
Constant Internet Explorer Popups


This topic is locked. 20 replies to this topic.

#1 shandog24 (Members, 13 posts)

Posted 19 April 2008 - 06:33 AM

Hey everyone, thanks for your help in advance.
I'm currently borrowing my girlfriend's laptop. She uses it for work, and I can say that the security on this is not very good, but without administrator access there's not much she can do. I spent the day just browsing the internet without downloading any files. Simply browsing. After some time these popups suddenly started showing up out of nowhere using IE. I was only browsing with Firefox, so it's definitely unusual that IE is popping up.

So here are my logs. I really hope you can help:

Deckard's System Scanner v20071014.68
Run by jmaho on 2008-04-19 21:23:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
29: 2008-04-19 11:23:29 UTC - RP87 - Deckard's System Scanner Restore Point
28: 2008-04-19 07:19:41 UTC - RP86 - Last known good configuration
27: 2008-04-19 07:19:37 UTC - RP85 - System Checkpoint
26: 2008-04-19 07:19:37 UTC - RP84 - System Checkpoint
25: 2008-04-19 07:19:36 UTC - RP83 - System Checkpoint


-- First Restore Point --
1: 2008-04-19 07:19:28 UTC - RP59 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as jmaho.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:50 PM, on 19/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\MiniMax\Bin\CMTNF5500U.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\Program Files\Maximizer\MaxExchange\Spdm.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe
C:\Program Files\Maximizer\MaxExchange\MaxExComHTTP.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Application\ModemManager.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\IOMgr.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Application\QMICM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\jmaho\Desktop\dss.exe
C:\DOCUME~1\jmaho\Desktop\jmaho.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uluru.nt.gov.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uluru.nt.gov.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.nt.gov.au/ntgproxy.pac
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\sysmgt\SxpInst\sxplog32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {609133AE-C65D-43cf-8F8E-4DE2684F427F} - fowlr.dll (file missing)
O2 - BHO: Search Assistant MySidesearch - {6156A32A-C512-4e23-AA9A-2315F4265681} - C:\WINDOWS\System32\myss_sb.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C02D5D12-D47C-496E-B55F-FDC1BEDA3EEA} - C:\WINDOWS\System32\tuvtsssp.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\System32\cbxywvwt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [RRSLocal] c:\SYSMGT\localise\localise.exe /s
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TRIMAutoDeploy] "C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" /S
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [UAM] C:\SYSMGT\TNGAM\Agents\UMCLIWNT.EXE US /EXTDEBUG /SILENT
O4 - HKLM\..\Run: [MiniMax] C:\Program Files\MiniMax\Bin\CMTNF5500U.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: MaxExchange Remote.lnk = C:\Program Files\Maximizer\MaxExchange\Spdm.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\bin\w3dbsmgr.exe
O4 - Global Startup: Telstra Turbo Modem Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206156670265
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O17 - HKLM\Software\..\Telephony: DomainName = prod.main.ntgov
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A583F3C-1211-43E5-9FCF-F154FDBEAB47}: NameServer = 155.205.50.3,155.205.7.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O20 - Winlogon Notify: cbxywvwt - C:\WINDOWS\SYSTEM32\cbxywvwt.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: CA-License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\\lic98rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\\lic98rmtd.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: RCManClient - Computer Associates International, Inc. - C:\sysmgt\tngrco\RCManClient.exe
O23 - Service: Unicenter TNG RCO (RCOService) - Computer Associates International, Inc. - C:\sysmgt\tngrco\RCOService.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE

--
End of file - 8214 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 INO_FLPY - c:\windows\system32\drivers\ino_flpy.sys <Not Verified; Computer Associates; CA eTrust eTrust Antivirus/InoculateIT version 7.X/6.X/4.X>
R1 Rp32Spin - c:\windows\system32\drivers\rp32spin.sys <Not Verified; Microsoft Corporation; Unicenter TNG Remote Control Option>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 INO_FLTR - c:\windows\system32\drivers\ino_fltr.sys <Not Verified; Computer Associates; CA eTrust Antivirus/InoculateIT version 7.X/6.X>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R2 Rp32Wire - c:\windows\system32\drivers\rp32wire.sys <Not Verified; Microsoft Corporation; Unicenter TNG Remote Control Option>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 InoRPC (eTrust Antivirus RPC Server) - "c:\program files\ca\etrust antivirus\inorpc.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 InoRT (eTrust Antivirus Realtime Server) - "c:\program files\ca\etrust antivirus\inort.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 InoTask (eTrust Antivirus Job Server) - "c:\program files\ca\etrust antivirus\inotask.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 Lotus Notes Single Logon - c:\windows\system32\nslsvice.exe <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 Multi-user Cleanup Service - c:\lotus\notes\ntmulti.exe <Not Verified; IBM Corp; IBM Lotus Notes/Domino>

S2 AmoAgent (Asset Management Agent) - c:\windows\umcstub.exe <Not Verified; Computer Associates International, Inc.; Asset Management>
S2 LogWatch (Event Log Watch) - c:\ca_lic\logwatnt.exe <Not Verified; Computer Associates; Computer Associates LogWatNT>
S2 RCManClient - c:\sysmgt\tngrco\rcmanclient.exe <Not Verified; Computer Associates International, Inc.; Unicenter TNG Remote Control Option>
S2 RCOService (Unicenter TNG RCO) - c:\sysmgt\tngrco\rcoservice.exe <Not Verified; Computer Associates International, Inc.; Unicenter TNG Remote Control Option>
S2 SDService (Unicenter Software Delivery) - c:\sysmgt\tngsd\bin\sdserv.exe <Not Verified; Computer Accociates, Intl Inc.; SD>
S3 CA_LIC_CLNT (CA-License Client) - "c:\ca_lic\\lic98rmt.exe" <Not Verified; Computer Associates International Inc.; Lic98>
S3 CA_LIC_SRVR (CA-License Server) - "c:\ca_lic\\lic98rmtd.exe" <Not Verified; Computer Associates International Inc.; Lic98>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-02 15:45:17 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-19 and 2008-04-19 -----------------------------

2008-04-19 17:20:28 87616 --a------ C:\WINDOWS\System32\aaa
2008-04-19 17:20:18 96320 --a------ C:\WINDOWS\System32\bbb
2008-04-19 17:19:18 224376 --ahs---- C:\WINDOWS\System32\pssstvut.ini2
2008-04-19 17:19:10 274432 --a------ C:\WINDOWS\System32\tuvtsssp.dll
2008-04-19 17:18:53 34099 --a------ C:\WINDOWS\System32\iii.dll
2008-04-19 17:14:43 89070 --a------ C:\WINDOWS\System32\fff.exe
2008-04-19 17:14:28 862 --a------ C:\WINDOWS\System32\winpfz33.sys
2008-04-19 17:14:20 88961 --a------ C:\WINDOWS\System32\eee.exe
2008-04-19 17:14:15 298312 --a------ C:\WINDOWS\System32\ddd.exe
2008-04-19 17:14:10 0 d-------- C:\WINDOWS\System32\wTmp
2008-04-19 17:14:10 0 d-------- C:\WINDOWS\System32\IBn
2008-04-19 17:14:04 0 d-------- C:\WINDOWS\System32\xcsDd01
2008-04-19 17:14:03 34099 --a------ C:\WINDOWS\System32\cbxywvwt.dll
2008-04-19 17:14:03 0 d-------- C:\Temp
2008-04-12 01:46:26 334848 --a------ C:\WINDOWS\System32\myss_sb.dll
2008-04-11 16:02:59 1156 --a------ C:\WINDOWS\mozver.dat
2008-04-11 16:00:05 0 d-------- C:\Documents and Settings\jmaho\Application Data\Mozilla
2008-04-07 18:23:51 0 d-------- C:\FireFox Portable
2008-03-31 17:16:22 0 d-------- C:\Documents and Settings\jmaho\.jpi_cache
2008-03-31 17:16:22 0 d-------- C:\Documents and Settings\jmaho\.java
2008-03-31 17:16:08 0 d-------- C:\Documents and Settings\jmaho\.javaws
2008-03-31 17:16:04 0 d-------- C:\Program Files\Java Web Start
2008-03-31 17:15:55 0 d-------- C:\Program Files\Java
2008-03-24 11:57:47 0 d-------- C:\Program Files\MSECache
2008-03-22 13:31:23 0 d-------- C:\WINDOWS\SoftwareDistribution


-- Find3M Report ---------------------------------------------------------------

2008-04-11 16:03:04 0 d-------- C:\Documents and Settings\jmaho\Application Data\Adobe
2008-04-07 00:00:41 0 d-------- C:\Documents and Settings\jmaho\Application Data\Maximizer
2008-03-31 17:15:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-06 14:59:25 0 d-------- C:\Documents and Settings\jmaho\Application Data\Apple Computer
2008-02-19 16:51:56 0 d-------- C:\Program Files\Sony
2008-02-19 15:48:32 0 d-------- C:\Program Files\Common Files
2008-02-19 15:48:32 0 d-------- C:\Program Files\Common Files\Sony Shared


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{609133AE-C65D-43cf-8F8E-4DE2684F427F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6156A32A-C512-4e23-AA9A-2315F4265681}]
12/04/2008 01:46 AM 334848 --a------ C:\WINDOWS\System32\myss_sb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C02D5D12-D47C-496E-B55F-FDC1BEDA3EEA}]
19/04/2008 05:19 PM 274432 --a------ C:\WINDOWS\System32\tuvtsssp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}]
19/04/2008 05:14 PM 34099 --a------ C:\WINDOWS\System32\cbxywvwt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SchedulingAgent"="mstinit.exe" [09/06/2004 05:59 AM C:\WINDOWS\system32\mstinit.exe]
"SDJobCheck"="triggusr.exe" [30/09/2002 11:20 AM C:\sysmgt\TNGSD\BIN\triggusr.exe]
"RRSLocal"="c:\SYSMGT\localise\localise.exe" [24/10/2005 10:00 AM]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [06/04/2004 05:44 PM]
"@"="" []
"TRIMAutoDeploy"="C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" [18/03/2005 07:31 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [21/05/2005 01:41 AM]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [29/11/2005 07:25 AM]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [29/11/2005 07:22 AM]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [29/11/2005 07:25 AM]
"UAM"="C:\SYSMGT\TNGAM\Agents\UMCLIWNT.exe" [01/08/2003 04:21 PM]
"MiniMax"="C:\Program Files\MiniMax\Bin\CMTNF5500U.exe" [09/06/2005 03:32 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [11/12/2007 09:56 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [30/08/2002 03:11 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15/05/2003 1:19:50 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader\reader_sl.exe [23/09/2005 10:35:26 PM]
MaxAlarm.lnk - C:\Program Files\Maximizer\MxAlarm.exe [24/07/2006 4:30:00 PM]
MaxExchange Remote.lnk - C:\Program Files\Maximizer\MaxExchange\Spdm.exe [24/07/2006 4:30:00 PM]
MaxFinder.lnk - C:\Program Files\Maximizer\MxFinder.exe [24/07/2006 4:30:00 PM]
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\bin\w3dbsmgr.exe [09/06/2005 10:16:34 PM]
Telstra Turbo Modem Manager.lnk - C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe [01/09/2007 4:56:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"SetVisualStyle"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=0 (0x0)
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoAutoUpdate"=1 (0x1)
"NoChangeAnimation"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"= C:\WINDOWS\System32\cbxywvwt.dll [19/04/2008 05:14 PM 34099]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,,C:\sysmgt\SxpInst\sxplog32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxywvwt]
cbxywvwt.dll 19/04/2008 05:14 PM 34099 C:\WINDOWS\system32\cbxywvwt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\tuvtsssp

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2926237862-3770063950-2320700579-41507\Scripts\Logon\0\0]
"Script"=\\prod.main.ntgov\netlogon\CompDesc.1.00.000.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2926237862-3770063950-2320700579-41507\Scripts\Logon\0\1]
"Script"=\\prod.main.ntgov\Netlogon\NTTC\asp.psb.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2926237862-3770063950-2320700579-41507\Scripts\Logon\0\2]
"Script"=\\prod.main.ntgov\netlogon\Global_Scripts.vbs




-- End of Deckard's System Scanner: finished at 2008-04-19 21:25:56 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core™ Duo CPU T2300 @ 1.66GHz
CPU 1: Intel® Core™ Duo CPU T2300 @ 1.66GHz
Percentage of Memory in Use: 37%
Physical Memory (total/avail): 1014.36 MiB / 635.28 MiB
Pagefile Memory (total/avail): 1677.39 MiB / 1394.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.6 MiB

C: is Fixed (NTFS) - 55.88 GiB total, 46.16 GiB free.
D: is CDROM (No Media)
L: is Network (Unformatted)
M: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - HITACHI HTS541660J9SA00 - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is not configured.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jmaho\Application Data
ASMROOT=C:\SYSMGT\TNGSD\SD
AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
CLASSPATH=.;C:\PVSW\bin\pvjdbc2x.jar;C:\PVSW\bin\pvjdbc2.jar;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BAA13139
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMESHARE=\\remsyddcf01\nttc_users
INOCULAN=C:\PROGRA~1\CA\ETRUST~1
LOGONSERVER=\\REMSYDDCF01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\PVSW\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\SYSMGT\CA_APPSW;C:\SYSMGT\TNGSD\BIN;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\PROGRA~1\CA\ETRUST~1;C:\Program Files\Common Files\Maximizer;F:\Notes;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 12, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e0c
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jmaho\LOCALS~1\Temp
TMP=C:\DOCUME~1\jmaho\LOCALS~1\Temp
USERDNSDOMAIN=PROD.MAIN.NTGOV
USERDOMAIN=PROD
USERNAME=jmaho
USERPROFILE=C:\Documents and Settings\jmaho
VSL=C:\PVSW\bin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)
crudd (admin)
jmulc (admin)
jmaho (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AAPA --> C:\UNWISE.EXE C:\INSTALL.LOG
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
CA eTrust Antivirus --> MsiExec.exe /X{99747F0D-D4F8-4877-9CA0-4AE96D963633}
Caplio Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A069AA-4771-48A5-AEA4-60D6DF3CC85D}\setup.exe" -l0x9 anything
Central Agencies --> C:\UNWISE.EXE C:\INSTALL.LOG
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Deewoo Network Manager removal --> C:\WINDOWS\System32\kcntskdn.exe -UPop
DLGHS and NTTC Installation --> C:\UNWISE.EXE C:\INSTALL.LOG
ebook APT NTSB 0708 --> C:\Documents and Settings\jmaho\My Documents\My EBKs\resources\Ebook.exe "C:\Documents and Settings\jmaho\My Documents\My EBKs\APT NTSB 0708\apt_ntsb_0708.ebk" /uq
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXP$\spuninst\spuninst.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Documents and Settings\jmaho\Desktop\HijackThis.exe" /uninstall
ImageMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B07D847-8077-4242-91C7-DFA3CE5113E0}\setup.exe" -l0x9 UNINSTALL
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
Java 2 Runtime Environment, SE v1.4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD0159C9-17FB-11D6-A76A-00B0D079AF64}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Lotus Notes 6.5.1 --> MsiExec.exe /I{5B5B3D92-A765-4AD5-9752-30BA2C71C314}
Maximizer Enterprise 9, Version 9.5 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{A06562EB-6657-4FE3-8A66-21442C9B6092}
Maxon MiniMax Modem --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D384EA61-887C-45A8-997B-9E9586437092}\Setup.exe" -l0x9
MetaFrame Presentation Server Client --> MsiExec.exe /I{E92B7A19-5FD5-4AEE-9FEF-7AD5DD3A675E}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Organization Chart 2.0 --> MsiExec.exe /I{90AE0409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Native Client --> MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft XML Parser and SDK --> MsiExec.exe /I{35343FF7-939B-401A-87B3-FF90A5123D88}
MicroStaff WINASPI --> C:\MWASPI\uninst.exe
Mocha W32 TN3270 --> MsiExec.exe /I{E6693A8E-8249-4E60-8693-FF7E0367C4AE}
MySidesearch Search Assistant Adzgalore --> C:\WINDOWS\System32\myss_sb_uninstall.exe
Pervasive System Analyzer --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Common Files\Pervasive Software Shared\PSA\psa.isu"
Pervasive.SQL 9 SP1 Workgroup for Windows (9.1) --> MsiExec.exe /I{B445B16A-1FB3-4D21-A10E-0B68B4C4654B}
PrintKey2000 --> C:\PROGRA~1\PRINTK~1\UNWISE.EXE C:\PROGRA~1\PRINTK~1\INSTALL.LOG
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Remote Control Option --> C:\sysmgt\tngrco\setup.exe /U
Remove Hidden Data Tool --> MsiExec.exe /X{90F80409-6000-11D3-8CFE-0150048383C9}
Telstra Turbo Modem Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB63209F-4DDB-4AAA-8EDD-078DB9DED857}\setup.exe" -l0x9 -removeonly
ThinkPad Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\HXFSETUP.EXE -U -ITkp0588p.inf
ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
TRIM Context --> MsiExec.exe /I{088D99A7-BBE0-4EF0-A1D4-30B3BB969403}


-- Application Event Log -------------------------------------------------------

Event Record #/Type7844 / Error
Event Submitted/Written: 04/19/2008 08:37:43 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type7843 / Warning
Event Submitted/Written: 04/19/2008 08:37:17 PM
Event ID/Source: 1000 / NTG Localise
Event Description:
Localise attempted to stop the LanManServer service... Service Status: Stopped

Event Record #/Type7842 / Warning
Event Submitted/Written: 04/19/2008 08:37:14 PM
Event ID/Source: 1000 / NTG Localise
Event Description:
Localise attempted to stop the Messenger service... Service Status: Stopped

Event Record #/Type7841 / Warning
Event Submitted/Written: 04/19/2008 08:37:12 PM
Event ID/Source: 1000 / NTG Localise
Event Description:
Localise attempted to stop the LogWatch service... Service Status: Stopped

Event Record #/Type7840 / Warning
Event Submitted/Written: 04/19/2008 08:37:10 PM
Event ID/Source: 1000 / NTG Localise
Event Description:
Localise attempted to stop the SDService service... Service Status: Stopped



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type36792 / Warning
Event Submitted/Written: 04/19/2008 08:59:23 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {245FC88B-5685-4EF9-AF2A-002A355A63BA}

Host Name : BAA13139

Primary Domain Suffix : prod.main.ntgov

DNS server list :

203.50.2.71, 139.130.4.4

Sent update to server : <?>

IP Address(es) :

10.163.126.234


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type36791 / Error
Event Submitted/Written: 04/19/2008 08:43:19 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 10.239.115.41 for the Network Card with network address 00A0C6000000 has been
denied by the DHCP server 10.163.126.233 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type36763 / Error
Event Submitted/Written: 04/19/2008 08:38:13 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The Computer Browser service terminated with service-specific error 2550 (0x9F6).

Event Record #/Type36762 / Error
Event Submitted/Written: 04/19/2008 08:37:07 PM
Event ID/Source: 10009 / DCOM
Event Description:
DCOM was unable to communicate with the computer NTDSRP06.NT.GOV.AU using any of the configured
protocols.

Event Record #/Type36761 / Error
Event Submitted/Written: 04/19/2008 08:37:07 PM
Event ID/Source: 10009 / DCOM
Event Description:
DCOM was unable to communicate with the computer NTDSRP06.NT.GOV.AU using any of the configured
protocols.



-- End of Deckard's System Scanner: finished at 2008-04-19 21:25:56 ------------
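The log above contains the pattern a forum helper reads first: two DLLs with eight-letter names created minutes apart in System32, registered as unnamed BHOs (O2), one of them also as a Winlogon Notify handler (O20) and a ShellExecuteHook, the other appended to the LSA "Authentication Packages" value, plus a BHO whose file is already gone. The script below is an added example, not part of the original post, of HijackThis or of Deckard's System Scanner. It parses HijackThis-style lines and the LSA line from the registry dump and reports which modules deserve a closer look. The sample lines are copied from the log posted above; the "random-looking name" heuristic and its thresholds, and the rule that stock Windows XP lists only msv1_0 under Authentication Packages, are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; not part of the original post, of HijackThis
or of Deckard's System Scanner. It picks out browser helper objects (O2)
whose file is missing, unnamed or random-looking, Winlogon Notify handlers
(O20), modules registered in more than one autostart location, and anything
beyond msv1_0 in the LSA "Authentication Packages" value (assumption: that is
the only package a stock Windows XP box lists there).
"""
import re
from collections import defaultdict

# Lines copied from the log posted in the thread (constructed sample input).
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {609133AE-C65D-43cf-8F8E-4DE2684F427F} - fowlr.dll (file missing)
O2 - BHO: Search Assistant MySidesearch - {6156A32A-C512-4e23-AA9A-2315F4265681} - C:\WINDOWS\System32\myss_sb.dll
O2 - BHO: (no name) - {C02D5D12-D47C-496E-B55F-FDC1BEDA3EEA} - C:\WINDOWS\System32\tuvtsssp.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\System32\cbxywvwt.dll
O20 - Winlogon Notify: cbxywvwt - C:\WINDOWS\SYSTEM32\cbxywvwt.dll
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
"""

# The LSA line from the registry dump in the same log.
SAMPLE_LSA = r'"Authentication Packages"= msv1_0 C:\WINDOWS\System32\tuvtsssp'

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
MODULE = re.compile(r"(?P<name>[^\\\s]+)\.(?:dll|exe|ocx)\b", re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(stem):
    """Assumed heuristic: 7-9 lowercase letters with at most 20% vowels."""
    if not re.fullmatch(r"[a-z]{7,9}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.2


def parse(text):
    """Return one dict per recognised HijackThis entry (section, body, module stem)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        path = body.rsplit(" - ", 1)[-1]          # last field is the file path
        mod = MODULE.search(path)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "stem": mod.group("name").lower() if mod else None,
            "missing": "(file missing)" in path,
        })
    return entries


def triage(text):
    """Return {module stem: [reasons]} for entries worth a closer look."""
    findings = defaultdict(list)
    seen_in = defaultdict(set)
    for e in parse(text):
        key = e["stem"] or e["body"]
        seen_in[key].add(e["section"])
        if e["section"] == "O2":
            if e["missing"]:
                findings[key].append("BHO points at a missing file")
            if e["body"].startswith("BHO: (no name)"):
                findings[key].append("BHO has no description")
        if e["section"] == "O20":
            findings[key].append("Winlogon Notify handler (loaded into winlogon.exe)")
        if e["stem"] and looks_random(e["stem"]):
            findings[key].append("random-looking module name")
    for key, sections in seen_in.items():
        if len(sections) > 1:
            findings[key].append("registered in %d autostart locations: %s"
                                 % (len(sections), ", ".join(sorted(sections))))
    # drop duplicate reasons while keeping their order
    return {k: list(dict.fromkeys(v)) for k, v in findings.items()}


def extra_lsa_packages(line):
    """Everything after msv1_0 in Authentication Packages is an addition."""
    m = re.search(r'"Authentication Packages"=\s*(.*)$', line)
    if not m:
        return []
    return [p for p in m.group(1).split() if p.lower() != "msv1_0"]


if __name__ == "__main__":
    for stem, reasons in triage(SAMPLE_HJT).items():
        print(stem, "->", "; ".join(reasons))
    print("extra LSA packages:", extra_lsa_packages(SAMPLE_LSA))
```

Run against the sample, the script singles out fowlr (missing file), tuvtsssp (unnamed BHO, random-looking name) and cbxywvwt (unnamed BHO, Winlogon Notify handler, present in two autostart sections), and reports the System32 path appended to the LSA authentication packages; the Adobe, MySidesearch and eTrust entries are left alone. The name heuristic is deliberately crude and only narrows the list; it is the cross-referencing of one DLL across several load points, together with the creation timestamps in the file listing, that tells a helper where to start.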


#2 Markka (Members, 113 posts)

Posted 19 April 2008 - 10:12 AM

Hi and welcome to the forums. :thumbsup:
I'm Markka and I will be helping you with your malware issues.

I'll check your HijackThis log. I belong to HJT Senior Classmen and everything that I post to you must be checked by
teachers of Bleeping Computer.
Please be patient.

#3 shandog24 (Topic Starter, Members, 13 posts)

Posted 19 April 2008 - 06:12 PM

Hi Markka,

Hello and thank you for your help. It's greatly appreciated.
Happy to be patient knowing that I'm getting assistance on this.

#4 Markka (Members, 113 posts)

Posted 20 April 2008 - 04:03 AM

Hello

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall!
_____________
  • Click here to download HijackThis and save it to your desktop.
  • Double-click on HJTInstall.exe to run it.
  • HJTInstall.exe will install HijackThis to here C:\Program Files\Trend Micro\HijackThis
  • Click install
  • HJTInstall.exe will create an icon to your desktop.
  • When the installation is ready, it will start HijackThis.
  • When HijackThis is opened, click Do a system scan and save a logfile.
  • Post the HijackThis log here.
  • Do not fix anything with HijackThis until I tell you to!
______________

Post:

- The fresh HijackThis log
- Contents of C:\ComboFix.txt

#5 shandog24 (Topic Starter, Members, 13 posts)

Posted 20 April 2008 - 05:19 AM

Markka,

I've done what you asked. Here is the combofix log followed by the hijackthis log.

Cheers,
shandog

ComboFix 08-04-18.3 - jmaho 2008-04-20 20:05:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.486 [GMT 10:00]
Running from: C:\Documents and Settings\jmaho\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\cookie.dat
C:\WINDOWS\system32\help.txt
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ps.dat
C:\WINDOWS\system32\pssstvut.ini
C:\WINDOWS\system32\pssstvut.ini2
C:\WINDOWS\system32\tuvtsssp.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-20 20:17 . 2008-04-20 20:17 <DIR> d--hs---- C:\Documents and Settings\LocalService\Application Data\wsnpoem
2008-04-20 12:51 . 2008-04-20 12:52 45,056 --a------ C:\MEUK.exe
2008-04-19 21:23 . 2008-04-19 21:23 <DIR> d-------- C:\Deckard
2008-04-19 17:20 . 2008-04-19 17:37 1,540,626 ---hs---- C:\WINDOWS\system32\jucmgoju.ini
2008-04-19 17:20 . 2008-04-19 17:29 109,774 --a------ C:\WINDOWS\BM43c701d6.xml
2008-04-19 17:20 . 2008-04-19 17:20 96,320 --a------ C:\WINDOWS\system32\bbb
2008-04-19 17:20 . 2008-04-19 17:20 87,616 --a------ C:\WINDOWS\system32\aaa
2008-04-19 17:18 . 2008-04-19 17:18 34,099 --a------ C:\WINDOWS\system32\iii.dll
2008-04-19 17:14 . 2008-04-19 17:14 <DIR> d-------- C:\Temp\berDrv11
2008-04-18 15:56 . 2008-04-18 15:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 15:56 . 2008-04-18 15:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-12 01:46 . 2008-04-12 01:46 334,848 --a------ C:\WINDOWS\system32\myss_sb.dll
2008-04-11 16:02 . 2008-04-11 16:03 1,156 --a------ C:\WINDOWS\mozver.dat
2008-04-07 18:23 . 2008-04-07 18:24 <DIR> d-------- C:\FireFox Portable
2008-03-31 17:16 . 2008-03-31 17:16 <DIR> d-------- C:\Program Files\Java Web Start
2008-03-31 17:16 . 2008-03-31 17:16 <DIR> d-------- C:\Documents and Settings\jmaho\.jpi_cache
2008-03-31 17:16 . 2008-03-31 17:16 <DIR> d-------- C:\Documents and Settings\jmaho\.javaws
2008-03-31 17:16 . 2008-03-31 17:16 <DIR> d-------- C:\Documents and Settings\jmaho\.java
2008-03-31 17:16 . 2002-08-29 09:10 229,479 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-03-31 17:15 . 2008-03-31 17:15 <DIR> d-------- C:\Program Files\Java
2008-03-24 11:57 . 2008-03-24 11:57 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 07:14 89,070 ----a-w C:\WINDOWS\system32\fff.exe
2008-04-19 07:14 88,961 ----a-w C:\WINDOWS\system32\eee.exe
2008-04-19 07:14 34,099 ----a-w C:\WINDOWS\system32\cbxywvwt.dll
2008-04-19 07:14 298,312 ----a-w C:\WINDOWS\system32\ddd.exe
2008-04-06 14:00 --------- d-----w C:\Documents and Settings\jmaho\Application Data\Maximizer
2008-03-31 07:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-06 04:59 --------- d-----w C:\Documents and Settings\jmaho\Application Data\Apple Computer
2007-08-22 00:47 190 ----a-w C:\Program Files\Common Files\psasetup.log
2007-08-16 23:20 6,148 ---ha-w C:\Program Files\.DS_Store
2005-10-14 01:47 151,552 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{609133AE-C65D-43cf-8F8E-4DE2684F427F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6156A32A-C512-4e23-AA9A-2315F4265681}]
2008-04-12 01:46 334848 --a------ C:\WINDOWS\System32\myss_sb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}]
2008-04-19 17:14 34099 --a------ C:\WINDOWS\system32\cbxywvwt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-30 03:11 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SchedulingAgent"="mstinit.exe" [2004-06-09 05:59 10752 C:\WINDOWS\system32\mstinit.exe]
"SDJobCheck"="triggusr.exe" [2002-09-30 11:20 20480 C:\sysmgt\TNGSD\BIN\triggusr.exe]
"RRSLocal"="c:\SYSMGT\localise\localise.exe" [2005-10-24 10:00 339151]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:44 504080]
"TRIMAutoDeploy"="C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" [2005-03-18 07:31 129537]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-21 01:41 925696]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-11-29 07:25 98304]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-11-29 07:22 77824]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-11-29 07:25 118784]
"UAM"="C:\SYSMGT\TNGAM\Agents\UMCLIWNT.exe" [2003-08-01 16:21 663552]
"MiniMax"="C:\Program Files\MiniMax\Bin\CMTNF5500U.exe" [2005-06-09 15:32 229376]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 09:56 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-30 03:11 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader\reader_sl.exe [2005-09-23 22:35:26 29696]
MaxAlarm.lnk - C:\Program Files\Maximizer\MxAlarm.exe [2006-07-24 16:30:00 147456]
MaxExchange Remote.lnk - C:\Program Files\Maximizer\MaxExchange\Spdm.exe [2006-07-24 16:30:00 1757184]
MaxFinder.lnk - C:\Program Files\Maximizer\MxFinder.exe [2006-07-24 16:30:00 278528]
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\bin\w3dbsmgr.exe [2005-06-09 22:16:34 106546]
Telstra Turbo Modem Manager.lnk - C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe [2007-09-01 16:56:06 454656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"NoChangeAnimation"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"= C:\WINDOWS\system32\cbxywvwt.dll [2008-04-19 17:14 34099]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxywvwt]
cbxywvwt.dll 2008-04-19 17:14 34099 C:\WINDOWS\system32\cbxywvwt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2926237862-3770063950-2320700579-41507\Scripts\Logon\0\0]
"Script"=\\prod.main.ntgov\netlogon\CompDesc.1.00.000.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2926237862-3770063950-2320700579-41507\Scripts\Logon\0\1]
"Script"=\\prod.main.ntgov\Netlogon\NTTC\asp.psb.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2926237862-3770063950-2320700579-41507\Scripts\Logon\0\2]
"Script"=\\prod.main.ntgov\netlogon\Global_Scripts.vbs

R1 Rp32Spin;Rp32Spin;C:\WINDOWS\System32\drivers\Rp32Spin.sys [2003-03-21 21:26]
R2 Rp32Wire;Rp32Wire;C:\WINDOWS\System32\drivers\Rp32Wire.sys [2003-03-21 21:26]
R3 cmusbnet;WAN Driver @ 3GPP (6280);C:\WINDOWS\System32\DRIVERS\cmusbnet.sys [2006-11-23 15:03]
R3 cmusbser;%CMUSBSER%;C:\WINDOWS\System32\DRIVERS\cmusbser.sys [2006-12-13 17:31]
S2 LogWatch;Event Log Watch;C:\CA_LIC\LogWatNT.exe [2005-02-23 16:26]
S2 RCManClient;RCManClient;C:\sysmgt\tngrco\RCManClient.exe [2003-03-21 20:51]
S2 RCOService;Unicenter TNG RCO;C:\sysmgt\tngrco\RCOService.exe [2003-03-21 21:23]
S3 CA_LIC_CLNT;CA-License Client;"C:\CA_LIC\\lic98rmt.exe" [2005-03-23 14:47]
S3 CA_LIC_SRVR;CA-License Server;"C:\CA_LIC\\lic98rmtd.exe" [2005-03-23 14:46]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 05:45:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 20:18:09
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\ntos.exe 471040 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbxywvwt.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Maximizer\MaxExchange\MaxExComHTTP.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-04-20 20:22:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 10:22:02

Pre-Run: 49,461,979,136 bytes free
Post-Run: 49,809,318,912 bytes free

169



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22, on 2008-04-20
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\MiniMax\Bin\CMTNF5500U.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\Program Files\Maximizer\MaxExchange\Spdm.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe
C:\Program Files\Maximizer\MaxExchange\MaxExComHTTP.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\jmaho\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uluru.nt.gov.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uluru.nt.gov.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.nt.gov.au/ntgproxy.pac
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {609133AE-C65D-43cf-8F8E-4DE2684F427F} - fowlr.dll (file missing)
O2 - BHO: Search Assistant MySidesearch - {6156A32A-C512-4e23-AA9A-2315F4265681} - C:\WINDOWS\System32\myss_sb.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\cbxywvwt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [RRSLocal] c:\SYSMGT\localise\localise.exe /s
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TRIMAutoDeploy] "C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" /S
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [UAM] C:\SYSMGT\TNGAM\Agents\UMCLIWNT.EXE US /EXTDEBUG /SILENT
O4 - HKLM\..\Run: [MiniMax] C:\Program Files\MiniMax\Bin\CMTNF5500U.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: MaxExchange Remote.lnk = C:\Program Files\Maximizer\MaxExchange\Spdm.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\bin\w3dbsmgr.exe
O4 - Global Startup: Telstra Turbo Modem Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206156670265
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O17 - HKLM\Software\..\Telephony: DomainName = prod.main.ntgov
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A583F3C-1211-43E5-9FCF-F154FDBEAB47}: NameServer = 155.205.50.3,155.205.7.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O20 - Winlogon Notify: cbxywvwt - C:\WINDOWS\SYSTEM32\cbxywvwt.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: CA-License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\\lic98rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\\lic98rmtd.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: RCManClient - Computer Associates International, Inc. - C:\sysmgt\tngrco\RCManClient.exe
O23 - Service: Unicenter TNG RCO (RCOService) - Computer Associates International, Inc. - C:\sysmgt\tngrco\RCOService.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE

--
End of file - 8181 bytes
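Two things in the HijackThis log above are worth reading carefully before the helper's reply. The F2 line shows UserInit= carrying a second executable, C:\WINDOWS\System32\ntos.exe, after the real userinit.exe; Windows runs every comma-separated entry in that value at each logon, so this is a logon-time persistence point, not a browser add-on. And cbxywvwt.dll is registered twice, as an unnamed BHO (O2) and as a Winlogon Notify package (O20), which loads it inside winlogon.exe; the ComboFix section "DLLs Loaded Under Running Processes" confirms that it is in fact mapped there. The Python below is an added example, not code from this thread or from the HijackThis or ComboFix authors. It runs a few triage rules over a constructed subset of the lines posted above: the eight-lowercase-letter filename rule, the severity labels and the BHO/Winlogon cross-check are my own heuristics, not HijackThis logic.

```python
import re

# A constructed subset of the HijackThis lines posted above; the full log has
# many more O4/O23 entries that these rules would leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {609133AE-C65D-43cf-8F8E-4DE2684F427F} - fowlr.dll (file missing)
O2 - BHO: Search Assistant MySidesearch - {6156A32A-C512-4e23-AA9A-2315F4265681} - C:\WINDOWS\System32\myss_sb.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\cbxywvwt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O20 - Winlogon Notify: cbxywvwt - C:\WINDOWS\SYSTEM32\cbxywvwt.dll
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
"""

# Heuristic, not proof: eight random lowercase letters is the naming habit of
# the adware family behind cbxywvwt.dll / tuvtsssp.dll in this thread.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.dll$", re.IGNORECASE)
SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def basename(path):
    """Last component of a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1]


def parse_userinit(line):
    """Executables listed in an 'F2 - REG:system.ini: UserInit=' line."""
    value = line.split("UserInit=", 1)[1]
    return [e.strip() for e in value.split(",") if e.strip()]


def bho_path(parts):
    """Module path from a split O2 line, minus HijackThis's '(file missing)' tag."""
    return " - ".join(parts[3:]).replace("(file missing)", "").strip()


def triage(log_text):
    """Return one finding per suspicious HijackThis line, in log order."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            parts = line.split(" - ")
            entries.append((parts[0], parts, line))

    # Modules already registered as BHOs, so an O20 hit can be cross-checked.
    bho_modules = {basename(bho_path(p)).lower()
                   for k, p, _ in entries if k == "O2" and len(p) >= 4}

    findings = []
    for kind, parts, line in entries:
        reasons = []
        if kind == "F2" and "UserInit=" in line:
            for exe in parse_userinit(line):
                if basename(exe).lower() != "userinit.exe":
                    reasons.append(("HIGH", f"extra logon executable {exe}"))
        elif kind == "O2" and len(parts) >= 4:
            name = parts[1].replace("BHO:", "", 1).strip()
            if name == "(no name)":
                reasons.append(("MEDIUM", "BHO registered with no name"))
            if line.endswith("(file missing)"):
                reasons.append(("LOW", "orphaned BHO registration"))
            if RANDOM_NAME.match(basename(bho_path(parts))):
                reasons.append(("HIGH", "random-looking DLL name"))
        elif kind == "O20" and len(parts) >= 3:
            mod = basename(" - ".join(parts[2:])).lower()
            reasons.append(("MEDIUM", "Winlogon Notify DLL runs inside winlogon.exe as SYSTEM"))
            if RANDOM_NAME.match(mod):
                reasons.append(("HIGH", "random-looking DLL name"))
            if mod in bho_modules:
                reasons.append(("HIGH", "same DLL also registered as a BHO"))
        if reasons:
            worst = max(reasons, key=lambda r: SEVERITY[r[0]])[0]
            findings.append({"severity": worst, "line": line,
                             "reasons": [r for _, r in reasons]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["severity"], f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

On the sample above this flags exactly the four lines the helper goes on to fix: the F2 UserInit line, the orphaned "fowlr.dll (file missing)" registration (low severity, a leftover with no file behind it), the unnamed cbxywvwt.dll BHO, and the matching O20 entry, which scores highest because the same DLL sits in both an IE and a winlogon.exe load point. Note what the heuristic misses: myss_sb.dll (MySidesearch) has a readable name and a named BHO entry, so it passes the rules and still needs a lookup against a known-adware list, which is the part of the job the helper does by hand.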

#6 Markka (Members, 113 posts)

Posted 20 April 2008 - 07:24 AM

Hello

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you want to clean your computer without reinstalling OS, follow these instructions:
______________

Right-click on the desktop and choose 'Make a new folder' and give it a name 'HJT'. Then drag HijackThis.exe into the HJT folder.
______

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows except HijackThis and press fix checked.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Search Assistant MySidesearch - {6156A32A-C512-4e23-AA9A-2315F4265681} - C:\WINDOWS\System32\myss_sb.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\cbxywvwt.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: cbxywvwt - C:\WINDOWS\SYSTEM32\cbxywvwt.dll

______

Open notepad and copy/paste the text in the quotebox below into it:

Rootkit::
C:\WINDOWS\System32\ntos.exe

File::
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\System32\myss_sb.dll
C:\WINDOWS\system32\cbxywvwt.dll
C:\WINDOWS\system32\jucmgoju.ini
C:\WINDOWS\BM43c701d6.xml
C:\MEUK.exe
C:\WINDOWS\system32\iii.dll
C:\WINDOWS\system32\fff.exe
C:\WINDOWS\system32\eee.exe
C:\WINDOWS\system32\ddd.exe

Folder::
C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\aaa
C:\WINDOWS\system32\bbb
C:\Temp


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Post:
- A fresh HijackThis log
- Logfile of ComboFix
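Two details of the fix above deserve a check before anyone repeats it on another machine. Whether the F2 line is fixed through HijackThis or by hand, the outcome must keep the genuine userinit.exe entry: Windows runs every comma-separated entry of UserInit at logon, and a value with no userinit.exe left in it means nobody can log in afterwards. Likewise, a CFScript File:: section deletes whatever it names, so it should never be allowed to list a core logon or shell binary. The Python below is an added example of both checks, not code from this thread or from ComboFix. The PROTECTED set is a short hypothetical allowlist for illustration, and build_cfscript only emits the three directive sections (Rootkit::, File::, Folder::) that appear in the post above.

```python
import ntpath

# Hypothetical short allowlist for this example: logon/shell binaries that a
# cleanup script must never delete.
PROTECTED = {"userinit.exe", "winlogon.exe", "explorer.exe", "smss.exe",
             "csrss.exe", "services.exe", "lsass.exe"}


def clean_userinit(value, windir=r"C:\WINDOWS"):
    """Strip every entry except the genuine userinit.exe from a UserInit value.

    Returns (cleaned_value, removed_entries). Windows runs each comma-separated
    entry at logon, so the cleaned value always keeps (or restores) userinit.exe
    and ends with the trailing comma the default value carries.
    """
    genuine = ntpath.join(windir, "system32", "userinit.exe")
    kept, removed = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        # Full-path comparison on purpose: a file called userinit.exe in some
        # other directory is a substitution trick and must not be kept.
        if entry.lower() == genuine.lower():
            kept.append(entry)
        else:
            removed.append(entry)
    if not kept:
        kept.append(genuine)
    return ",".join(kept) + ",", removed


def build_cfscript(rootkit=(), files=(), folders=()):
    """Emit the Rootkit::/File::/Folder:: sections of a CFScript.txt.

    Raises ValueError rather than scripting the deletion of a protected file.
    """
    for path in list(rootkit) + list(files):
        if ntpath.basename(path).lower() in PROTECTED:
            raise ValueError(f"refusing to script deletion of {path}")
    lines = []
    for header, items in (("Rootkit::", rootkit), ("File::", files),
                          ("Folder::", folders)):
        if items:
            lines.append(header)
            lines.extend(items)
            lines.append("")
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    # The UserInit value from the F2 line in the log posted earlier.
    cleaned, removed = clean_userinit(
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,")
    print(cleaned, removed)
    print(build_cfscript(rootkit=[r"C:\WINDOWS\System32\ntos.exe"],
                         files=[r"C:\WINDOWS\System32\ntos.exe",
                                r"C:\WINDOWS\System32\myss_sb.dll"],
                         folders=[r"C:\WINDOWS\system32\wsnpoem"]))
```

clean_userinit deliberately compares the whole path rather than the file name, so a value that has been swapped to C:\WINDOWS\userinit.exe is treated as hijacked and the system32 copy is put back. The same full-path discipline is why the helper's script names C:\WINDOWS\System32\ntos.exe explicitly instead of a bare file name.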

#7 shandog24 (Topic Starter, Members, 13 posts)

Posted 20 April 2008 - 08:00 AM

Hello,

I've done what you have asked and have posted both logs after this message. One thing to note is that these items:

O2 - BHO: Search Assistant MySidesearch - {6156A32A-C512-4e23-AA9A-2315F4265681} - C:\WINDOWS\System32\myss_sb.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\cbxywvwt.dll
O20 - Winlogon Notify: cbxywvwt - C:\WINDOWS\SYSTEM32\cbxywvwt.dll

were not present when checking items to fix in HijackThis.

Here are my logs:

ComboFix 08-04-18.3 - jmaho 2008-04-20 22:43:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.613 [GMT 10:00]
Running from: C:\Documents and Settings\jmaho\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jmaho\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\MEUK.exe
C:\WINDOWS\BM43c701d6.xml
C:\WINDOWS\system32\cbxywvwt.dll
C:\WINDOWS\system32\ddd.exe
C:\WINDOWS\system32\eee.exe
C:\WINDOWS\system32\fff.exe
C:\WINDOWS\system32\iii.dll
C:\WINDOWS\system32\jucmgoju.ini
C:\WINDOWS\System32\myss_sb.dll
C:\WINDOWS\System32\ntos.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll
C:\MEUK.exe
C:\Temp
C:\Temp\berDrv11\fxpNbu.log
C:\WINDOWS\BM43c701d6.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aaa\
C:\WINDOWS\system32\bbb\
C:\WINDOWS\system32\cbxywvwt.dll
C:\WINDOWS\system32\ddd.exe
C:\WINDOWS\system32\eee.exe
C:\WINDOWS\system32\fefedfhk.ini
C:\WINDOWS\system32\fefedfhk.ini2
C:\WINDOWS\system32\fff.exe
C:\WINDOWS\system32\gcqjrbfm1.dll
C:\WINDOWS\system32\iii.dll
C:\WINDOWS\system32\jucmgoju.ini
C:\WINDOWS\system32\khfdefef.dll
C:\WINDOWS\System32\myss_sb.dll
C:\WINDOWS\System32\ntos.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-20 12:52 . 2008-04-20 22:33 <DIR> d--hs---- C:\WINDOWS\system32\wsnpoem
2008-04-19 21:23 . 2008-04-19 21:23 <DIR> d-------- C:\Deckard
2008-04-19 17:20 . 2008-04-19 17:20 96,320 --a------ C:\WINDOWS\system32\bbb
2008-04-19 17:20 . 2008-04-19 17:20 87,616 --a------ C:\WINDOWS\system32\aaa
2008-04-19 17:14 . 2008-04-19 17:14 <DIR> d-------- C:\WINDOWS\system32\xcsDd01
2008-04-19 17:14 . 2008-04-19 17:14 <DIR> d-------- C:\WINDOWS\system32\wTmp
2008-04-19 17:14 . 2008-04-19 17:14 <DIR> d-------- C:\WINDOWS\system32\IBn
2008-04-19 17:14 . 2008-04-19 17:14 862 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-19 17:14 . 2008-04-19 17:14 149 --a------ C:\WINDOWS\system32\ggg.dx
2008-04-19 17:14 . 2008-04-19 17:14 21 --a------ C:\WINDOWS\system32\hhh.cfg
2008-04-18 15:56 . 2008-04-18 15:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 15:56 . 2008-04-18 15:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 16:02 . 2008-04-11 16:03 1,156 --a------ C:\WINDOWS\mozver.dat
2008-04-07 18:23 . 2008-04-07 18:24 <DIR> d-------- C:\FireFox Portable
2008-03-31 17:16 . 2008-03-31 17:16 <DIR> d-------- C:\Program Files\Java Web Start
2008-03-31 17:16 . 2008-03-31 17:16 <DIR> d-------- C:\Documents and Settings\jmaho\.jpi_cache
2008-03-31 17:16 . 2008-03-31 17:16 <DIR> d-------- C:\Documents and Settings\jmaho\.javaws
2008-03-31 17:16 . 2008-03-31 17:16 <DIR> d-------- C:\Documents and Settings\jmaho\.java
2008-03-31 17:16 . 2002-08-29 09:10 229,479 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-03-31 17:15 . 2008-03-31 17:15 <DIR> d-------- C:\Program Files\Java
2008-03-24 11:57 . 2008-03-24 11:57 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 14:00 --------- d-----w C:\Documents and Settings\jmaho\Application Data\Maximizer
2008-03-31 07:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-06 04:59 --------- d-----w C:\Documents and Settings\jmaho\Application Data\Apple Computer
2007-08-22 00:47 190 ----a-w C:\Program Files\Common Files\psasetup.log
2007-08-16 23:20 6,148 ---ha-w C:\Program Files\.DS_Store
2005-10-14 01:47 151,552 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-04-20_20.20.49.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 10:16:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 12:58:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-20 10:17:00 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-20 10:53:57 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-20 10:17:00 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-20 10:53:57 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-20 10:17:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-20 10:53:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-06 13:57:20 55,802 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-20 10:20:18 55,802 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-06 13:57:20 389,510 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-20 10:20:18 389,510 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-20 12:33:00 7,516 ----a-w C:\WINDOWS\system32\wsnpoem\video.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{609133AE-C65D-43cf-8F8E-4DE2684F427F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-30 03:11 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SchedulingAgent"="mstinit.exe" [2004-06-09 05:59 10752 C:\WINDOWS\system32\mstinit.exe]
"SDJobCheck"="triggusr.exe" [2002-09-30 11:20 20480 C:\sysmgt\TNGSD\BIN\triggusr.exe]
"RRSLocal"="c:\SYSMGT\localise\localise.exe" [2005-10-24 10:00 339151]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:44 504080]
"TRIMAutoDeploy"="C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" [2005-03-18 07:31 129537]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-21 01:41 925696]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-11-29 07:25 98304]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-11-29 07:22 77824]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-11-29 07:25 118784]
"UAM"="C:\SYSMGT\TNGAM\Agents\UMCLIWNT.exe" [2003-08-01 16:21 663552]
"MiniMax"="C:\Program Files\MiniMax\Bin\CMTNF5500U.exe" [2005-06-09 15:32 229376]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 09:56 286720]
"BM43c701d6"="C:\WINDOWS\System32\gcqjrbfm.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-30 03:11 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader\reader_sl.exe [2005-09-23 22:35:26 29696]
MaxAlarm.lnk - C:\Program Files\Maximizer\MxAlarm.exe [2006-07-24 16:30:00 147456]
MaxExchange Remote.lnk - C:\Program Files\Maximizer\MaxExchange\Spdm.exe [2006-07-24 16:30:00 1757184]
MaxFinder.lnk - C:\Program Files\Maximizer\MxFinder.exe [2006-07-24 16:30:00 278528]
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\bin\w3dbsmgr.exe [2005-06-09 22:16:34 106546]
Telstra Turbo Modem Manager.lnk - C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe [2007-09-01 16:56:06 454656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"NoChangeAnimation"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxywvwt]
cbxywvwt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2926237862-3770063950-2320700579-41507\Scripts\Logon\0\0]
"Script"=\\prod.main.ntgov\netlogon\CompDesc.1.00.000.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2926237862-3770063950-2320700579-41507\Scripts\Logon\0\1]
"Script"=\\prod.main.ntgov\Netlogon\NTTC\asp.psb.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2926237862-3770063950-2320700579-41507\Scripts\Logon\0\2]
"Script"=\\prod.main.ntgov\netlogon\Global_Scripts.vbs

R1 Rp32Spin;Rp32Spin;C:\WINDOWS\System32\drivers\Rp32Spin.sys [2003-03-21 21:26]
R2 Rp32Wire;Rp32Wire;C:\WINDOWS\System32\drivers\Rp32Wire.sys [2003-03-21 21:26]
S2 LogWatch;Event Log Watch;C:\CA_LIC\LogWatNT.exe [2005-02-23 16:26]
S2 RCManClient;RCManClient;C:\sysmgt\tngrco\RCManClient.exe [2003-03-21 20:51]
S2 RCOService;Unicenter TNG RCO;C:\sysmgt\tngrco\RCOService.exe [2003-03-21 21:23]
S3 CA_LIC_CLNT;CA-License Client;"C:\CA_LIC\\lic98rmt.exe" [2005-03-23 14:47]
S3 CA_LIC_SRVR;CA-License Server;"C:\CA_LIC\\lic98rmtd.exe" [2005-03-23 14:46]
S3 cmusbnet;WAN Driver @ 3GPP (6280);C:\WINDOWS\System32\DRIVERS\cmusbnet.sys [2006-11-23 15:03]
S3 cmusbser;%CMUSBSER%;C:\WINDOWS\System32\DRIVERS\cmusbser.sys [2006-12-13 17:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 05:45:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 22:59:56
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Maximizer\MaxExchange\MaxExComHTTP.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-04-20 23:01:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 13:01:49
ComboFix2.txt 2008-04-20 10:22:15

Pre-Run: 49,840,999,936 bytes free
Post-Run: 49,828,882,944 bytes free

190

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:03, on 2008-04-20
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\MiniMax\Bin\CMTNF5500U.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Reader\reader_sl.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\Program Files\Maximizer\MaxExchange\Spdm.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe
C:\Program Files\Maximizer\MaxExchange\MaxExComHTTP.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\jmaho\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uluru.nt.gov.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uluru.nt.gov.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.nt.gov.au/ntgproxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {609133AE-C65D-43cf-8F8E-4DE2684F427F} - fowlr.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [RRSLocal] c:\SYSMGT\localise\localise.exe /s
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TRIMAutoDeploy] "C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" /S
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [UAM] C:\SYSMGT\TNGAM\Agents\UMCLIWNT.EXE US /EXTDEBUG /SILENT
O4 - HKLM\..\Run: [MiniMax] C:\Program Files\MiniMax\Bin\CMTNF5500U.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BM43c701d6] Rundll32.exe "C:\WINDOWS\System32\gcqjrbfm.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: MaxExchange Remote.lnk = C:\Program Files\Maximizer\MaxExchange\Spdm.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\bin\w3dbsmgr.exe
O4 - Global Startup: Telstra Turbo Modem Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206156670265
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O17 - HKLM\Software\..\Telephony: DomainName = prod.main.ntgov
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A583F3C-1211-43E5-9FCF-F154FDBEAB47}: NameServer = 155.205.50.3,155.205.7.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O20 - Winlogon Notify: cbxywvwt - cbxywvwt.dll (file missing)
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: CA-License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\\lic98rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\\lic98rmtd.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: RCManClient - Computer Associates International, Inc. - C:\sysmgt\tngrco\RCManClient.exe
O23 - Service: Unicenter TNG RCO (RCOService) - Computer Associates International, Inc. - C:\sysmgt\tngrco\RCOService.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE

--
End of file - 7782 bytes

#8 shandog24

shandog24
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:46 AM

Posted 20 April 2008 - 08:03 AM

I just reread your post and realised I need to let you know this. I can't do an OS reinstallation because this is my girlfriend's work computer and we don't have the required admin level. I'm happy to give it a go cleaning it as best as possible for the moment and I'll convince her to have one of her work technicians do the format and reinstallation.

#9 Markka

Markka

  • Members
  • 113 posts
  • OFFLINE
  • Local time:06:46 PM

Posted 20 April 2008 - 08:08 AM

Hi,

So we can finish cleaning this machine?

#10 shandog24

shandog24
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:46 AM

Posted 20 April 2008 - 08:52 AM

Yes please.

Thanks again for the help so far.

#11 Markka

Markka

  • Members
  • 113 posts
  • OFFLINE
  • Local time:06:46 PM

Posted 20 April 2008 - 09:59 AM

Hello :thumbsup:

Open HijackThis, click Do a system scan only, and checkmark these entries. Then close all other windows except HijackThis and press Fix checked.

O2 - BHO: Editor plugin - {609133AE-C65D-43cf-8F8E-4DE2684F427F} - fowlr.dll (file missing)
O4 - HKLM\..\Run: [BM43c701d6] Rundll32.exe "C:\WINDOWS\System32\gcqjrbfm.dll",s
O20 - Winlogon Notify: cbxywvwt - cbxywvwt.dll (file missing)

___________

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
___________

Post:
- A fresh HijackThis log
- Logfile of MBAM
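As an added illustration of the triage behind the three HijackThis lines Markka picked out above (example code written for this page, not anything Markka or BleepingComputer posted): a short Python script that reads HijackThis log lines and applies the review rules a helper is implicitly using: an O2/O3/O20 entry whose module is "(file missing)", any O20 Winlogon Notify DLL, and an O4 entry where Rundll32 loads a System32 DLL with a random-looking name. The sample lines are copied from the logs in this thread, with three known-good lines mixed in for contrast; the vowel-free-name heuristic and its six-letter threshold are my own assumption, not a HijackThis feature.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: six lines copied from the HijackThis logs in this thread
# (the three entries Markka told the poster to fix, plus three benign ones).
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {609133AE-C65D-43cf-8F8E-4DE2684F427F} - fowlr.dll (file missing)
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BM43c701d6] Rundll32.exe "C:\WINDOWS\System32\gcqjrbfm.dll",s
O20 - Winlogon Notify: cbxywvwt - cbxywvwt.dll (file missing)
"""

# HijackThis prefixes every entry with a section tag such as "O4 - ".
SECTION_RE = re.compile(r"^(?P<section>[ORF]\d+) - ")
# Matches "Rundll32.exe "<path>.dll"" with or without the quotes.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)', re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(filename: str) -> bool:
    """Heuristic (my assumption, not an HJT rule): a module stem of six or
    more letters with no vowel at all, e.g. gcqjrbfm or cbxywvwt."""
    stem = filename.lower().rsplit(".", 1)[0]
    return len(stem) >= 6 and stem.isalpha() and not (set(stem) & VOWELS)


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Apply three review rules to HijackThis lines and return what they flag."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section = m.group("section")

        # Rule 1: a BHO, toolbar or Winlogon Notify entry whose module is gone
        # is an orphaned loader; removing the entry cannot break anything.
        if "(file missing)" in line and section in ("O2", "O3", "O20"):
            findings.append(Finding(section, line, "entry points at a module that no longer exists"))
            continue

        # Rule 2: Winlogon Notify DLLs run at every logon, so a non-Microsoft
        # entry deserves a second look even when the file is present.
        if section == "O20":
            findings.append(Finding(section, line, "Winlogon Notify DLL: review even if present"))
            continue

        # Rule 3: rundll32 loading a System32 DLL with a vowel-free name is the
        # random-name pattern seen in this thread's logs.
        if section == "O4":
            rd = RUNDLL_RE.search(line)
            if rd:
                dll = rd.group("path").rsplit("\\", 1)[-1]
                if looks_random(dll):
                    findings.append(Finding(section, line, f"rundll32 loads {dll}, a random-looking DLL name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the sample, the script flags exactly the three lines Markka listed and leaves the Adobe, Intel and QuickTime entries alone. The rules are deliberately narrow: a short or vowel-containing name (hkcmd.exe, fowlr.dll) is not flagged by the name rule, so a real review still reads every O4 line rather than trusting the script.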

#12 shandog24

shandog24
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:46 AM

Posted 20 April 2008 - 11:31 AM

Done :thumbsup:

here are the logs (MBAM first then HJT):

Malwarebytes' Anti-Malware 1.11
Database version: 662

Scan type: Quick Scan
Objects scanned: 33985
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 18
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WINCTL32.DLL (Dialer) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3d87b50d-542a-45b6-96e9-f03cfaa8c962} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{3d87b50d-542a-45b6-96e9-f03cfaa8c962} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ceb9c60d-f0ad-4b73-a3ab-4fc822e38d66} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ceb9c60d-f0ad-4b73-a3ab-4fc822e38d66} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1601d447-7424-4866-8dcc-acf98a2a41e1} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c3c0ec2c-2c1c-495c-9ad0-1f0ef833d7b5} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mySearchAssistant (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MySidesearch (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xcsDd01 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xcsDd01\xcsDd011065.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINCTL32.DLL (Dialer) -> Delete on reboot.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:35, on 2008-04-21
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Lotus\Notes\ntmulti.exe
C:\sysmgt\tngrco\rp32u.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\MiniMax\Bin\CMTNF5500U.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Reader\reader_sl.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Application\ModemManager.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\IOMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Application\QMICM.exe
C:\Documents and Settings\jmaho\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uluru.nt.gov.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uluru.nt.gov.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.nt.gov.au/ntgproxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [RRSLocal] c:\SYSMGT\localise\localise.exe /s
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TRIMAutoDeploy] "C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" /S
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [UAM] C:\SYSMGT\TNGAM\Agents\UMCLIWNT.EXE US /EXTDEBUG /SILENT
O4 - HKLM\..\Run: [MiniMax] C:\Program Files\MiniMax\Bin\CMTNF5500U.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: MaxExchange Remote.lnk = C:\Program Files\Maximizer\MaxExchange\Spdm.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\bin\w3dbsmgr.exe
O4 - Global Startup: Telstra Turbo Modem Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206156670265
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O17 - HKLM\Software\..\Telephony: DomainName = prod.main.ntgov
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A583F3C-1211-43E5-9FCF-F154FDBEAB47}: NameServer = 155.205.50.3,155.205.7.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: CA-License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\\lic98rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\\lic98rmtd.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: RCManClient - Computer Associates International, Inc. - C:\sysmgt\tngrco\RCManClient.exe
O23 - Service: Unicenter TNG RCO (RCOService) - Computer Associates International, Inc. - C:\sysmgt\tngrco\RCOService.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE

--
End of file - 7785 bytes

#13 shandog24

shandog24
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:46 AM

Posted 20 April 2008 - 11:39 AM

Hello :thumbsup:

On restart now the following message pops up

Spdm.exe - Unable to locate component

This application has failed to start because WINCTL32.dll was not found. Reinstalling the application may fix this problem.


From what I can see, this executable file belongs to the program 'Maximizer', which is a legitimate installed program on this laptop.

Anyway, not trying to do your job for you, but I thought it was important to mention.

#14 Markka

Markka

  • Members
  • 113 posts
  • OFFLINE
  • Local time:06:46 PM

Posted 20 April 2008 - 12:45 PM

Hello :thumbsup:

Open MBAM -> Click on quarantine (tab) -> Check this file WINCTL32.dll and click 'restore'.
________________

Kaspersky online scanner works only with Internet Explorer!

Please run an online scanner with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Post:
- A fresh HijackThis log
- Kaspersky's report

#15 shandog24

shandog24
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:46 AM

Posted 20 April 2008 - 04:54 PM

Done :thumbsup:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 21, 2008 7:59:33 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/04/2008
Kaspersky Anti-Virus database records: 717511
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
L:\
M:\

Scan Statistics:
Total number of scanned objects: 56149
Number of viruses found: 6
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 01:06:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\QuickTime\INSTALL.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QuickTime\QuickTimeFavorites.qtr Object is locked skipped
C:\Documents and Settings\jmaho\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\jmaho\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\jmaho\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\jmaho\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jmaho\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jmaho\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\jmaho\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.dbf Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.ntx Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cbxywvwt.dll.vir Infected: Trojan.Win32.Agent.eek skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gcqjrbfm1.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iii.dll.vir Infected: Trojan.Win32.Agent.eek skipped
C:\System Volume Information\_restore{3DE7442E-46DF-47EF-A88D-92A221213498}\RP85\A0051282.exe Infected: Trojan-Downloader.Win32.Homles.bi skipped
C:\System Volume Information\_restore{3DE7442E-46DF-47EF-A88D-92A221213498}\RP86\A0051303.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{3DE7442E-46DF-47EF-A88D-92A221213498}\RP86\A0051304.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{3DE7442E-46DF-47EF-A88D-92A221213498}\RP86\A0051331.exe Infected: Trojan-Downloader.Win32.Homles.bi skipped
C:\System Volume Information\_restore{3DE7442E-46DF-47EF-A88D-92A221213498}\RP86\A0051332.exe Infected: Trojan-Downloader.Win32.Homles.bi skipped
C:\System Volume Information\_restore{3DE7442E-46DF-47EF-A88D-92A221213498}\RP90\A0051673.dll Infected: Trojan.Win32.Agent.eek skipped
C:\System Volume Information\_restore{3DE7442E-46DF-47EF-A88D-92A221213498}\RP90\A0051677.dll Infected: Trojan.Win32.Agent.eek skipped
C:\System Volume Information\_restore{3DE7442E-46DF-47EF-A88D-92A221213498}\RP90\A0051680.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{3DE7442E-46DF-47EF-A88D-92A221213498}\RP90\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\aaa Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wTmp\kmdmns2.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:00, on 2008-04-21
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\MiniMax\Bin\CMTNF5500U.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Application\ModemManager.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\IOMgr.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Application\QMICM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\FireFox Portable\App\firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\jmaho\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uluru.nt.gov.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uluru.nt.gov.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.nt.gov.au/ntgproxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [RRSLocal] c:\SYSMGT\localise\localise.exe /s
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TRIMAutoDeploy] "C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" /S
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [UAM] C:\SYSMGT\TNGAM\Agents\UMCLIWNT.EXE US /EXTDEBUG /SILENT
O4 - HKLM\..\Run: [MiniMax] C:\Program Files\MiniMax\Bin\CMTNF5500U.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: MaxExchange Remote.lnk = C:\Program Files\Maximizer\MaxExchange\Spdm.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\bin\w3dbsmgr.exe
O4 - Global Startup: Telstra Turbo Modem Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206156670265
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O17 - HKLM\Software\..\Telephony: DomainName = prod.main.ntgov
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A583F3C-1211-43E5-9FCF-F154FDBEAB47}: NameServer = 155.205.50.3,155.205.7.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.main.ntgov
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: CA-License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\\lic98rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\\lic98rmtd.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: RCManClient - Computer Associates International, Inc. - C:\sysmgt\tngrco\RCManClient.exe
O23 - Service: Unicenter TNG RCO (RCOService) - Computer Associates International, Inc. - C:\sysmgt\tngrco\RCOService.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\SYSMGT\TNGSD\BIN\SDSERV.EXE

--
End of file - 7852 bytes
