
I Believe This Is Virtuamonde


  • This topic is locked
8 replies to this topic

#1 dazy

dazy

  • Members
  • 4 posts

Posted 19 March 2008 - 01:22 AM

It started with an infection that NOD alerted me to, and was attempting to quarantine.
LOG:
3/17/2008 7:29:10 PM Real-time file system protection file C:\WINDOWS\system32\geede.dll Win32/Adware.Virtumonde application cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\lsass.exe.
Only it didn't. It was unable to. This alert went on for about an hour...
3/17/2008 8:28:20 PM Real-time file system protection file C:\WINDOWS\system32\geede.dll Win32/Adware.Virtumonde application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\lsass.exe.
I had been browsing at the time, and the effects were a very slow browser (FF) and all ads on pages being replaced with an ad that claimed "my privacy data was at risk, click to scan". Bright shiny red and very serious looking, like they really meant it.
I turned my NIC off and started the cleaning process. I was battling NOD and attempted deletes of the file, and restarts, etc. No luck. NOD kept "finding and alerting" and attempting to quarantine. I was unable to delete manually, until I used a process unlocker to get at it. I was able to delete it, and the alerts stopped.
I did a manual scan, then deleted the object manually, deleted restore points, temp files, browser temps and cache.
Finally got a good scan, and clean out of NOD.

C:\WINDOWS\system32\geede.dll - Win32/Adware.Virtumonde application - cleaned by deleting (after the next restart) - quarantined [1,2]
Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.
Scan Log
Version of virus signature database: 2954 (20080318)
Date: 3/17/2008 Time: 7:38:48 PM
Scanned disks, folders and files: C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\geede.dll - Win32/Adware.Virtumonde application
Number of scanned objects: 1
Number of threats found: 1
Time of completion: 7:38:48 PM Total scanning time: 0 sec (00:00:00)

At this point, NOD, AdAware, SBSaD were able to run clean scans after rebooting twice. In fact NOD still does not find anything to this minute. But I am still getting the effects in my browser. I would clear any temp files and cache, history, then re-enable my NIC and open FF again. Nothing seems (as far as I can tell) to happen until I login to google, then FF gets very slow again, and the ads return, and when I run AdAware/SBSaD I get alerts to Virtumonde again.
Repeat.

Stinger found nothing.

Scan initiated on Tue Mar 18 22:34:16 2008

Number of clean files: 386488

So now I would like to post my hijackthis logfile and my startuplist.txt
If this post is answerable by direction to another, please point me in the right direction.
Questions will be answered as promptly as possible.
I am in no way new to computers, just new to mucking through the registry. I take direction well.
And of course very willing to learn what it takes to be able to deal with this now and in the future.


LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:06 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {2188F625-3CF1-4693-9E83-858E83067883} - (no file)
O2 - BHO: (no name) - {2A1DD850-466C-43BA-8FDC-115229197A63} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8C0C9F2A-F26E-4663-BAAB-BDDA07466EA1} - C:\WINDOWS\system32\mlljj.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D63F7945-2CD4-48F9-9EE9-A9CDB2A18E16} - (no file)
O2 - BHO: (no name) - {E9383002-FC55-4330-B9C9-67E03BC5C840} - C:\WINDOWS\system32\jkkklmk.dll
O2 - BHO: {4ed49ee8-83ae-e5d9-9ca4-b7b74580a26f} - {f62a0854-7b7b-4ac9-9d5e-ea388ee94de4} - C:\WINDOWS\system32\jiavefjv.dll
O2 - BHO: (no name) - {FDA3A980-D75D-4FC8-9248-CAA3B7D6D0C8} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AODAssist.exe] C:\Program Files\AMD\AMD OverDrive\AODAssist.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM4f97f443] Rundll32.exe "C:\WINDOWS\system32\fhnbbkcp.dll",s
O4 - HKLM\..\Run: [4ca4c7df] rundll32.exe "C:\WINDOWS\system32\mxvotpin.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA5770] command /c del "C:\WINDOWS\system32\mlljj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC407] cmd /c del "C:\WINDOWS\system32\mlljj.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3126] command /c del "C:\WINDOWS\system32\mlljj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1840] cmd /c del "C:\WINDOWS\system32\mlljj.dll_old"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: jkkklmk - C:\WINDOWS\SYSTEM32\jkkklmk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 10039 bytes

END LOG
my startuplist.txt
LOG:

StartupList report, 3/18/2008, 11:18:15 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\dazed\My Documents\SpyWareFixs\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.20733)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\dazed\My Documents\SpyWareFixs\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\dazed\Start Menu\Programs\Startup]
OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE
CTxfiHlp = CTXFIHLP.EXE
UpdReg = C:\WINDOWS\UpdReg.EXE
DiskeeperSystray = "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
GrooveMonitor = "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
Adobe Photo Downloader = "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
Acrobat Assistant 8.0 = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
(Default) =
Adobe_ID0EYTHM = C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
amd_dc_opt = C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
StartCCC = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
AODAssist.exe = C:\Program Files\AMD\AMD OverDrive\AODAssist.exe
nod32kui = "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
egui = "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
BM4f97f443 = Rundll32.exe "C:\WINDOWS\system32\fhnbbkcp.dll",s
4ca4c7df = rundll32.exe "C:\WINDOWS\system32\mxvotpin.dll",b

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SpybotDeletingA5770 = command /c del "C:\WINDOWS\system32\mlljj.dll_old"
SpybotDeletingC407 = cmd /c del "C:\WINDOWS\system32\mlljj.dll_old"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
DAEMON Tools Pro Agent = "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

SpybotDeletingB3126 = command /c del "C:\WINDOWS\system32\mlljj.dll_old"
SpybotDeletingD1840 = cmd /c del "C:\WINDOWS\system32\mlljj.dll_old"

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AdobeUpdater]
=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll - {074C1DC5-9320-4A9A-947D-C042949C6216}
(no name) - (no file) - {2188F625-3CF1-4693-9E83-858E83067883}
(no name) - (no file) - {2A1DD850-466C-43BA-8FDC-115229197A63}
(no name) - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\WINDOWS\system32\mlljj.dll (file missing) - {8C0C9F2A-F26E-4663-BAAB-BDDA07466EA1}
(no name) - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - (no file) - {D63F7945-2CD4-48F9-9EE9-A9CDB2A18E16}
(no name) - C:\WINDOWS\system32\jkkklmk.dll - {E9383002-FC55-4330-B9C9-67E03BC5C840}
{4ed49ee8-83ae-e5d9-9ca4-b7b74580a26f} - C:\WINDOWS\system32\jiavefjv.dll - {f62a0854-7b7b-4ac9-9d5e-ea388ee94de4}
(no name) - (no file) - {FDA3A980-D75D-4FC8-9248-CAA3B7D6D0C8}

--------------------------------------------------

Enumerating Download Program Files:

[Creative Software AutoUpdate Support Package]
InProcServer32 = C:\PROGRA~1\Creative\SHARED~1\SOFTWA~1\CTPID.ocx
CODEBASE = http://www.creative.com/softwareupdate/su2...15035/CTPID.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\system32\webcheck.dll
WPDShServiceObj: C:\WINDOWS\system32\wpdshserviceobj.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 7,931 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Thanks again for any response.

Edited by dazy, 19 March 2008 - 09:57 AM.




#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 March 2008 - 02:58 PM

Hello dazy,

Welcome to Bleeping Computer :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {2188F625-3CF1-4693-9E83-858E83067883} - (no file)
O2 - BHO: (no name) - {2A1DD850-466C-43BA-8FDC-115229197A63} - (no file)
O2 - BHO: (no name) - {8C0C9F2A-F26E-4663-BAAB-BDDA07466EA1} - C:\WINDOWS\system32\mlljj.dll (file missing)
O2 - BHO: (no name) - {D63F7945-2CD4-48F9-9EE9-A9CDB2A18E16} - (no file)
O2 - BHO: (no name) - {E9383002-FC55-4330-B9C9-67E03BC5C840} - C:\WINDOWS\system32\jkkklmk.dll
O2 - BHO: {4ed49ee8-83ae-e5d9-9ca4-b7b74580a26f} - {f62a0854-7b7b-4ac9-9d5e-ea388ee94de4} - C:\WINDOWS\system32\jiavefjv.dll
O2 - BHO: (no name) - {FDA3A980-D75D-4FC8-9248-CAA3B7D6D0C8} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BM4f97f443] Rundll32.exe "C:\WINDOWS\system32\fhnbbkcp.dll",s
O4 - HKLM\..\Run: [4ca4c7df] rundll32.exe "C:\WINDOWS\system32\mxvotpin.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA5770] command /c del "C:\WINDOWS\system32\mlljj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC407] cmd /c del "C:\WINDOWS\system32\mlljj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3126] command /c del "C:\WINDOWS\system32\mlljj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1840] cmd /c del "C:\WINDOWS\system32\mlljj.dll_old"
O20 - Winlogon Notify: jkkklmk - C:\WINDOWS\SYSTEM32\jkkklmk.dll


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
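The entries the helper ticks above share a few visible traits: BHOs with no vendor name (or a GUID where a name should be) loading a DLL from system32, Run values with hex-like random names that start rundll32 on a system32 DLL, a non-default Winlogon Notify package, and orphaned "(no file)" / "(file missing)" leftovers. The Python script below is an added example, not part of this thread and not HijackThis project code; it turns those traits into a heuristic first pass over HijackThis log lines. The sample lines are copied from the log posted in this thread, the `DEFAULT_WINLOGON_NOTIFY` allowlist is an illustrative set of stock Windows XP subkeys that should be checked against a known-clean reference system, and the reason strings are this example's own wording.

```python
"""Heuristic triage of HijackThis log lines (added example, not from the thread)."""
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# including a few benign entries so the heuristics have something to leave alone.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {2188F625-3CF1-4693-9E83-858E83067883} - (no file)",
    r"O2 - BHO: (no name) - {8C0C9F2A-F26E-4663-BAAB-BDDA07466EA1} - C:\WINDOWS\system32\mlljj.dll (file missing)",
    r"O2 - BHO: (no name) - {E9383002-FC55-4330-B9C9-67E03BC5C840} - C:\WINDOWS\system32\jkkklmk.dll",
    r"O2 - BHO: {4ed49ee8-83ae-e5d9-9ca4-b7b74580a26f} - {f62a0854-7b7b-4ac9-9d5e-ea388ee94de4} - C:\WINDOWS\system32\jiavefjv.dll",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [BM4f97f443] Rundll32.exe "C:\WINDOWS\system32\fhnbbkcp.dll",s',
    r'O4 - HKLM\..\Run: [4ca4c7df] rundll32.exe "C:\WINDOWS\system32\mxvotpin.dll",b',
    r"O20 - Winlogon Notify: jkkklmk - C:\WINDOWS\SYSTEM32\jkkklmk.dll",
    r"O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe",
]

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
SYSTEM32_DLL_RE = re.compile(r"\\system32\\([a-z0-9_]+)\.dll", re.I)
HEX_NAME_RE = re.compile(r"^(BM)?[0-9a-f]{8}$")

# Illustrative allowlist: Winlogon\Notify subkeys found on a stock Windows XP install.
# Verify against a known-clean reference machine before relying on it.
DEFAULT_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def triage_line(line):
    """Return the reasons a HijackThis line deserves a look (empty list = nothing found)."""
    reasons = []
    parts = line.split(" - ")
    kind = parts[0].strip()  # "O2", "O4", "O20", ...

    # Leftover registrations whose file is already gone: harmless, but worth cleaning up.
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphaned entry: referenced file is gone")

    m = SYSTEM32_DLL_RE.search(line)
    sys32_dll = m.group(1).lower() if m else None

    if kind == "O2":
        # "O2 - BHO: <name> - {CLSID} - <path>": a BHO with no name, or a GUID as its
        # name, that lives in system32 is the pattern seen in this thread's log.
        name = parts[1][len("BHO:"):].strip() if len(parts) > 1 and parts[1].startswith("BHO:") else ""
        if sys32_dll and (name == "(no name)" or GUID_RE.match(name)):
            reasons.append("BHO with no vendor name loading a DLL from system32")
    elif kind == "O4":
        # "O4 - HKLM\..\Run: [<value name>] <command>"
        m4 = re.search(r"\[([^\]]+)\]\s+(.*)$", line)
        if m4:
            value_name, command = m4.groups()
            if HEX_NAME_RE.match(value_name):
                reasons.append("Run value with hex-like random name")
            if re.match(r"rundll32(\.exe)?\s", command, re.I) and sys32_dll:
                reasons.append("rundll32 loading a DLL from system32 at logon")
    elif kind == "O20":
        # Winlogon Notify packages are loaded into winlogon.exe; anything outside the
        # stock set should be explained.
        m20 = re.search(r"Winlogon Notify:\s*(\S+)", line)
        if m20 and m20.group(1).lower() not in DEFAULT_WINLOGON_NOTIFY:
            reasons.append("non-default Winlogon Notify package (runs inside winlogon.exe)")
    return reasons


def triage_log(lines):
    """Map each flagged line to its reasons; lines with no findings are omitted."""
    findings = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, the script flags the same O2, O4 and O20 lines the helper lists and leaves the Adobe, Java and ESET entries alone. It is a starting point for triage rather than a verdict: a pattern like this cannot judge an entry such as CTHelper, and a hit only means the file should be looked up and, if unknown, submitted for analysis before anything is removed.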

#3 dazy

dazy
  • Topic Starter

  • Members
  • 4 posts

Posted 19 March 2008 - 11:53 PM

Thanks for the help and welcome. Tea, if this works, I will proclaim you a deity.

Have not opened a browser 'sides this window to check current effectiveness yet.

The required logs:


ComboFix 08-03-18.1 - dazed 2008-03-19 21:39:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2787 [GMT -7:00]
Running from: C:\Documents and Settings\dazed\Desktop\SpyWareFixs\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM4f97f443.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\eexpgrpy.dll
C:\WINDOWS\system32\favuqbuu.ini
C:\WINDOWS\system32\fhnbbkcp.dll
C:\WINDOWS\system32\jiavefjv.dll
C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini2
C:\WINDOWS\system32\jkkklmk.dll
C:\WINDOWS\system32\mxvotpin.dll
C:\WINDOWS\system32\niptovxm.ini
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\ralywebl.dll
C:\WINDOWS\system32\rpfxtkli.dll
C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\uubquvaf.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-18 20:52 . 2008-03-18 20:52 <DIR> d-------- C:\Program Files\InterMute
2008-03-18 20:50 . 2008-03-18 20:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 20:23 . 2008-03-17 20:23 <DIR> d-------- C:\Program Files\Unlocker
2008-03-17 19:27 . 2008-03-17 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-17 13:42 . 2008-03-17 13:42 <DIR> d-------- C:\Program Files\2K Games
2008-03-17 11:10 . 2008-03-17 11:10 <DIR> d-------- C:\Program Files\Briggs Softworks
2008-03-17 10:36 . 2008-03-17 10:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-17 10:36 . 2008-03-17 10:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-16 20:22 . 2008-03-16 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-16 20:04 . 2008-03-17 22:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-16 20:04 . 2008-03-17 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 16:55 . 2008-03-16 16:55 63 --a------ C:\WINDOWS\system32\4ca4d551
2008-03-16 11:13 . 2008-03-16 11:13 <DIR> d-------- C:\Documents and Settings\dazed\Application Data\ExportTool
2008-03-16 10:59 . 2008-03-16 11:25 <DIR> d-------- C:\Program Files\Samurize
2008-03-10 21:10 . 2008-03-10 21:10 <DIR> d-------- C:\Program Files\OpenAL
2008-03-10 21:07 . 2008-03-10 21:07 <DIR> d-------- C:\Program Files\Paradox Interactive
2008-03-10 13:00 . 2008-03-19 21:41 64,900 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000006-00001102-00000005-00311102}.rfx
2008-03-10 13:00 . 2008-03-19 21:41 53,372 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000005-00000000-00000006-00001102-00000005-00311102}.rfx
2008-03-10 13:00 . 2008-03-19 21:41 53,372 --a------ C:\WINDOWS\system32\BMXState-{00000005-00000000-00000006-00001102-00000005-00311102}.rfx
2008-03-10 13:00 . 2008-03-19 21:41 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-03-10 13:00 . 2008-03-19 21:41 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-03-10 12:41 . 2008-03-10 12:41 <DIR> d-------- C:\Documents and Settings\dazed\Content
2008-03-10 12:41 . 2008-03-10 12:41 <DIR> d-------- C:\Documents and Settings\dazed\Builds
2008-03-10 03:21 . 2008-03-10 03:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-09 13:19 . 2008-03-09 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-03-09 13:15 . 2008-03-09 13:17 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-09 13:15 . 2008-02-25 21:05 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-03-09 12:54 . 2008-03-09 12:54 <DIR> d-------- C:\Program Files\VSO
2008-03-09 12:54 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-03-09 12:54 . 2006-09-29 11:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-03-09 12:54 . 2006-09-29 11:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-03-09 12:54 . 2008-03-09 12:54 87,608 --a------ C:\Documents and Settings\dazed\Application Data\inst.exe
2008-03-09 10:42 . 2008-03-09 10:42 <DIR> d-------- C:\Program Files\uTorrent
2008-03-09 10:42 . 2008-03-17 16:36 <DIR> d-------- C:\Documents and Settings\dazed\Application Data\uTorrent
2008-03-08 20:20 . 2006-11-01 15:42 33,280 --a------ C:\WINDOWS\system32\drivers\AmdLLD.sys
2008-03-08 09:33 . 2008-03-08 09:33 <DIR> dr-h----- C:\Documents and Settings\dazed\Application Data\SecuROM
2008-03-08 09:33 . 2008-03-17 17:30 <DIR> d-------- C:\Documents and Settings\dazed\Application Data\Bioshock
2008-03-07 21:49 . 2008-03-07 21:50 <DIR> d-------- C:\Program Files\The FilmMachine
2008-03-07 21:49 . 2008-03-07 21:50 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-03-07 21:49 . 2003-06-19 15:46 491,520 --a------ C:\WINDOWS\system32\lkVCDimager.dll
2008-03-07 21:47 . 2008-03-10 03:58 <DIR> d-------- C:\Documents and Settings\dazed\Application Data\Vso
2008-03-07 21:47 . 2008-03-09 12:54 87,608 --a------ C:\Documents and Settings\dazed\Application Data\ezpinst.exe
2008-03-07 21:47 . 2008-03-09 12:54 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-07 21:47 . 2008-03-09 12:54 47,360 --a------ C:\Documents and Settings\dazed\Application Data\pcouffin.sys
2008-03-07 21:39 . 2008-03-07 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-03-03 22:43 . 2008-03-03 22:43 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-03 22:43 . 2008-03-03 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-03 22:43 . 2008-03-03 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-03 12:03 . 2008-03-03 12:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-03 12:03 . 2006-10-30 05:13 2,182,016 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-03-03 12:03 . 2006-10-30 05:11 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-03-03 12:03 . 2006-10-30 04:27 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-03-03 11:55 . 2008-03-03 13:45 <DIR> d-------- C:\Program Files\THQ
2008-03-02 21:56 . 2007-09-07 15:55 12,744 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2008-03-02 21:56 . 2007-09-07 15:55 6,173 --a------ C:\WINDOWS\system32\drivers\Entech.vxd
2008-03-02 21:06 . 2008-03-02 21:56 <DIR> d-------- C:\Program Files\Futuremark
2008-03-02 21:06 . 2001-11-19 21:05 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2008-03-02 20:50 . 2008-03-02 20:50 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-03-02 20:50 . 2008-03-02 20:50 <DIR> d-------- C:\Program Files\Common Files\Futuremark Shared
2008-03-02 20:50 . 2007-08-20 11:05 27,672 -ra------ C:\WINDOWS\system32\drivers\Entech.sys
2008-03-02 20:48 . 2008-03-02 20:48 <DIR> d-------- C:\WINDOWS\Sun
2008-03-02 20:48 . 2008-03-02 20:48 <DIR> d-------- C:\Program Files\Java
2008-03-02 20:48 . 2007-09-25 00:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 20:47 . 2008-03-02 20:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 17:50 . 2008-03-02 17:50 319 --a------ C:\WINDOWS\game.ini
2008-03-02 17:47 . 2008-03-02 17:47 <DIR> d-------- C:\Program Files\Activision
2008-03-02 17:45 . 2008-03-02 17:45 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-03-02 17:15 . 2008-03-10 12:51 152 --a------ C:\WINDOWS\CoolPlay.ini
2008-03-02 15:30 . 2008-03-02 15:30 <DIR> d-------- C:\Program Files\Trendnet
2008-03-02 14:18 . 2008-03-02 14:18 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-03-02 13:15 . 2007-10-12 16:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-03-02 13:15 . 2007-10-02 10:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-03-02 10:42 . 2008-03-02 10:42 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-03-02 10:42 . 2008-03-16 20:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 10:42 . 2008-03-03 12:04 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-03-02 10:35 . 2008-03-08 22:12 <DIR> d-------- C:\Program Files\UBISOFT
2008-03-02 09:32 . 2007-03-12 17:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-03-02 09:32 . 2007-03-15 17:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-03-02 09:30 . 2008-03-03 22:10 <DIR> d-------- C:\Program Files\Sierra Entertainment
2008-03-02 09:29 . 2008-03-02 09:29 <DIR> d-------- C:\Documents and Settings\dazed\Application Data\InstallShield
2008-03-02 09:16 . 2008-03-02 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-02 08:42 . 2008-03-02 08:42 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-03-02 08:40 . 2008-03-02 08:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-03-02 08:38 . 2008-03-02 08:38 <DIR> d-------- C:\Program Files\DAMN NFO Viewer
2008-03-02 08:31 . 2008-03-03 22:43 <DIR> d-------- C:\Program Files\QuickTime
2008-03-02 08:17 . 2007-02-20 17:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-03-02 08:17 . 2007-02-20 17:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-03-02 08:13 . 2008-03-02 08:13 <DIR> d-------- C:\Program Files\Bonjour
2008-03-02 08:10 . 2008-03-02 08:10 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-02 08:08 . 2008-03-02 08:43 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-02 00:16 . 2007-12-04 03:08 118,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-03-02 00:11 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-03-02 00:10 . 2008-03-02 00:10 <DIR> d-------- C:\Program Files\MSBuild
2008-03-02 00:10 . 2008-03-02 00:10 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-02 00:09 . 2008-03-02 00:09 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-02 00:08 . 2008-03-02 00:08 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-03-02 00:07 . 2008-03-02 00:09 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-02 00:07 . 2008-03-02 00:07 <DIR> dr-h----- C:\MSOCache
2008-03-02 00:07 . 2008-03-02 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-01 23:41 . 2007-07-19 19:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 02:27 --------- d-----w C:\Program Files\ESET
2008-03-17 20:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-17 03:22 --------- d-----w C:\Program Files\Lavasoft
2008-03-11 04:10 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-11 04:10 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-04 04:47 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-03-02 14:43 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-02 14:34 --------- d-----w C:\Documents and Settings\dazed\Application Data\TMP
2008-03-02 14:19 --------- d-----w C:\Program Files\DIFX
2008-03-02 14:06 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-02 14:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-02 05:44 --------- d-----w C:\Documents and Settings\dazed\Application Data\Media Player Classic
2008-03-02 05:40 --------- d-----w C:\Documents and Settings\dazed\Application Data\DAEMON Tools Pro
2008-03-02 05:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-03-02 05:37 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-02 05:30 --------- d-----w C:\Documents and Settings\dazed\Application Data\Lavasoft
2008-03-02 05:27 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-03-02 05:27 --------- d-----w C:\Program Files\Alcohol Soft
2008-03-02 05:26 --------- d-----w C:\Program Files\Winamp
2008-03-02 05:26 --------- d-----w C:\Program Files\SlySoft
2008-03-02 05:26 --------- d-----w C:\Program Files\Lavasoft RegHance
2008-03-02 05:26 --------- d-----w C:\Program Files\Elaborate Bytes
2008-03-02 05:24 --------- d---a-w C:\Program Files\(cpuz)
2008-03-02 05:24 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-03-02 03:22 --------- d-----w C:\Program Files\ASUS
2008-02-26 05:51 2,863,616 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-02-25 06:03 99,840 ----a-w C:\WINDOWS\system32\wmpshell.dll
2008-02-25 06:03 8,231,936 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-02-25 06:03 603,648 ----a-w C:\WINDOWS\system32\wmspdmod.dll
2008-02-25 06:03 4,096 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
2008-02-25 06:03 4,096 ----a-w C:\WINDOWS\system32\wmvdmod.dll
2008-02-25 06:03 4,096 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
2008-02-25 06:03 4,096 ----a-w C:\WINDOWS\system32\wmsdmod.dll
2008-02-25 06:03 1,329,152 ----a-w C:\WINDOWS\system32\wmspdmoe.dll
2008-01-17 17:59 713,216 ----a-w C:\WINDOWS\system32\sxs.dll
2007-12-31 11:56 297,984 ----a-w C:\WINDOWS\system32\MSCTF.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C0C9F2A-F26E-4663-BAAB-BDDA07466EA1}]
C:\WINDOWS\system32\mlljj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 06:08 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 13:38 163840]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-12-04 03:07 61440]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-29 23:14 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 17:49 77824]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"AODAssist.exe"="C:\Program Files\AMD\AMD OverDrive\AODAssist.exe" [2007-12-19 17:59 53248]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [ ]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]

C:\Documents and Settings\dazed\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkklmk]
jkkklmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\THQ\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Sierra Entertainment\\FEAR Perseus Mandate\\FEARXP2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
S0 mv61xx;mv61xx;C:\WINDOWS\system32\drivers\mv61xx.sys []
S3 AR2425;AzureWave AR5006 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\aw5006.sys [2006-12-18 12:30]
S3 ASUDriver;ASUDriver;C:\Program Files\AMD\AMD OverDrive\i386\AODDriver.sys [2007-12-19 16:55]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 21:43:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-03-19 21:43:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 04:43:56


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:00 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8C0C9F2A-F26E-4663-BAAB-BDDA07466EA1} - C:\WINDOWS\system32\mlljj.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AODAssist.exe] C:\Program Files\AMD\AMD OverDrive\AODAssist.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: jkkklmk - jkkklmk.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 8651 bytes


Thanks again!

(Not that it's my place to have an opinion, but I seem to notice differences in the logs. Some things that were there in the first log that you had me run the "fix" on are gone, and others that you suggested I look for that were not there before have appeared. Interesting.)

Edited by dazy, 20 March 2008 - 01:28 AM.


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:31 PM

Posted 21 March 2008 - 12:07 PM

Hello dazy,

You're most welcome. :thumbsup: That looks TONS better....how is it running after a couple of days now? Just a couple of leftovers showing in HijackThis:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {8C0C9F2A-F26E-4663-BAAB-BDDA07466EA1} - C:\WINDOWS\system32\mlljj.dll (file missing)
O20 - Winlogon Notify: jkkklmk - jkkklmk.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Let me know so we can add some speed and finish up. :blink:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
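Added example (my own code, not from the thread and not part of HijackThis or ComboFix) showing how the two leftovers teacup61 lists can be picked out of a HijackThis log mechanically. It parses entries in the v2.0.2 format, flags "(file missing)" load points, BHOs registered with no name, and O20 Winlogon Notify hooks, and applies a heuristic of my own (an assumption, not a HijackThis rule) for the random five-to-eight-letter DLL names in system32 that the Virtumonde droppers in this thread used. The sample log lines are constructed from entries posted above, with a shortened "End of file" line.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis v2.0.2 log format, modelled on the entries
# posted in this thread: two Vundo leftovers among benign Adobe/ESET lines.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8C0C9F2A-F26E-4663-BAAB-BDDA07466EA1} - C:\WINDOWS\system32\mlljj.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O20 - Winlogon Notify: jkkklmk - jkkklmk.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
End of file - 123 bytes
"""

# A HijackThis entry: section code (O2, O20, R1, ...), " - ", then the body.
HJT_ENTRY = re.compile(r"^([ORFN]\d+) - (.*)$")

# Heuristic (my assumption, not a HijackThis rule): a DLL under system32 whose
# file name is nothing but five to eight lowercase letters, the pattern of the
# Virtumonde DLLs in this thread (mlljj.dll, jkkklmk.dll, geede.dll).
RANDOM_SYS32_DLL = re.compile(r"\\[Ss]ystem32\\([a-z]{5,8})\.dll\b")


@dataclass
class Finding:
    section: str                 # HijackThis section code, e.g. "O20"
    entry: str                   # the full log line, as the user would tick it
    reasons: List[str] = field(default_factory=list)


def analyse_hjt_log(text: str) -> List[Finding]:
    """Return one Finding per log entry that deserves a second look."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # header, blank line, "End of file", etc.
        section, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            reasons.append("orphaned load point: referenced file no longer on disk")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("Browser Helper Object registered without a name")
        if section == "O20":
            reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon")
        if RANDOM_SYS32_DLL.search(body):
            reasons.append("random-looking all-lowercase DLL name in system32 (heuristic)")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """The entries a helper would ask the user to tick before 'Fix checked'."""
    return [f.entry for f in findings]


if __name__ == "__main__":
    for f in analyse_hjt_log(SAMPLE_LOG):
        print(f"{f.section} | {f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the two flagged lines are exactly the O2 and O20 entries teacup61 asks to fix; the benign Adobe, ESET and O4 lines pass through untouched. "(file missing)" means the registry still points at a DLL that has already been deleted, so ticking the entry only removes the dangling reference.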

#5 dazy

dazy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 21 March 2008 - 03:20 PM

Seems we have alternating schedules, at work at the moment. :-)
To be honest, I have several 'puters running, and out of fear that something was going to re-download and install itself again from leftover reg entries before I had it totally clean, I have not even browsed on that 'puter since we started. Taking all instruction very literally. (Exception: I have one window open, to this page, and that's as far as I have gone.) Thank God I have multi boxes, or I would be paralyzed.
If you think it's safe to give it a test, and will not set me (us) backwards, I will give browsing a try when I get home. Regardless, I will do these fixes, post new logs, verify we are squeaky clean.
Thanks again, Tea.
Yoo pwn and rulez teh intarnetz!!!111!! (kidding) ;-)

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:31 PM

Posted 21 March 2008 - 04:51 PM

Supz??? :blink:

Give it a go....you should be all right after the fixes. If you want to go a step further right now, put a firewall on that puppy too. I use Comodo, but there are several you can try if you don't like it. http://comodo.com

Be sure and post the logs when you get done. :thumbsup:

Thanks,
tea

#7 dazy

dazy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 21 March 2008 - 10:19 PM

Holy crap. You did it. Un-fu*kin-believable.
Clean as far as I can see. None of those ads, and browser is responsive again. Amazing.
I should never have doubted you, Tea. Let me run a log here for confirmation...BRB.

***time elapses***
OK, looks clean, after several FF restarts. Here's the log.
(more @ the bottom...)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:35 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AODAssist.exe] C:\Program Files\AMD\AMD OverDrive\AODAssist.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 8382 bytes
From what *I* can see of the log (being a complete newbie at this), it seems to have no entries I would see as suspicious; everything would seem to be (that's the catch, right?) something I would say was relevant to my current software and related services. And, no symptoms. No ads. Browser is responsive, not sluggish.
Let me know if there is anything more I should do on this front.

As for the firewall, I have used many (was a Sygate fan for years), and run a hardware one from my router, and have just neglected the idea as of late. The UAC-like behavior (of the really uptight ones like Tiny) started to turn me off, so I have just been avoiding the idea. But perhaps it is something I should consider again. Maybe I have learned a lesson.
I am DLing the Comodo one right now, will give it a try. Thanks for the suggestion.

As for what you have done for me, the process, the why and how, I was wondering if you could point me in the direction of some good reading? What these tools actually do, and why they are necessary? How to read, what to look for in the logs? I am not saying I would expect to reach your heights of understanding anytime soon, but the whole process was interesting, I found. Just a coupla links will do. I would love to be able to take care of "minor things" myself, and only have to return here if it's "new and exciting". And beyond me, like this was.

So, is there more? What's next? I don't want to take up more than my allotted time, I can see there are LOTS of people on this and other boards with similar probs...

Edited by dazy, 21 March 2008 - 10:45 PM.


#8 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 March 2008 - 12:25 AM

Hey dazy,

Your allotted time? Your allotted time is as much time as it takes to make sure your system is as safe as we can make it. :wacko: Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Your log is indeed clean! How about a little extra speed at startup now :

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot a time or two and see if it's a bit faster. :blink:

Good that you have a hardware firewall. :thumbsup: Let me know how you like Comodo.

Check out the rest of the Bleeping Computer site. There are some awesome tutorials on removal and tools. For a deeper understanding of what I and the others do, and if you have the time to learn it, you might consider joining the classes here. It doesn't cost money, but it does require a lot of time, reading and research to graduate.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
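An added illustration, not from the thread or from HijackThis itself: a small Python triage script that parses O4 (Run key) and O23 (Service) lines in the log format shown above and lists the entries a reviewer would look at first. The sample lines are constructed (four modelled on this thread, two hypothetical suspicious ones), and a flag is a prompt to verify the file, not a verdict: the thread's own "ATI Smart" service is legitimate despite its "Unknown owner".

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis log format: four entries modelled on the
# ones in this thread plus two hypothetical suspicious ones for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Updater (updsvc) - Unknown owner - C:\WINDOWS\Temp\upd.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Process names that legitimately live only in the Windows system directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def exe_path(cmd):
    """Pull the executable out of an O4 command line (quoted or bare)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse(log_text):
    """Yield (kind, name, path, owner) for every O4/O23 line; skip the rest."""
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            yield "O4", m["name"], exe_path(m["cmd"]), None
        elif m := O23_RE.match(line):
            yield "O23", m["name"], m["path"], m["owner"]

def triage(log_text):
    """Return [(name, reason)] for entries a reviewer should verify first."""
    findings = []
    for kind, name, path, owner in parse(log_text):
        p = PureWindowsPath(path)
        parts = [s.lower() for s in p.parts]
        base = p.name.lower()
        if "temp" in parts:
            findings.append((name, "runs from a Temp directory"))
        if base in SYSTEM_NAMES and "system32" not in parts:
            findings.append((name, f"{base} outside system32"))
        if kind == "O23" and owner == "Unknown owner":
            findings.append((name, "service owner unknown; verify the binary"))
    return findings

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name}: {reason}")
```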

#9 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 March 2008 - 03:38 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



