is NOT a valid process, cName s, cPath s
OK RegServThe process is add to m_arServiceGuard, cName s, cPath s
FAILOnRegProcByNameThe process is NOT a valid process, cName s, cPath s
OK RegProcThe process is add to m_arProcessGuard, cName s, cPath s
OK RegProcThe process was registered before, cName s, cPath s, wRetryCount d, wRetryInterval d
FAILOnRegServByNameGetProcessInfoByName fail, cName s, cPath s
FAILUnRegProc Cant find, cName s, cPath s
OK UnRegProc remove from m_arServiceGuard, cName s, cPath s
OK UnRegProc remove from m_arProcessGuard, cName s, cPath s
OK OnRegProcByNameThe process is add to m_arProcessGuard, cName s, cPath s
OK OnRegProcByNameThe process was registered before, cName s, cPath s, wRetryCount d, wRetryInterval d
FAILOnRegProcByNameGetProcessInfoByName fail, cName s, cPath s
FAILOnRegServByNamebPopServbPopNamebPopPath, bPopServ d, bPopName d, bPopPath d, cService s, cName s, cPath s
FAILOnRegServByNameThe process is NOT a valid process, cName s, cPath s
OK OnRegServByNameThe process is add to m_arServiceGuard, cName s, cPath s
OK OnRegServByNameThe process was registered before, cName s, cPath s, wRetryCount d, wRetryInterval d
OK OnUnRegProcByName remove from m_arServiceGuard, cName s, cPath s
OK OnUnRegProcByName remove from m_arProcessGuard, cName s, cPath s
FAILOnUnRegProcByName Cant find, cName s, cPath s
FAILFail to LoadLibrary kernel32.dll , err_no d
FAILFail to GetProcAddress RegisterServiceProcess , err_no d
OK RegisterAsService
MSG GuardAlert s
Default Retry Interval
Default Retry Count
Application Filename
OFCNT Process Name
OFCNT Service Name
Global Setting
Dog Process Name
TmListen Process Name
TmListen Service Name
OfcPfwSvc Process Name
OfcPfwSvc Service Name
PccNTMon Process Name
d, MonitorTick d
----------------
abcdefghijklmnopqrstuvwxyz
NKeb
.AVtype_info
.AVCUserException
.AVCResourceException
.AVCTempGdiObject
.AVCGdiObject
.AVCTempMenu
.AVCMapPtrToPtr
.AVCHandleMap
.AVCArchiveException
.AUCThreadData
.AVCNotSupportedException
.AVCMemoryException
.AVCSimpleException
.AVCException
.PAVCMemoryException
.PAVCSimpleException
.PAVCObject
.AVCNoTrackObject
.AVCTempWnd
.AVCTestCmdUI
.AVCCmdTarget
.PAVCArchiveException
.PAVCException
.AVCStringArray
d,RetryCount
Monitor, RetryTick
d MonitorTick d
d,RetryCount
Alive, RetryTick
d tries.
restarted successfully after
Client
Wait for WakeUP, CountDown d
PrevName
pccntmon.exe
OfcPfwSvc.exe
tmlisten
tmlisten.exe
CreateToolhelp32Snapshot
Process32First
Process32Next
Module32First
Module32Next
EnumProcesses
GetModuleFileNameExA
GetModuleBaseNameA
EnumProcessModules
WatchDogRetry
WatchDogCheckInterval
Corp\CurrentVersiona
Software\
WatchDog
ofcdog.exe
ofcscan.ini
\ofcscan.ini
WatchDogRunInTempDir
WatchDogUseRandomName
ntrtscan
ntrtscan.exe
Mode
Server
VirtualPath
/cgionspeciallog.exe
ServerPort
UseProxy
ProxyServer
ProxyPort
ProxyLogin
ProxyPwd
CgiOnSpecialLog
_dogtemp_
ddesc
stype
sscomputer
kernel32.dll
RegisterServiceProcess
FAILOnUnRegProcByNamebPopNamebPopPath
DogVarServiceName
DogVarProcessName
DogVarProcessPath
FAILOnRegProcByNamebPopNamebPopPath
OnCreate
Global\OFCDOGUNLOCKDONE
ClientFolder
u attacked OfficeScan Client. The malicious process had been terminated and renamed as s.
\ofcdebug.ini
SD_InitDebug_with_Ini_0200
SD_TraceA_0200
spccwin97.exe
OfficeScan95
Software\Microsoft\Windows\CurrentVersion\RunServices
ImmDisableIME
upgrade.exe
ClientFolderTemp\
GetModuleHandleA
FreeLibrary
Kernel32.dll
VirtualAllocEx
VirtualFreeEx
CreateRemoteThread
OsceProt.dll
loadhttp.dll
C_UnRegWatchDog_Ofc_TMLISTEN
C_UnRegWatchDog_Ofc_PCCNTMON
C_UnRegWatchDog_Ofc_OFCPFWSVC
C_UnRegWatchDog_Ofc
C_RegWatchDog_Ofc_TMLISTEN
C_RegWatchDog_Ofc_PCCNTMON
C_RegWatchDog_Ofc_OFCPFWSVC
C_RegWatchDog_Ofc
C_IsIPChanged
UnRegWatchDog_Ofc_TMLISTEN
UnRegWatchDog_Ofc_PCCNTMON
UnRegWatchDog_Ofc_OFCPFWSVC
UnRegWatchDog_Ofc_NTRT
UnRegWatchDog_Ofc_95
UnRegWatchDog_Ofc
StepRetryTmProcessGuard
StepMonitorTmProcessGuard
SetRetryTickLimitTmProcessGuard
SetRetryCountLimitTmProcessGuard
SetProcessIDTmProcessGuard
SetMonitorTmProcessGuard
RetryWakeupProcessTmServiceGuard
RetryWakeupProcessTmProcessGuard
ResetRetryVarTmProcessGuard
ResetRetryTickTmProcessGuard
ResetRetryCountTmProcessGuard
ResetMonitorTmProcessGuard
RegWatchDog_Ofc_TMLISTEN
RegWatchDog_Ofc_PCCNTMON
RegWatchDog_Ofc_OFCPFWSVC
RegWatchDog_Ofc_NTRT
RegWatchDog_Ofc_95
RegWatchDog_Ofc
QBEXAAVCStringArray
QueryAllLogTmProcessGuard
IsValidProcessTmProcessGuard
IsTheSameTmProcessGuard
IsTheSameTmProcessGuard
QBE_NABVCString
IsTheSameTmProcessGuard
IsRetryNowTmProcessGuard
IsProcessAliveTmServiceGuard
IsProcessAliveTmProcessGuard
IsNTPlatform
IsMonitorTmProcessGuard
IsIPChanged
QBEXAAKAAVCString
GetGuardInfoTmProcessGuard
QAE_NAAVCStringArray
CheckProcessTmProcessGuard
BackupServiceTmServiceGuard
_7TmServiceGuard
_7TmProcessGuard
4TmServiceGuard
4TmProcessGuard
1TmServiceGuard
1TmProcessGuard
0TmServiceGuard
0TmServiceGuard
0TmServiceGuard
0TmProcessGuard
0TmProcessGuard
0TmProcessGuard
OfcDog.exe
DeleteServicepRegNotifyChangeKeyValue
CreateServiceA
StartServiceAUQueryServiceStatus
EOpenSCManagerA
GOpenServiceA
CloseServiceHandle
dRegDeleteValueAPQueryServiceConfigA4
RegSetValueExA
rRegOpenKeyExA_RegCreateKeyExA
RegQueryValueExA
RegCloseKey
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
OpenPrinterA
DocumentPropertiesA
ClosePrinter
comdlg32.dll
Escape
ExtTextOutA
TextOutA
RectVisible
PtVisible
ScaleWindowExtEx
SetWindowExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
SetMapMode
_GetStockObject
SelectObject
RestoreDC
DeleteDC
GetDeviceCapsP
DeleteObject
CreateBitmap
OGetObjectA
SetBkColor
SetTextColor
GetClipBox
DrawTextAdGrayStringA
DestroyMenusTabbedTextOutA
ReleaseDC
DGetSysColorBrush
ClientToScreen
PtInRect
GetClassNameA
IsWindowEnabled
SetWindowTextA
GetMenuCheckMarkDimensions
LoadBitmapA
GetMenuState
ModifyMenuA
CheckMenuItem9SetMenuItemBitmaps
EnableMenuItem
LoadStringA3GetNextDlgTabItem
MapWindowPoints
CGetSysColor
PeekMessageA
GetFocus
/SetFocus
AdjustWindowRectEx
GetClientRect
CopyRect
EnableWindow
MessageBoxALGetTopWindow
5GetParent
GetCapture
WinHelpA
GetClassInfoA
RegisterClassA
GetMenu
GetMenuItemCount
GetMenuItemIDBGetSubMenu
GetDlgItem
GetWindowTextA
GetDlgCtrlID
GetKeyState
bSetWindowsHookExA
CallNextHookEx
GetClassLongA
UnhookWindowsHookExBSetPropA
GetPropA
CallWindowProcA
RemovePropA
GetMessageTime
,GetMessagePos
GetLastActivePopup
GetForegroundWindow
RGetWindow0SetForegroundWindow
VGetWindowLongA
XSetWindowLongA
SetWindowPos
qSystemParametersInfoA
IsIconic
GetWindowPlacement
\GetWindowRect
FGetSystemMetrics
SendMessageA
PostMessageA
FindWindowA
wsprintfA
KillTimer
DestroyWindow
PostQuitMessageRSetTimer
DefWindowProcA
CreateWindowExA
jShowWindow
UpdateWindow
LoadIconA
LoadCursorA
RegisterClassExA
GetMessageA
DispatchMessageA
TranslateMessage
RegisterWindowMessageA
bSetEnvironmentVariableA
CompareStringW
CompareStringA
SetStdHandle
IsBadCodePtr
IsBadReadPtr
SetUnhandledExceptionFilter
IsBadWritePtr
VirtualFree
HeapCreate
HeapDestroy
GetEnvironmentVariableA
GetFileType
RGetStdHandle
mSetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
VGetStringTypeW
SGetStringTypeA
LCMapStringW
LCMapStringA
HeapReAlloc
HeapSize
RaiseException
HeapFree
HeapAlloc
ExitProcess
GetCommandLineA
PGetStartupInfoA
GetLocalTime
GetSystemTime
pGetTimeZoneInformation
ExitThread
CreateThread
/RtlUnwind
GetFileAttributesA
FlushFileBuffers
WriteFilejSetFilePointer
GetCurrentProcess
GetCPInfo1GetOEMCP
GlobalFlagsEGetProcessVersion
TlsGetValue,ResumeThread
LocalReAlloc
TlsSetValue
GlobalAlloc
GlobalReAlloc
GlobalLock
GlobalHandle
GlobalUnlock
GlobalFree
TlsAlloc
qSetLastError
GetCurrentThreadId
GlobalGetAtomNameA
GlobalAddAtomA
GlobalFindAtomA
GlobalDeleteAtom
MultiByteToWideChar
WideCharToMultiByte
InterlockedDecrement
InterlockedIncrement
WaitForMultipleObjects
lstrlenA
LocalAlloc
LocalFree
GetModuleFileNameA
TerminateProcess
MoveFileExA
tGetVersion
VirtualAlloc
DeleteFileA
CopyFileA4GetPrivateProfileIntAmGetTickCount
CreateProcessA
SleepD
uGetVersionExA
GetComputerNameA
eGetTempPathA
DeleteCriticalSectioncGetTempFileNameA
CreateEventA
InitializeCriticalSection1
GetCurrentDirectoryA
lstrcmpiA
OpenFile
FindFirstFileA
FindNextFileA
FindClose
EnterCriticalSection
_lclosef
LeaveCriticalSection
eSetEvent
ResetEvent
YGetSystemDirectoryA
GetLastError
CreateMutexA
GetModuleHandleA
WaitForSingleObject
GetExitCodeThread
OpenProcess
CloseHandle
ReadProcessMemory
WriteProcessMemory
lstrcatA
GetCurrentProcessId
LoadLibraryA
GetProcAddress
FreeLibrary
MessageBoxA
GetActiveWindow
GetLastActivePopup
JanFebMarAprMayJunJulAugSepOctNovDec
SunMonTueWedThuFriSat
GAIsProcessorFeaturePresent
Program
Runtime Library
floating point not loaded
not enough space for arguments
not enough space for environment
not enough space for thread data
unexpected multithread lock error
unexpected heap error
unable to open console device
not enough space for _onexit/atexit table
pure virtual function call
not enough space for stdio initialization
not enough space for lowio initialization
unable to initialize heap
null
null
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
June
July
August
September
October
November
December
CResourceException
CUserException
CGdiObject
CTempGdiObject
CMenu
CTempMenu
CMapPtrToPtr
combobox
CCmdTarget
CArchiveException
CException
CMemoryException
CNotSupportedException
InitCommonControlsEx
commctrl_DragListMsg
GetSystemMetrics
MonitorFromWindow
MonitorFromRect
MonitorFromPoint
EnumDisplayMonitors
GetMonitorInfoA
AfxOleControl42s
AfxFrameOrView42s
AfxMDIFrame42s
AfxControlBar42s
AfxOldWndProc423
CTempWnd
CObject
CStringArray
wawlwzZwonw
EjPu
EujX
ujjVQMj
FhiA
FtSu
EumA
_ujSh
EhiA
VhiA
VhiA
EuCu
EPuhn
Vugu
EsquS
BWuu
Yut9ut
0SVWe39pBj_uW
tItIuPj
YuWu
JudL
BuWj
ujtj
csmu
tP8csmu,9xv
BufEf
BufEf
BufEf
VuWe
Ot,ou
8O\ltxu
uhdFBh
.data
.rdata
.text
CRich
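
The check a practitioner would want at this point, as an added example that is not part of the original thread and not Trend Micro's own code: a small Python triage script that does what the "Text in file" box does (pulls printable strings out of a binary), looks for the product markers visible in the dump above (ofcdog.exe, WatchDogRunInTempDir, WatchDogUseRandomName, _dogtemp_, ofcscan.ini), flags the process-manipulation imports that are also in the dump (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, OpenProcess, TerminateProcess), and compares the random-named copy in TEMP against the installed ofcdog.exe by SHA-256. Two things are assumed and not confirmed by the thread: that the watchdog copies itself to TEMP byte-for-byte unchanged, and that the marker strings are stable across builds. The sample byte blobs are constructed stand-ins, not real binaries.

```python
"""Triage an unknown process image the way the post above did by hand:
pull printable strings, look for product markers, flag injection-capable
imports, and compare the file against a known-good copy by hash.
Added example; not code from the thread or from Trend Micro."""
import hashlib
import re
from typing import List, Optional

# Strings present in the dump above that identify the OfficeScan watchdog.
# Assumption: they are stable across builds of ofcdog.exe.
PRODUCT_MARKERS = (
    b"ofcdog.exe",
    b"WatchDogRunInTempDir",
    b"WatchDogUseRandomName",
    b"_dogtemp_",
    b"ofcscan.ini",
)

# Imports (also in the dump) that let a process tamper with other processes.
# Worth flagging in any unknown binary, legitimate product or not.
INJECTION_IMPORTS = (
    b"VirtualAllocEx",
    b"WriteProcessMemory",
    b"CreateRemoteThread",
    b"OpenProcess",
    b"TerminateProcess",
)


def extract_strings(data: bytes, min_len: int = 4) -> List[bytes]:
    """Runs of printable ASCII of at least min_len bytes, like `strings`."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage(data: bytes) -> dict:
    """Summarise what a raw image contains, without executing it."""
    blob = b"\n".join(extract_strings(data))
    markers = [m.decode() for m in PRODUCT_MARKERS if m in blob]
    injectors = [i.decode() for i in INJECTION_IMPORTS if i in blob]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "product_markers": markers,
        "injection_imports": injectors,
        # Three independent markers is an arbitrary threshold for
        # "this file claims to be ofcdog"; a claim, not proof.
        "looks_like_ofcdog": len(markers) >= 3,
    }


def same_binary(a: bytes, b: bytes) -> bool:
    """True when two images are byte-identical (compared by SHA-256)."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def verdict(temp_copy: bytes, installed_copy: Optional[bytes]) -> str:
    """Decide what the random-named TEMP file is.

    Assumption: the watchdog copies itself to TEMP unchanged, so a hash
    match against the installed ofcdog.exe is conclusive; a strings match
    alone is only a claim the file makes about itself."""
    if installed_copy is not None and same_binary(temp_copy, installed_copy):
        return "identical to the installed ofcdog.exe: Trend Micro watchdog"
    info = triage(temp_copy)
    if info["looks_like_ofcdog"]:
        return ("strings match the Trend Micro watchdog but no installed copy "
                "matched: verify the publisher signature before trusting it")
    if info["injection_imports"]:
        return "unknown binary with process-injection imports: treat as suspect"
    return "unknown binary: no product markers found"


def verdict_for_paths(temp_path: str, installed_path: Optional[str]) -> str:
    """Same check over real files, e.g. the YSB2AA.EXE in C:\\WINDOWS\\TEMP
    versus the ofcdog.exe in the Client Server Security Agent folder."""
    with open(temp_path, "rb") as f:
        temp_copy = f.read()
    installed = None
    if installed_path:
        with open(installed_path, "rb") as f:
            installed = f.read()
    return verdict(temp_copy, installed)


# Constructed stand-ins for real images: a DOS-stub prefix plus NUL-separated
# strings. These are not real binaries.
SAMPLE_OFCDOG = b"MZ\x90\x00\x03\x00" + b"\x00".join([
    b"This program cannot be run in DOS mode.",
    b"There is an ofcdog instance exist. Dont create another.",
    b"WatchDogRunInTempDir", b"WatchDogUseRandomName", b"_dogtemp_",
    b"ofcdog.exe", b"ofcscan.ini", b"tmlisten.exe",
    b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
    b"OpenProcess", b"TerminateProcess",
]) + b"\x00" * 16

SAMPLE_UNKNOWN = b"MZ\x90\x00\x03\x00" + b"\x00".join([
    b"This program cannot be run in DOS mode.",
    b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
    b"urlmon.dll", b"URLDownloadToFileA",
]) + b"\x00" * 16

if __name__ == "__main__":
    print(verdict(SAMPLE_OFCDOG, SAMPLE_OFCDOG))
    print(verdict(SAMPLE_OFCDOG, None))
    print(verdict(SAMPLE_UNKNOWN, SAMPLE_OFCDOG))
```

A hash match with the installed copy settles the question; a strings match alone only says the file claims to be the watchdog, so the publisher signature on the installed ofcdog.exe should be checked as well. Note that the very strings in the dump that identify it (WatchDogRunInTempDir, WatchDogUseRandomName, CopyFileA, GetTempFileNameA, CreateRemoteThread) describe exactly the behaviour that made it look like malware: a product that copies itself into TEMP under a random name and injects into other processes is indistinguishable from a dropper until it is tied back to a known file.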

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:04 AM

Posted 14 March 2008 - 04:54 PM

Hello,

Well I never......okie dokie then. Thanks for the info. I've never used Trend personally, and have never heard such a thing. The info will certainly come in handy! :blink: Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Can I see a final HijackThis log after the last removals? :thumbsup:

Thanks,
tea

#12 jlegnosky

jlegnosky
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 14 March 2008 - 05:18 PM

Since you've been so helpful to me I'm glad I could return the favor with that little tidbit of new info for you.

Here's the latest and greatest hjt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\TEMP\YSB2AA.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server01.hagersmith.com:4343/office...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://server01.hagersmith.com:4343/office...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://server01.hagersmith.com:4343/office...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://server01.hagersmith.com:4343/office.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192733269781
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://qceroom.qualcomm.com/eRoomSetup/client.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://server01.hagersmith.com:4343/SMB/co...root/AtxEnc.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\Software\..\Telephony: DomainName = hagersmith.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hagersmith.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hagersmith.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 9431 bytes

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:04 AM

Posted 16 March 2008 - 05:03 PM

Hi there,

Looks good. :thumbsup:
Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea

#14 jlegnosky

jlegnosky
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 16 March 2008 - 09:36 PM

Thank you very much for your time and expertise.

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:04 AM

Posted 16 March 2008 - 11:13 PM

You're most welcome.



