Ie Popups Occur When In Firefox


  • This topic is locked
6 replies to this topic

#1 weargle

weargle

  • Members
  • 4 posts

Posted 10 April 2008 - 02:13 PM

Thank you for taking the time to look at this.

I updated AVG, scanned and found nothing. I also updated Ad-Aware 2007, ran a deep scan and found nothing. I am running Firefox 2.0.0.13 and have popups disabled. About every five minutes, a different Internet Explorer 7 popup occurs from random PC security sites, gamezhero.com and so forth. I removed a sketchy unnamed program from startup in msconfig and also Trend so that there is no competition with AVG.

After searching the internet for possible solutions, I found Hijack This and ran a scan as well as Deckard's scan. I have noted them below. Thanks again for any assistance.


Deckard's System Scanner v20071014.68
Run by Townsend on 2008-04-10 15:03:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
94: 2008-04-10 19:03:31 UTC - RP795 - Deckard's System Scanner Restore Point
93: 2008-04-10 13:30:08 UTC - RP794 - Software Distribution Service 3.0
92: 2008-04-10 08:56:10 UTC - RP793 - System Checkpoint
91: 2008-04-09 07:56:29 UTC - RP792 - System Checkpoint
90: 2008-04-08 06:56:14 UTC - RP791 - System Checkpoint


-- First Restore Point --
1: 2008-01-12 07:31:43 UTC - RP702 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Townsend.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:26 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\cygwin\bin\cygrunsrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\cygwin\usr\sbin\sshd.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\TEMP\QC9BD3.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Documents and Settings\Townsend\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Townsend.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {035B91BC-41D5-49BE-8B71-9E90F8F818AD} - C:\WINDOWS\system32\gebyy.dll (file missing)
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\fccyxyv.dll (file missing)
O2 - BHO: (no name) - {4CB920D0-6EEA-482B-818F-29D4C95A78D8} - C:\WINDOWS\system32\sstqp.dll
O2 - BHO: {7b0ccc1a-e938-15a9-0f14-9f1a9ff696f4} - {4f696ff9-a1f9-41f0-9a51-839ea1ccc0b7} - C:\WINDOWS\system32\nyxmeowm.dll (file missing)
O2 - BHO: (no name) - {7c542914-2a6e-4bd3-a000-1040e68f2026} - C:\WINDOWS\system32\ccpjnyu.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://trudy/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093306315152
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185897766484
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chimerix-inc.com
O17 - HKLM\Software\..\Telephony: DomainName = chimerix-inc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chimerix-inc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chimerix-inc.com
O20 - Winlogon Notify: fccyxyv - fccyxyv.dll (file missing)
O20 - Winlogon Notify: wvuuuvt - wvuuuvt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8847 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 core - c:\windows\system32\drivers\core.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 TM_CFW (Common Firewall Driver) - c:\program files\trend micro\officescan client\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Common Firewall Module 1.2>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 Ser2pl (ATEN USB to Serial port driver) - c:\windows\system32\drivers\ser2pl.sys <Not Verified; Prolific Technology Inc.; Prolific USB-to-Serial Bridge Cable>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Canon NetSpot Suite Service - c:\program files\canon\vdc\auvdc.exe <Not Verified; CANON INC.; NetSpot Suite>
R2 ntrtscan (Trend Micro Client/Server Security Agent RealTime Scan) - c:\program files\trend micro\officescan client\ntrtscan.exe <Not Verified; Trend Micro Inc.; Trend Micro Client/Server/Messaging Security for SMB>
R2 OfcPfwSvc (Trend Micro Client/Server Security Agent Personal Firewall) - c:\program files\trend micro\officescan client\ofcpfwsvc.exe <Not Verified; Trend Micro Inc.; Trend Micro Client/Server/Messaging Security for SMB>
R2 sshd (CYGWIN sshd) - c:\cygwin\bin\cygrunsrv.exe
R2 tmlisten (Trend Micro Client/Server Security Agent Listener) - c:\program files\trend micro\officescan client\tmlisten.exe <Not Verified; Trend Micro Inc.; Trend Micro Client/Server/Messaging Security for SMB>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 14:45:51 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2004-05-16 02:45:00 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-03-10 and 2008-04-10 -----------------------------

2008-04-07 10:06:29 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-05 06:04:09 87104 --a------ C:\WINDOWS\system32\ttmpulgx.dll
2008-04-03 06:03:13 88640 --a------ C:\WINDOWS\system32\vnokhfgc.dll
2008-04-02 06:01:48 88128 --a------ C:\WINDOWS\system32\wabnckse.dll
2008-04-02 06:00:47 268363 --ahs---- C:\WINDOWS\system32\yybeg.ini2
2008-04-02 05:00:37 268288 --a------ C:\WINDOWS\system32\ssqpo.dll
2008-04-02 04:00:36 268288 --a------ C:\WINDOWS\system32\pmnnm.dll
2008-04-02 03:00:35 268288 --a------ C:\WINDOWS\system32\jkkli.dll
2008-04-02 02:00:34 268288 --a------ C:\WINDOWS\system32\mlljk.dll
2008-04-02 01:00:32 268288 --a------ C:\WINDOWS\system32\sstqp.dll
2008-04-01 23:00:32 268288 --a------ C:\WINDOWS\system32\pmnlm.dll
2008-04-01 22:00:29 268288 --a------ C:\WINDOWS\system32\jkkji.dll
2008-04-01 21:00:29 268288 --a------ C:\WINDOWS\system32\ddayv.dll
2008-04-01 20:00:34 268288 --a------ C:\WINDOWS\system32\ddaby.dll
2008-04-01 19:00:26 268288 --a------ C:\WINDOWS\system32\vtsqp.dll
2008-04-01 18:00:25 268288 --a------ C:\WINDOWS\system32\pmnnk.dll
2008-04-01 17:00:24 268288 --a------ C:\WINDOWS\system32\mllmn.dll
2008-04-01 16:00:24 268288 --a------ C:\WINDOWS\system32\pmnll.dll
2008-04-01 15:00:23 268288 --a------ C:\WINDOWS\system32\mljgf.dll
2008-04-01 14:00:22 268288 --a------ C:\WINDOWS\system32\vturp.dll
2008-04-01 13:00:23 268288 --a------ C:\WINDOWS\system32\awvtq.dll
2008-04-01 12:27:00 0 dr-h----- C:\Documents and Settings\Townsend\Recent
2008-04-01 12:00:19 268288 --a------ C:\WINDOWS\system32\jkhfg.dll
2008-04-01 11:00:22 268288 --a------ C:\WINDOWS\system32\geedd.dll
2008-04-01 10:00:19 268288 --a------ C:\WINDOWS\system32\awtsr.dll
2008-04-01 09:00:16 268288 --a------ C:\WINDOWS\system32\vturs.dll
2008-04-01 08:00:16 268288 --a------ C:\WINDOWS\system32\vtsqr.dll
2008-04-01 07:00:23 268288 --a------ C:\WINDOWS\system32\vtstq.dll
2008-03-31 18:42:54 268288 --a------ C:\WINDOWS\system32\awvts.dll
2008-03-31 17:42:52 268288 --a------ C:\WINDOWS\system32\awtqn.dll
2008-03-31 16:42:52 268288 --a------ C:\WINDOWS\system32\jkhfc.dll
2008-03-31 15:42:51 268288 --a------ C:\WINDOWS\system32\sstqq.dll
2008-03-31 14:42:50 268288 --a------ C:\WINDOWS\system32\vturr.dll
2008-03-31 13:42:48 268288 --a------ C:\WINDOWS\system32\awvtr.dll
2008-03-31 12:42:49 268288 --a------ C:\WINDOWS\system32\ssttr.dll


-- Find3M Report ---------------------------------------------------------------

2008-04-10 14:55:41 0 d-------- C:\Program Files\Trend Micro
2008-04-07 10:06:29 0 d-------- C:\Program Files\Common Files
2008-04-07 10:06:12 0 d-------- C:\Program Files\Common Files\Real
2008-04-04 12:43:22 0 d-------- C:\Documents and Settings\Townsend\Application Data\AdobeUM
2008-03-25 12:50:15 0 d-------- C:\Documents and Settings\Townsend\Application Data\Real
2008-03-24 09:16:40 0 d-------- C:\Documents and Settings\Townsend\Application Data\Adobe
2008-02-20 10:29:28 0 d-------- C:\Program Files\Lavasoft
2008-02-20 10:28:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 15:53:16 0 d-------- C:\Documents and Settings\Townsend\Application Data\U3
2008-02-12 07:56:13 0 d-------- C:\Documents and Settings\Townsend\Application Data\AVG7


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{035B91BC-41D5-49BE-8B71-9E90F8F818AD}]
C:\WINDOWS\system32\gebyy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{232D2677-68EE-4FA1-B988-279EBC8969ED}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}]
C:\WINDOWS\system32\fccyxyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB920D0-6EEA-482B-818F-29D4C95A78D8}]
04/02/2008 01:00 AM 268288 --a------ C:\WINDOWS\system32\sstqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f696ff9-a1f9-41f0-9a51-839ea1ccc0b7}]
C:\WINDOWS\system32\nyxmeowm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c542914-2a6e-4bd3-a000-1040e68f2026}]
C:\WINDOWS\system32\ccpjnyu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/23/2005 01:36 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 01:31 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 02:04 AM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [05/27/2004 11:05 PM]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/04/2004 03:56 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/21/2007 10:23 AM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [09/06/2007 03:53 PM]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [11/10/2006 01:17 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 01:39 PM]

C:\Documents and Settings\Townsend\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 2:36:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 2:36:04 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [5/11/2004 2:37:30 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}"= C:\WINDOWS\system32\fccyxyv.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyxyv]
fccyxyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuuuvt]
wvuuuvt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
"C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r




-- End of Deckard's System Scanner: finished at 2008-04-10 15:06:10 ------------
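As an added triage example (not part of the thread and not code from HijackThis, Deckard's System Scanner or ComboFix), the Python below parses lines copied from the log above and flags the three things a responder would circle first: BHO and Winlogon Notify entries whose DLLs are missing or nameless, the run of identically sized DLLs dropped into system32 at hourly intervals, and the extra entry in the LSA Authentication Packages list. Function names and the grouping threshold are my own choices.

```python
"""Triage of the HijackThis and Deckard's System Scanner output posted above.
Added example: not part of the thread and not code from either tool; the
sample lines are copied from the first post, the function names are mine."""
import re
from collections import defaultdict
from datetime import datetime

# HijackThis O2 (Browser Helper Object) and O20 (Winlogon Notify) entries.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# Deckard "Files created" entries: date time size attributes path.
DSS_FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attr>\S+) (?P<path>.+)$")
# Deckard registry-dump line carrying the LSA authentication package list.
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')


def triage_hjt(lines):
    """Return (line, reason) pairs for O2/O20 entries worth a second look."""
    findings = []
    for line in (l.strip() for l in lines):
        m = O2_RE.match(line)
        if m:
            target = m.group("target")
            if "(file missing)" in target or target == "(no file)":
                findings.append((line, "BHO registered but its DLL is absent (orphaned hook)"))
            elif m.group("name") == "(no name)":
                findings.append((line, "nameless BHO loading from system32: review the DLL"))
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon; HijackThis
            # lists only non-default packages, so every O20 line deserves a look.
            missing = "(file missing)" in m.group("target")
            findings.append((line, "Winlogon Notify package" + (" whose DLL is missing" if missing else "")))
    return findings


def dll_bursts(lines, min_count=5):
    """Group DLLs from the 'files created' section by (directory, size) and report
    groups created at near-regular intervals: the dropper cadence in the log above."""
    groups = defaultdict(list)
    for line in lines:
        m = DSS_FILE_RE.match(line.strip())
        if not m or not m.group("path").lower().endswith(".dll"):
            continue
        path = m.group("path")
        directory = path.rsplit("\\", 1)[0].lower()
        created = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        groups[(directory, int(m.group("size")))].append((created, path))
    bursts = []
    for (directory, size), entries in groups.items():
        if len(entries) < min_count:
            continue
        entries.sort()  # oldest first, so gaps are between consecutive drops
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(entries, entries[1:])]
        bursts.append({
            "directory": directory, "size": size, "count": len(entries),
            "median_gap_minutes": round(sorted(gaps)[len(gaps) // 2] / 60),
            "files": [p for _, p in entries],
        })
    return bursts


def lsa_extra_packages(lines):
    """Anything besides msv1_0 in LSA 'Authentication Packages' is loaded into
    lsass.exe at boot; on a stock XP box the list should hold msv1_0 alone."""
    extras = []
    for line in lines:
        m = LSA_RE.match(line.strip())
        if m:
            extras.extend(p for p in m.group("pkgs").split() if p.lower() != "msv1_0")
    return extras


# Sample input copied from the log in the first post.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {035B91BC-41D5-49BE-8B71-9E90F8F818AD} - C:\WINDOWS\system32\gebyy.dll (file missing)
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4CB920D0-6EEA-482B-818F-29D4C95A78D8} - C:\WINDOWS\system32\sstqp.dll
O2 - BHO: {7b0ccc1a-e938-15a9-0f14-9f1a9ff696f4} - {4f696ff9-a1f9-41f0-9a51-839ea1ccc0b7} - C:\WINDOWS\system32\nyxmeowm.dll (file missing)
O20 - Winlogon Notify: fccyxyv - fccyxyv.dll (file missing)
O20 - Winlogon Notify: wvuuuvt - wvuuuvt.dll (file missing)
""".strip().splitlines()

DSS_SAMPLE = r"""
2008-04-05 06:04:09 87104 --a------ C:\WINDOWS\system32\ttmpulgx.dll
2008-04-02 05:00:37 268288 --a------ C:\WINDOWS\system32\ssqpo.dll
2008-04-02 04:00:36 268288 --a------ C:\WINDOWS\system32\pmnnm.dll
2008-04-02 03:00:35 268288 --a------ C:\WINDOWS\system32\jkkli.dll
2008-04-02 02:00:34 268288 --a------ C:\WINDOWS\system32\mlljk.dll
2008-04-02 01:00:32 268288 --a------ C:\WINDOWS\system32\sstqp.dll
2008-04-01 12:27:00 0 dr-h----- C:\Documents and Settings\Townsend\Recent
""".strip().splitlines()

REG_SAMPLE = [r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyy']

if __name__ == "__main__":
    for line, reason in triage_hjt(HJT_SAMPLE):
        print(reason, "->", line)
    print(dll_bursts(DSS_SAMPLE), lsa_extra_packages(REG_SAMPLE))
```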


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 11 April 2008 - 11:31 PM

Hello weargle,

Welcome to Bleeping Computer :thumbsup:

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :blink: After ComboFix has completed you can reenable them all, then come back online to post the reports. Thanks!

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 weargle

weargle
  • Topic Starter

  • Members
  • 4 posts

Posted 15 April 2008 - 09:18 AM

Thanks for the response, I will give that a shot and post the new Hijack This! log!

Wes

#4 weargle

weargle
  • Topic Starter

  • Members
  • 4 posts

Posted 17 April 2008 - 02:38 PM

ComboFix 08-04-16.5 - Townsend 2008-04-17 14:56:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2936 [GMT -4:00]
Running from: C:\Documents and Settings\Townsend\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Temporary
C:\Program Files\WinAble
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\temp\tn3
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\SYSTEM32\pqtss.bak1
C:\WINDOWS\SYSTEM32\pqtss.bak2
C:\WINDOWS\SYSTEM32\pqtss.ini
C:\WINDOWS\SYSTEM32\qtstv.bak1
C:\WINDOWS\SYSTEM32\qtstv.ini
C:\WINDOWS\SYSTEM32\srutv.bak1
C:\WINDOWS\SYSTEM32\srutv.ini
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\tmgpcvui.dll
C:\WINDOWS\system32\ttmpulgx.dll
C:\WINDOWS\system32\vnokhfgc.dll
C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\vtsqr.dll
C:\WINDOWS\system32\vtstq.dll
C:\WINDOWS\system32\vturp.dll
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\wabnckse.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\SYSTEM32\yybeg.ini
C:\WINDOWS\SYSTEM32\yybeg.ini2
C:\WINDOWS\system32\zxdnt3d.cfg
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Service_core


((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-17 14:23 . 2008-04-17 14:23 <DIR> d-------- C:\Program Files\CCleaner
2008-04-10 15:03 . 2008-04-10 15:03 <DIR> d-------- C:\Deckard
2008-04-07 10:06 . 2008-04-07 10:06 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-26 10:42 . 2008-04-10 15:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-26 10:42 . 2008-03-26 10:42 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 13:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-10 18:55 --------- d-----w C:\Program Files\Trend Micro
2008-04-07 14:06 --------- d-----w C:\Program Files\Common Files\Real
2008-04-04 16:43 --------- d-----w C:\Documents and Settings\Townsend\Application Data\AdobeUM
2008-03-08 14:21 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-02-20 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-20 14:29 --------- d-----w C:\Program Files\Lavasoft
2008-02-20 14:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-29 06:31 409,519 --sha-w C:\WINDOWS\SYSTEM32\egjlm.bak1
2007-10-28 18:31 6,551 --sha-w C:\WINDOWS\SYSTEM32\egjlm.bak2
2007-10-31 14:11 6,505 --sha-w C:\WINDOWS\SYSTEM32\ghhkj.bak1
2007-10-29 20:35 6,465 --sha-w C:\WINDOWS\SYSTEM32\hhhkj.bak1
2007-10-26 15:03 6,465 --sha-w C:\WINDOWS\SYSTEM32\hjjlm.bak1
2007-10-30 15:20 6,465 --sha-w C:\WINDOWS\SYSTEM32\hjkmp.bak1
2007-10-29 13:51 6,465 --sha-w C:\WINDOWS\SYSTEM32\ijkmp.bak1
2007-10-31 15:17 6,465 --sha-w C:\WINDOWS\SYSTEM32\kjjlm.bak1
2007-10-30 17:43 6,465 --sha-w C:\WINDOWS\SYSTEM32\kjkmp.bak1
2007-10-24 16:00 6,465 --sha-w C:\WINDOWS\SYSTEM32\qtutv.bak1
2007-10-24 14:34 416,821 --sha-w C:\WINDOWS\SYSTEM32\rqtwa.bak1
2007-10-23 14:34 381,227 --sha-w C:\WINDOWS\SYSTEM32\rqtwa.bak2
2007-10-30 10:19 410,103 --sha-w C:\WINDOWS\SYSTEM32\sttss.bak1
2007-10-29 19:12 6,465 --sha-w C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-10-31 20:41 6,465 --sha-w C:\WINDOWS\SYSTEM32\ttvwa.bak1
2007-10-30 16:03 6,465 --sha-w C:\WINDOWS\SYSTEM32\tvvwa.bak1
2007-10-25 13:56 6,465 --sha-w C:\WINDOWS\SYSTEM32\vybeg.bak1
2007-10-31 12:01 6,551 --sha-w C:\WINDOWS\SYSTEM32\vybeg.bak2
2007-11-01 14:51 6,465 --sha-w C:\WINDOWS\SYSTEM32\vycdd.bak1
2007-10-31 13:11 6,465 --sha-w C:\WINDOWS\SYSTEM32\wybeg.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 13:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 13:31 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 23:05 323584]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 03:56 143360]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 09:21 579584]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 15:53 169264]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-11-10 01:17 381005]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-11 02:39 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-13 10:52 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-05-11 02:37:30 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyxyv]
fccyxyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuuuvt]
wvuuuvt.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--a------ 2006-11-10 01:17 381005 C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 20:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-05-11 02:39 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-07 10:05 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 05:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Canon NetSpot Suite Service;Canon NetSpot Suite Service;C:\Program Files\Canon\VDC\AuVdc.exe [2003-04-17 06:18]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 13:24]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 sshd;CYGWIN sshd;C:\cygwin\bin\cygrunsrv.exe [2006-06-19 05:43]
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 03:56]

.
Contents of the 'Scheduled Tasks' folder
"2004-05-16 06:45:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2008-04-17 19:03:18 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 15:01:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\dzvjrmuh.TMP

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\cygwin\usr\sbin\sshd.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTUpd.exe
.
**************************************************************************
.
Completion time: 2008-04-17 15:09:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-17 19:09:12

Pre-Run: 55,870,279,680 bytes free
Post-Run: 55,812,726,784 bytes free
.
2008-04-10 13:34:08 --- E O F ---

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:56 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\cygwin\bin\cygrunsrv.exe
C:\cygwin\usr\sbin\sshd.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - http://trudy/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093306315152
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185897766484
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chimerix-inc.com
O17 - HKLM\Software\..\Telephony: DomainName = chimerix-inc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chimerix-inc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chimerix-inc.com
O20 - Winlogon Notify: fccyxyv - fccyxyv.dll (file missing)
O20 - Winlogon Notify: wvuuuvt - wvuuuvt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7695 bytes

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:01 PM

Posted 17 April 2008 - 03:45 PM

Hello,

You should know that you're actually doing more harm than good by running 2 anti-virus programs (TrendMicro and AVG). When you do this, both programs compete for resources, and the end result is neither does its best, and it can cause system instability. I recommend that you choose the one you want to keep, update it, disable or uninstall the other one, and use it as an on-demand-only scan occasionally.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O20 - Winlogon Notify: fccyxyv - fccyxyv.dll (file missing)
O20 - Winlogon Notify: wvuuuvt - wvuuuvt.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\TEMP\dzvjrmuh.TMP
C:\WINDOWS\SYSTEM32\egjlm.bak1
C:\WINDOWS\SYSTEM32\egjlm.bak2
C:\WINDOWS\SYSTEM32\ghhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hjjlm.bak1
C:\WINDOWS\SYSTEM32\hjkmp.bak1
C:\WINDOWS\SYSTEM32\ijkmp.bak1
C:\WINDOWS\SYSTEM32\kjjlm.bak1
C:\WINDOWS\SYSTEM32\kjkmp.bak1
C:\WINDOWS\SYSTEM32\qtutv.bak1
C:\WINDOWS\SYSTEM32\rqtwa.bak1
C:\WINDOWS\SYSTEM32\rqtwa.bak2
C:\WINDOWS\SYSTEM32\sttss.bak1
C:\WINDOWS\SYSTEM32\ttstv.bak1
C:\WINDOWS\SYSTEM32\ttvwa.bak1
C:\WINDOWS\SYSTEM32\tvvwa.bak1
C:\WINDOWS\SYSTEM32\vybeg.bak1
C:\WINDOWS\SYSTEM32\vybeg.bak2
C:\WINDOWS\SYSTEM32\vycdd.bak1
C:\WINDOWS\SYSTEM32\wybeg.bak1

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuuuvt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyxyv]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. How is it running please? :thumbsup:

Thanks,
tea
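A small helper, added here and not part of this thread or of HijackThis/ComboFix, that reads HijackThis O20 lines in the format quoted above, picks out the Winlogon Notify entries whose DLL is reported missing, and emits a CFScript body in the File:: / Registry:: layout used in the instructions above. The sample log text and the "sample_ok" entry are constructed; the file and key paths are the ones from this thread.

```python
import re

# Constructed sample input in the HijackThis log format quoted in this thread.
# The "sample_ok" line is a made-up benign entry to show that an O20 entry
# whose DLL is present is left alone.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: fccyxyv - fccyxyv.dll (file missing)
O20 - Winlogon Notify: wvuuuvt - wvuuuvt.dll (file missing)
O20 - Winlogon Notify: sample_ok - sample_ok.dll
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
"""

# Hidden file reported by catchme in the ComboFix log above.
SAMPLE_HIDDEN_FILES = [r"C:\WINDOWS\TEMP\dzvjrmuh.TMP"]

# Registry key under which Winlogon Notify packages are registered (as in the CFScript above).
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# One HijackThis O20 line: "O20 - Winlogon Notify: <name> - <dll> [(file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?\s*$"
)


def orphaned_notify_entries(log_text):
    """Return the Winlogon Notify subkey names whose DLL HijackThis reports as missing.

    A Notify package registered under a random-looking name whose DLL is already gone
    is a stale registration that winlogon will keep trying to load, which is why the
    helper above had both entries fixed and their keys removed."""
    names = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m and m.group("missing"):
            names.append(m.group("name"))
    return names


def build_cfscript(hidden_files, notify_names):
    """Assemble a CFScript body: File:: lists paths to remove, Registry:: lists keys,
    where a leading '-' inside the brackets tells ComboFix to delete that key."""
    lines = ["File::", *hidden_files, "", "Registry::"]
    lines += [f"[-{NOTIFY_KEY}\\{name}]" for name in notify_names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_HIDDEN_FILES, orphaned_notify_entries(SAMPLE_HJT_LOG)))
```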

#6 weargle

weargle
  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:01 PM

Posted 22 April 2008 - 12:27 PM

Hello,

You should know that you're actually doing more harm than good by running 2 anti-virus programs (TrendMicro and AVG). When you do this, both programs compete for resources, and the end result is neither does its best, and it can cause system instability. I recommend that you choose the one you want to keep, update it, disable or uninstall the other one, and use it as an on-demand-only scan occasionally.

Thanks,
tea

I understand that; the previous computer owner installed Trend and I do not have the uninstall password. I have disabled it from running during startup in MSCONFIG and have disabled the services as well. Thanks for the additional information; when I get back onsite I will provide an update.

Wes

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:01 PM

Posted 03 May 2008 - 11:10 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



