
Winreanimator & Braviax.exe


10 replies to this topic

#1 mark J Chomiczewski

Posted 15 March 2008 - 12:30 AM

Hi,

I was instructed by another forum to download HijackThis and post the log file. Unfortunately, after downloading the program, it will not launch, even in Safe Mode. I have been battling this malware for days now, and my many attempts and software downloads have had no success. My latest attempt was to run Gmer and post the log. I then downloaded KillBox and entered two C: drive paths to remove, but it didn't work. Now I am trying to grab a log file from HijackThis... but it will not work.

Help!

Mark



#2 ourwilly

Posted 15 March 2008 - 08:33 AM

Hello mark J Chomiczewski

Please print out these instructions or copy and paste this fix into Notepad for future reference as you will be required to reboot into Safe Mode.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum and also please try running HijackThis and posting this log back to me.
Thank you.

#3 mark J Chomiczewski
  • Topic Starter

Posted 15 March 2008 - 08:41 AM

Hi,

Thanks for your help! I will try this again, but when I did this several days ago it ran for about 3 seconds after clicking Y, then went into a blue screen with lots of text scrolling down, and lasted only seconds so I could not read the entire contents before rebooting. I could grasp "INVALID_PROCESS_ATTACH_ATTEMPT".

I also tried Smitfraud, Combofix, Malwarebytes Anti-Malware, Killbox... and Gmer for some type of log. In most cases, I've had to rename the file because the program simply would not launch. This is just for your background... I'm willing to try as often as needed to get this fixed.

I could never get beyond that... but I will try once more and let you know.

Thanks again!!

Mark

#4 mark J Chomiczewski
  • Topic Starter

Posted 15 March 2008 - 08:51 AM

Hi again,

Just tried SDFix, and the same thing happened. I got that blue screen with Invalid Attach Attempt and then a reboot. How can I get around this?

For your information, here are the two Gmer attempts I made... but in neither case did it get rid of the damn thing:

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-14 21:27:50
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\Beep.SYS ZwQuerySystemInformation [0xF7928194]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Parallels\Parallels Tools\cohrence.exe[300] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 10002240 C:\Program Files\Parallels\Parallels Tools\prlhook.dll (Parallels Helper Hook/Parallels Software International, Inc.)
.text C:\Program Files\Parallels\Parallels Tools\cohrence.exe[300] USER32.dll!EndPaint 7E41B61D 5 Bytes JMP 10002610 C:\Program Files\Parallels\Parallels Tools\prlhook.dll (Parallels Helper Hook/Parallels Software International, Inc.)
.text C:\Program Files\Parallels\Parallels Tools\cohrence.exe[300] USER32.dll!SetLayeredWindowAttributes 7E41EDDA 5 Bytes JMP 10002640 C:\Program Files\Parallels\Parallels Tools\prlhook.dll (Parallels Helper Hook/Parallels Software International, Inc.)
.text C:\Program Files\Parallels\Parallels Tools\cohrence.exe[300] USER32.dll!UpdateLayeredWindow 7E41F5EB 5 Bytes JMP 100027F0 C:\Program Files\Parallels\Parallels Tools\prlhook.dll (Parallels Helper Hook/Parallels Software International, Inc.)

---- Processes - GMER 1.0.14 ----

Process C:\WINDOWS\system32\braviax.exe (*** hidden *** ) 1900

---- EOF - GMER 1.0.14 ----

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-14 22:52:49
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\Beep.SYS ZwQuerySystemInformation [0xF78D8194]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Parallels\Parallels Tools\cohrence.exe[1120] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 10002240 C:\Program Files\Parallels\Parallels Tools\prlhook.dll (Parallels Helper Hook/Parallels Software International, Inc.)
.text C:\Program Files\Parallels\Parallels Tools\cohrence.exe[1120] USER32.dll!EndPaint 7E41B61D 5 Bytes JMP 10002610 C:\Program Files\Parallels\Parallels Tools\prlhook.dll (Parallels Helper Hook/Parallels Software International, Inc.)
.text C:\Program Files\Parallels\Parallels Tools\cohrence.exe[1120] USER32.dll!SetLayeredWindowAttributes 7E41EDDA 5 Bytes JMP 10002640 C:\Program Files\Parallels\Parallels Tools\prlhook.dll (Parallels Helper Hook/Parallels Software International, Inc.)
.text C:\Program Files\Parallels\Parallels Tools\cohrence.exe[1120] USER32.dll!UpdateLayeredWindow 7E41F5EB 5 Bytes JMP 100027F0 C:\Program Files\Parallels\Parallels Tools\prlhook.dll (Parallels Helper Hook/Parallels Software International, Inc.)

---- Processes - GMER 1.0.14 ----

Process C:\WINDOWS\braviax.exe (*** hidden *** ) 1944

---- EOF - GMER 1.0.14 ----

#5 mark J Chomiczewski
  • Topic Starter

Posted 15 March 2008 - 09:11 AM

OK, I was finally able to get HijackThis to work. Here is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:01 AM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Parallels\Parallels Tools\cohrence.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Parallels\Parallels Tools\toolsrv.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\mark\Desktop\Hijac.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [Parallels Tools] C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
O4 - HKLM\..\Run: [SharedInternetApplication] "C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe" /start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [BMe34861d2] Rundll32.exe "C:\WINDOWS\system32\dnajjesp.dll",s
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165553607854
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domainfp.noonanmachine.com
O17 - HKLM\Software\..\Telephony: DomainName = domainfp.noonanmachine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domainfp.noonanmachine.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: nnnomjk - nnnomjk.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Parallels Coherence Service (cohrence) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\cohrence.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Parallels Tools Utility Service (toolsrv) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\toolsrv.exe

--
End of file - 7655 bytes

#6 ourwilly

Posted 15 March 2008 - 11:03 AM

Hello mark J Chomiczewski

Please download OTMoveIt by OldTimer: http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Save it to your desktop. Please do not run it yet!


Before we can use HijackThis, you must place it into its own folder. If we ever need to restore any item, this folder will safely store all entries and enable us to use the "Back-up" feature that HijackThis offers. To create a new folder on the C: drive:

Open My Computer (Windows key + E), then double click on Local Disk (C:).
Once open, right click and select New > Folder and name the folder as you wish (eg: HJT).
Please now move HijackThis.exe into the new folder.

Once moved Open HijackThis again, select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [BMe34861d2] Rundll32.exe "C:\WINDOWS\system32\dnajjesp.dll",s
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: nnnomjk - nnnomjk.dll (file missing)

Close all other open windows and click on Fix checked, then exit HijackThis.


Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\cru629.dat


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
When it finishes, use your mouse to Copy the contents of the right-hand panel. Open a new Notepad document, and paste the results. Save the document with a name and location you will remember later.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please post a new HijackThis log and the OTMoveIt results.

Thank you.

Edited by ourwilly, 15 March 2008 - 11:04 AM.
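The two logs above line up: GMER (post #4) reports an SSDT hook on ZwQuerySystemInformation from Beep.SYS and a hidden braviax.exe process, and the HijackThis log (post #5) shows a Run value that starts braviax.exe by bare filename, an AppInit_DLLs value and an orphaned Winlogon Notify entry, which is what the fix list in post #6 targets. The script below is an added example, not part of this thread or of either tool: it parses constructed sample lines shaped like the posted logs, applies a few explicit triage heuristics (its own, not HijackThis rules), and cross-references the hidden process against Run-key persistence. It deliberately does not flag the KernelFaultCheck entry, which is a crash-dump leftover rather than a persistence mechanism.

```python
"""Triage the GMER and HijackThis entries quoted in this thread.

Added example, not the thread's own tooling. Sample lines are constructed
from the logs posted above; the rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the GMER output posted in this thread.
GMER_SAMPLE = r"""
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\Drivers\Beep.SYS ZwQuerySystemInformation [0xF7928194]
---- Processes - GMER 1.0.14 ----
Process C:\WINDOWS\system32\braviax.exe (*** hidden *** ) 1900
"""

# Constructed sample: a subset of the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [BMe34861d2] Rundll32.exe "C:\WINDOWS\system32\dnajjesp.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: nnnomjk - nnnomjk.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass(frozen=True)
class Finding:
    source: str  # "gmer", "hjt", or "both" when the two logs corroborate
    entry: str   # Run value name, hook, or process path
    reason: str


SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[0x[0-9A-Fa-f]+\]")
HIDDEN_RE = re.compile(r"^Process\s+(.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(\d+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\]\s*(.*)$")


def parse_gmer(text):
    """Return (ssdt_hooks, hidden_processes) from GMER output."""
    hooks, hidden = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks.append((m.group(1), m.group(2)))
        m = HIDDEN_RE.match(line)
        if m:
            hidden.append((m.group(1), int(m.group(2))))
    return hooks, hidden


def first_token(command):
    """Executable part of a Run-key command, surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def parse_run_entries(text):
    """All O4 Run values as (value name, executable)."""
    return [(m.group(2), first_token(m.group(3)))
            for m in map(O4_RE.match, text.splitlines()) if m]


def triage_hjt(text):
    """Apply this example's heuristics to HijackThis lines."""
    findings = []
    for line in text.splitlines():
        # F2: an empty Shell= in system.ini is residue of a shell hijack.
        if line.startswith("F2 - REG:system.ini: Shell=") and line.endswith("Shell="):
            findings.append(Finding("hjt", "Shell=", "empty system.ini Shell value"))
        # O20 AppInit_DLLs: whatever is listed is loaded into every process
        # that loads user32.dll, so any non-empty value needs review.
        if line.startswith("O20 - AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].strip()
            if dlls:
                findings.append(Finding("hjt", "AppInit_DLLs", f"{dlls} injected into every user32 process"))
        # O20 Winlogon Notify whose DLL is gone: orphaned notification package.
        if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
            name = line.split(":", 1)[1].split(" - ", 1)[0].strip()
            findings.append(Finding("hjt", name, "Winlogon Notify package with missing DLL"))
    for name, exe in parse_run_entries(text):
        base = exe.rsplit("\\", 1)[-1].lower()
        if base in ("rundll32.exe", "rundll32"):
            findings.append(Finding("hjt", name, "rundll32 loader; verify the DLL it loads"))
        elif "\\" not in exe:
            # A bare filename is resolved by PATH search at logon, which is how
            # a file dropped into a system directory gets started.
            findings.append(Finding("hjt", name, f"bare filename {exe} resolved via PATH"))
    return findings


def correlate(gmer_text, hjt_text):
    """Combine both logs: hooks, hidden processes, and persistence that matches them."""
    findings = triage_hjt(hjt_text)
    hooks, hidden = parse_gmer(gmer_text)
    for module, target in hooks:
        why = "kernel service table hook"
        if target == "ZwQuerySystemInformation":
            why = "hook on the process-enumeration service, the classic way to hide a process"
        findings.append(Finding("gmer", f"{module} -> {target}", why))
    run_by_base = {exe.rsplit("\\", 1)[-1].lower(): name for name, exe in parse_run_entries(hjt_text)}
    for path, pid in hidden:
        base = path.rsplit("\\", 1)[-1].lower()
        if base in run_by_base:
            findings.append(Finding("both", path, f"hidden process (pid {pid}) also persists via Run value [{run_by_base[base]}]"))
        else:
            findings.append(Finding("gmer", path, f"hidden process (pid {pid})"))
    return findings


if __name__ == "__main__":
    for f in correlate(GMER_SAMPLE, HJT_SAMPLE):
        print(f"[{f.source}] {f.entry}: {f.reason}")
```

Run it as a script to print one line per finding. The "both" finding is the useful one for a helper: a process that GMER can only see as hidden, with the same basename as a Run value, is a much stronger signal than either log on its own, and it explains why tools that enumerate processes through the hooked service (Task Manager, HijackThis's process list) never showed braviax.exe.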


#7 mark J Chomiczewski
  • Topic Starter

Posted 15 March 2008 - 11:43 AM

First....many thanks for the help!

OK, here are the logs... first the OTMoveIt log, then the new HijackThis log:

File/Folder C:\WINDOWS\system32\braviax.exe not found.
File/Folder C:\WINDOWS\braviax.exe not found.
C:\WINDOWS\system32\cru629.dat moved successfully.
C:\WINDOWS\cru629.dat moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03152008_113718



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:27 AM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Parallels\Parallels Tools\cohrence.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Parallels\Parallels Tools\toolsrv.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Fix\Hijac.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Parallels Tools] C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
O4 - HKLM\..\Run: [SharedInternetApplication] "C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe" /start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMe34861d2] Rundll32.exe "C:\WINDOWS\system32\dnajjesp.dll",s
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165553607854
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domainfp.noonanmachine.com
O17 - HKLM\Software\..\Telephony: DomainName = domainfp.noonanmachine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domainfp.noonanmachine.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Parallels Coherence Service (cohrence) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\cohrence.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Parallels Tools Utility Service (toolsrv) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\toolsrv.exe

--
End of file - 7156 bytes

#8 ourwilly

Posted 15 March 2008 - 12:23 PM

Hello mark J Chomiczewski

Please go to: http://virusscan.jotti.org/
At the top, select the Browse button, then navigate to this file and submit it to be scanned:
C:\WINDOWS\system32\dnajjesp.dll
Please copy and paste any results in your next reply.


Open HijackThis again, select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O4 - HKLM\..\Run: [BMe34861d2] Rundll32.exe "C:\WINDOWS\system32\dnajjesp.dll",s

Close all other open windows and click on Fix checked, then exit HijackThis.


Can you please now try downloading a fresh copy of ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
When the tool is finished, it will produce a report for you.


Please post the ComboFix log, a new HijackThis log and the Jotti results

Thank you

#9 mark J Chomiczewski
  • Topic Starter

Posted 15 March 2008 - 01:16 PM

OK, here are the logs in the order you asked for: Combofix, HijackThis and Jotti. I ran HijackThis first, then Jotti, then Combofix. I was a little concerned the dll file for Jotti wouldn't be there after running HijackThis, but it was. Anyway, here you go:

ComboFix 08-03-14.4 - mark 2008-03-15 13:04:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.694 [GMT -5:00]
Running from: C:\Documents and Settings\mark\Desktop\ComboF.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\BMe34861d2.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\csqvcmxf.dll
C:\WINDOWS\system32\dnajjesp.dll
C:\WINDOWS\system32\fakihhet.dll
C:\WINDOWS\system32\fxmcvqsc.ini
C:\WINDOWS\system32\hihkj.ini
C:\WINDOWS\system32\hihkj.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\movfgyhb.dll
C:\windows\system32\sys.exe
C:\WINDOWS\system32\winivstr.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-15 11:37 . 2008-03-15 11:37 <DIR> d-------- C:\_OTMoveIt
2008-03-15 11:30 . 2008-03-15 12:55 <DIR> d-------- C:\Fix
2008-03-15 08:44 . 2008-03-14 10:32 <DIR> d-------- C:\SDFix
2008-03-14 15:29 . 2008-03-15 13:08 69 --a------ C:\WINDOWS\pxisys.ini
2008-03-14 15:29 . 2008-03-15 13:08 30 --a------ C:\WINDOWS\pxiesys.ini
2008-03-14 15:21 . 2008-03-14 15:21 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-14 15:20 . 2008-03-14 15:20 <DIR> d-------- C:\Program Files\Test Lab Professional DS-V
2008-03-14 15:17 . 2008-03-14 15:26 109,101 --a------ C:\WINDOWS\system32\niorbmap
2008-03-14 15:15 . 2008-03-14 15:23 <DIR> d-------- C:\Program Files\National Instruments
2008-03-14 13:10 . 2008-03-14 13:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-03-14 12:46 . 2008-03-14 12:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-14 12:46 . 2008-03-14 12:46 <DIR> d-------- C:\Documents and Settings\mark\Application Data\Malwarebytes
2008-03-14 12:46 . 2008-03-14 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-14 12:45 . 2008-03-14 12:45 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-14 09:45 . 2008-03-14 09:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-14 09:45 . 2008-03-14 09:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-14 09:45 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-14 09:45 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-14 09:45 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-14 09:45 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-13 23:00 . 2008-03-13 23:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sammsoft
2008-03-13 22:57 . 2008-03-13 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-03-13 22:38 . 2008-03-13 22:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ESTsoft
2008-03-13 22:13 . 2008-03-13 22:16 1,978 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-13 16:56 . 2008-03-14 10:38 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2008-03-13 16:56 . 2008-03-13 16:56 <DIR> d-------- C:\Documents and Settings\mark\Application Data\Sammsoft
2008-03-13 13:08 . 2008-03-13 13:33 <DIR> d-------- C:\Program Files\Google
2008-03-13 10:27 . 2008-03-13 10:28 1,344,310 ---hs---- C:\WINDOWS\system32\ravmiumc.ini
2008-03-12 18:54 . 2001-04-27 14:02 101,200 --a------ C:\WINDOWS\system32\pdfshell.dll
2008-03-12 18:54 . 2001-10-11 16:34 77,824 --a------ C:\WINDOWS\system32\adistres.dll
2008-03-12 18:54 . 2001-03-15 05:18 20,584 --------- C:\WINDOWS\system32\PdfPorts.dll
2008-03-12 18:53 . 2008-03-12 18:53 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-12 18:52 . 2008-03-12 18:52 <DIR> d-------- C:\Documents and Settings\mark\Application Data\InterTrust
2008-03-11 19:18 . 2008-03-15 13:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 19:18 . 2008-03-11 19:18 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-11 11:33 . 2008-03-11 11:33 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-11 11:05 . 2008-03-15 09:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 11:01 . 2008-03-11 11:01 19,283 --a------ C:\WINDOWS\myjud.db
2008-03-11 11:01 . 2008-03-11 11:01 18,009 --a------ C:\Documents and Settings\All Users\Application Data\cuzomede.sys
2008-03-11 11:01 . 2008-03-11 11:01 17,278 --a------ C:\Program Files\Common Files\ycidatos.sys
2008-03-11 11:01 . 2008-03-11 11:01 16,757 --a------ C:\Documents and Settings\All Users\Application Data\seki.scr
2008-03-11 11:01 . 2008-03-11 11:01 14,864 --a------ C:\Documents and Settings\All Users\Application Data\mehokyhesu.bat
2008-03-11 11:01 . 2008-03-11 11:01 12,907 --a------ C:\Documents and Settings\All Users\Application Data\aqiza.exe
2008-03-11 11:01 . 2008-03-11 11:01 12,029 --a------ C:\WINDOWS\system32\afugaseka.vbs
2008-03-11 11:01 . 2008-03-11 11:01 11,424 --a------ C:\WINDOWS\udinyv.scr
2008-03-11 10:33 . 2008-03-11 10:33 18,472 --a------ C:\Program Files\Common Files\kapiqi.com
2008-03-11 10:33 . 2008-03-11 10:33 18,354 --a------ C:\WINDOWS\system32\yxawikivu._sy
2008-03-11 10:33 . 2008-03-11 10:33 16,606 --a------ C:\Program Files\Common Files\qabeni.dat
2008-03-11 10:33 . 2008-03-11 10:33 16,376 --a------ C:\WINDOWS\system32\oresehiko._sy
2008-03-11 10:33 . 2008-03-11 10:33 15,765 --a------ C:\Documents and Settings\All Users\Application Data\ahivicit.dll
2008-03-11 10:33 . 2008-03-11 10:33 15,754 --a------ C:\Program Files\Common Files\kikata.sys
2008-03-11 10:33 . 2008-03-11 10:33 14,970 --a------ C:\WINDOWS\system32\semepy.exe
2008-03-11 10:33 . 2008-03-11 10:33 14,156 --a------ C:\Documents and Settings\All Users\Application Data\ijano.com
2008-03-11 10:33 . 2008-03-11 10:33 12,984 --a------ C:\Documents and Settings\All Users\Application Data\etor.com
2008-03-11 09:58 . 2008-03-11 09:58 2,368 --a------ C:\WINDOWS\system32\SVKP.sys
2008-03-11 09:10 . 2008-03-11 09:10 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-04 16:40 . 2008-03-14 21:08 <DIR> d-------- C:\Documents and Settings\mark\Application Data\skypePM
2008-03-04 16:40 . 2008-03-04 16:40 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-04 16:39 . 2008-03-15 13:08 <DIR> d-------- C:\Documents and Settings\mark\Application Data\Skype
2008-03-04 16:38 . 2008-03-04 16:38 <DIR> d-------- C:\Program Files\Skype
2008-03-04 16:38 . 2008-03-04 16:38 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-04 16:38 . 2008-03-04 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-02-22 17:46 . 2008-02-27 00:16 <DIR> d-------- C:\Program Files\Calculator
2008-02-22 17:46 . 2008-02-22 17:46 249,856 --------- C:\WINDOWS\Setup1.exe
2008-02-22 17:46 . 2008-02-22 17:46 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-02-22 12:38 . 2008-02-22 12:38 <DIR> d-------- C:\Program Files\iPod
2008-02-15 19:19 . 2008-02-15 19:19 <DIR> d-------- C:\Program Files\ESTsoft
2008-02-15 19:19 . 2008-02-15 19:19 <DIR> d-------- C:\Documents and Settings\mark\Application Data\ESTsoft
2008-02-15 11:05 . 2008-02-26 10:31 <DIR> d-------- C:\Documents and Settings\mark\Application Data\Apple Computer
2008-02-15 11:04 . 2008-03-11 11:45 <DIR> d-------- C:\Program Files\iTunes
2008-02-15 11:04 . 2008-02-15 11:04 <DIR> d-------- C:\Program Files\Bonjour
2008-02-15 11:03 . 2008-02-15 11:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-15 11:03 . 2008-03-11 11:45 <DIR> d-------- C:\Program Files\QuickTime
2008-02-15 11:03 . 2008-01-15 03:39 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-02-15 11:02 . 2008-02-15 11:02 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-15 10:12 . 2008-02-15 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 23:02 --------- d-----w C:\Program Files\4D
2008-03-12 23:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-07 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\4D
2008-02-16 00:16 --------- d-----w C:\Program Files\WinAce
2008-02-15 16:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-15 15:12 --------- d-----w C:\Program Files\Apple Software Update
2008-02-15 04:33 --------- d-----w C:\Documents and Settings\mark\Application Data\EDrawings
2008-02-15 04:33 --------- d-----w C:\Documents and Settings\mark\Application Data\DassaultSystemes
2008-02-15 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\DassaultSystemes
2008-02-14 18:09 --------- d-----w C:\Documents and Settings\mark\Application Data\Parallels
2008-02-14 05:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EDrawings
2008-02-14 05:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DassaultSystemes
2008-02-14 05:52 --------- d-----w C:\Program Files\Common Files\SolidWorks Shared
2008-02-14 05:52 --------- d-----w C:\Program Files\Common Files\eDrawings2008
2008-02-07 23:50 --------- d-----w C:\Documents and Settings\mark\Application Data\4D
2008-02-03 15:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 15:12 --------- d-----w C:\Program Files\Lab.Equipment
2008-02-03 14:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Parallels
2007-08-06 14:52 6,148 ----a-w C:\Program Files\.DS_Store
2003-04-10 15:47 9,303,552 ----a-w C:\Program Files\vpnclient_en.msi
2003-04-10 15:47 778 ----a-w C:\Program Files\vpnclient_en.ini
2003-04-10 15:47 31,744 ----a-w C:\Program Files\vpnclient_en.exe
2003-04-10 15:47 1,822,520 ----a-w C:\Program Files\instmsiw.exe
2003-04-10 15:47 1,708,856 ----a-w C:\Program Files\instmsi.exe
2004-03-15 22:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 15:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 19:40 132,848 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.
Files Infected - Win32.Agent.zb
C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-11 11:32 385024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Parallels Tools"="C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe" [2008-03-11 11:32 1064960]
"SharedInternetApplication"="C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe" [2008-03-11 11:32 77824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-11 11:32 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-11 11:32 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"62515:UDP"= 62515:UDP:Cisco VPN

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys [2006-10-12 20:37]
R1 PrlNP;PrlNP;C:\WINDOWS\system32\DRIVERS\prlfs.sys [2007-12-03 16:04]
R2 cohrence;Parallels Coherence Service;"C:\Program Files\Parallels\Parallels Tools\cohrence.exe" [2007-12-03 16:00]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-07-27 10:00]
R2 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.dll [2005-07-27 08:58]
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe" [2006-07-15 19:47]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2006-07-13 12:04]
R2 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers\nidmxfk.dll [2006-07-20 00:19]
R2 niemrk;niemrk;C:\WINDOWS\system32\drivers\niemrk.dll [2006-07-20 18:50]
R2 nifslk;nifslk;C:\WINDOWS\system32\drivers\nifslk.dll [2006-07-16 03:16]
R2 nimxpk;nimxpk;C:\WINDOWS\system32\drivers\nimxpk.dll [2006-07-16 00:55]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2006-07-18 09:34]
R2 niswdk;niswdk;C:\WINDOWS\system32\drivers\niswdk.dll [2006-08-23 11:29]
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2006-07-25 17:36]
R2 nixsrk;nixsrk;C:\WINDOWS\system32\drivers\nixsrk.dll [2006-07-20 18:50]
R2 prl_paravirt_32;Parallels Paravirtualization Driver;C:\WINDOWS\system32\drivers\prl_paravirt_32.sys [2007-12-03 16:03]
R2 PrlTime;Parallels Time Synchronization Driver;C:\WINDOWS\system32\drivers\PrlTime.sys [2007-12-03 16:04]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2008-03-11 09:58]
R2 toolsrv;Parallels Tools Utility Service;C:\Program Files\Parallels\Parallels Tools\toolsrv.exe [2007-12-03 16:00]
R2 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.dll [2006-07-16 02:22]
R3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers\nicdrk.dll [2006-07-16 00:50]
R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers\nimdbgk.dll [2006-07-13 11:34]
R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers\nimru2k.dll [2006-07-13 12:58]
R3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers\nimsdrk.dll [2006-07-16 00:05]
R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers\nimstsk.dll [2006-07-16 00:07]
R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers\nimxdfk.dll [2006-07-13 12:30]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2006-07-13 11:22]
R3 niscdk;niscdk;C:\WINDOWS\system32\drivers\niscdk.dll [2006-07-16 00:42]
R3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers\nisdigk.dll [2006-07-16 02:22]
R3 nitiork;nitiork;C:\WINDOWS\system32\drivers\nitiork.dll [2006-07-16 00:57]
R3 PCITG;PCITG;C:\WINDOWS\system32\drivers\pcitg.sys [2007-12-03 16:04]
R3 prleth;Parallels Network Adapter;C:\WINDOWS\system32\DRIVERS\prleth.sys [2007-12-03 16:03]
R3 PrlMouse;Parallels Mouse Synchronization Tool;C:\WINDOWS\system32\DRIVERS\PrlMouse.sys [2007-12-03 16:04]
R3 PrlVideo;PrlVideo;C:\WINDOWS\system32\DRIVERS\PrlVideo.sys [2007-12-03 16:04]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-09 17:29]
S3 nidsark;nidsark;C:\WINDOWS\system32\drivers\nidsark.dll [2006-07-20 18:39]
S3 niesrk;niesrk;C:\WINDOWS\system32\drivers\niesrk.dll [2006-07-20 18:50]
S3 nimslk;nimslk;C:\WINDOWS\system32\drivers\nimslk.dll [2006-06-05 18:03]
S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers\nimsrlk.dll [2006-06-05 18:03]
S3 nisftk;nisftk;C:\WINDOWS\system32\drivers\nisftk.dll [2006-07-16 00:39]
S3 nismbusk;nismbusk;C:\WINDOWS\system32\drivers\nismbusk.sys [2006-07-18 09:51]
S3 nispdk;nispdk;C:\WINDOWS\system32\drivers\nispdk.dll [2006-07-16 00:42]
S3 nissrk;nissrk;C:\WINDOWS\system32\drivers\nissrk.dll [2006-07-20 18:50]
S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers\nistc2k.dll [2006-06-06 00:21]
S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers\nistcrk.dll [2006-07-16 00:57]
S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers\niwfrk.dll [2006-07-20 18:50]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 08:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{337cd0b1-d89e-11db-94e8-00f7cb1330c7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCIER/system.exe

*Newly Created Service* - NIPALK
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 15:12:38 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 13:08:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\System32\prlnp.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-03-15 13:10:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 18:09:57
.
2008-03-12 13:49:21 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:12 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Parallels\Parallels Tools\cohrence.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Parallels\Parallels Tools\toolsrv.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Fix\Hijac.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Parallels Tools] C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
O4 - HKLM\..\Run: [SharedInternetApplication] "C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe" /start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMe34861d2] Rundll32.exe "C:\WINDOWS\system32\dnajjesp.dll",s
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165553607854
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domainfp.noonanmachine.com
O17 - HKLM\Software\..\Telephony: DomainName = domainfp.noonanmachine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domainfp.noonanmachine.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Parallels Coherence Service (cohrence) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\cohrence.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Parallels Tools Utility Service (toolsrv) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\toolsrv.exe

--
End of file - 7205 bytes




File: dnajjesp.dll
Status: INFECTED/MALWARE
MD5: ac3d815fc55c4a126b4e1a4a31fcf937
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 15 Mar 2008 17:46:14 (GMT)
A-Squared Found nothing
AntiVir Found TR/Vundo.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found AdWare.W32.Virtumonde.gen
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.gen
NOD32 Found nothing
Norman Virus Control Found W32/Virtumonde.NJO
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found Adware.Vundo.Gen!Pac.18
VBA32 Found nothing

#10 mark J Chomiczewski


Posted 15 March 2008 - 04:01 PM

Hi,

I may have jumped ahead of myself. I hoped that everything was fixed, but I don't think so. I ran a PC Tools scan and it found some bugs and fixed them. Here is the latest HijackThis log. I hope I didn't make things worse. It looks as if the Winreanimator is gone, but something is still running in the background: the computer runs slowly, and the hard disk keeps spinning...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:56, on 2008-03-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Parallels\Parallels Tools\cohrence.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Parallels\Parallels Tools\toolsrv.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\userinit.exe
C:\Fix\Hijac.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Parallels Tools] C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
O4 - HKLM\..\Run: [SharedInternetApplication] "C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe" /start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165553607854
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domainfp.noonanmachine.com
O17 - HKLM\Software\..\Telephony: DomainName = domainfp.noonanmachine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domainfp.noonanmachine.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Parallels Coherence Service (cohrence) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\cohrence.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Parallels Tools Utility Service (toolsrv) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\toolsrv.exe

--
End of file - 7400 bytes

#11 ourwilly


Posted 15 March 2008 - 05:37 PM

Hello mark J Chomiczewski

Please reboot your computer and enter Safe Mode (tap the F8 key just before Windows starts to load, then select Safe Mode).

Then please try running SDFix.exe.

Once this has finished, reboot back into Normal mode.

Please now use Internet Explorer and run this online scan with Kaspersky WebScanner:

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings.
In the scan settings, make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases


Click OK.
Now, under "Select a target to scan", select My Computer.

The program will start and scan your system. This will take a while, so be patient and let it run.

When the scan has completed, click Save Report As a Text File.
Enter a name for the file in the "Filename:" text box, then click the down arrow to the right of "Save as type:" and select text file (*.txt).
Click Save. By default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste that information in your next post, along with the SDFix report.

Thank you



