Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cannot Find What Is Causing Ie Popups


  • This topic is locked This topic is locked
4 replies to this topic

#1 Niteowl18

Niteowl18

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:35 PM

Posted 29 April 2008 - 07:17 PM

I have a few problems with this computer. I was getting the following message "Your computer is infected! Windows has detected spyware infection. It is recommended to use special antispyware tools to prevent data loss."

I ran the SmitfraudFix file and it seemed to fix that problem.

But I still have a problem where i keep getting new IE windows sending me to different websites.

I am running Trend Micro Internet Security, but it doesn't find anything

Any help would be greatly apprectiated.

Deckard's System Scanner v20071014.68
Run by cathy carey on 2008-04-29 18:57:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as cathy carey.exe) -----------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-29 18:57:20
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\WINDOWS\SYSTEM32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Documents and Settings\cathy carey\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {113BFC42-32A9-645B-FEBC-14A392F9F9BE} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: (no name) - {7BF67814-05C0-4175-8201-2A8BDAF0B259} - (no file)
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - (no file)
O2 - BHO: (no name) - {BF22666E-B067-4F4B-8155-1184277FE97B} - \
O2 - BHO: (no name) - {F8D7C038-5FFE-4998-913C-189C71782E18} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\SYSTEM32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201109571687
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://ts.dls.net/msrdp.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
O20 - Winlogon Notify: ssqqpnn - C:\WINDOWS\system32\ssqqpnn.dll (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\SYSTEM32\dlbtcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe


--
End of file - 6206 bytes

-- Files created between 2008-03-29 and 2008-04-29 -----------------------------

2008-04-29 18:01:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 18:01:56 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-29 17:28:15 0 dr-h----- C:\Documents and Settings\cathy carey\Recent
2008-04-29 17:20:49 0 d-------- C:\Program Files\CCleaner
2008-04-29 16:49:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-04-29 16:25:37 3454 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-29 14:10:48 0 d-------- C:\Documents and Settings\cathy carey\Application Data\AVGTOOLBAR
2008-04-22 14:16:04 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-16 08:38:37 13824 --a------ C:\NJnQ.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-29 17:08:18 0 d-------- C:\Program Files\Common Files
2008-04-29 17:00:05 0 d-------- C:\Program Files\MUSICMATCH
2008-04-29 16:57:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-17 06:55:49 0 --a------ C:\Documents and Settings\cathy carey\Application Data\88D7456F-2D0E-40AA-BDBC-7BC292A1FF1A_CONFIRM.cache
2008-04-16 08:43:06 33 --a------ C:\Documents and Settings\cathy carey\Application Data\install.ini
2008-03-01 13:48:33 0 d-------- C:\Program Files\Temporary


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{113BFC42-32A9-645B-FEBC-14A392F9F9BE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BF67814-05C0-4175-8201-2A8BDAF0B259}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF22666E-B067-4F4B-8155-1184277FE97B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8D7C038-5FFE-4998-913C-189C71782E18}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 05:59 AM C:\WINDOWS\BCMSMMSG.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 02:04 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 08:47 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/27/2004 02:03 AM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 02:01 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [11/10/2004 02:36 PM]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [11/09/2004 06:41 PM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 12:56 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [11/04/2006 09:26 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [12/16/2007 07:30 PM]

C:\Documents and Settings\cathy carey\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 2:36:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 2:36:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqo]
C:\WINDOWS\system32\awtqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqpnn]
ssqqpnn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-29 18:58:44 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
CPU 1: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 509.98 MiB / 174.74 MiB
Pagefile Memory (total/avail): 1246.59 MiB / 948.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.58 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.24 GiB total, 26.49 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400EB-75CPF0 - 37.27 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.24 GiB - C:

BC AdBot (Login to Remove)

 


m

#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 30 April 2008 - 11:55 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Please post that in your next reply with a fresh HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 Niteowl18

Niteowl18
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:35 PM

Posted 30 April 2008 - 11:25 PM

Thanks for working on this with me. So far after I ran combofix, I don't have anymore popups.


Here is the Log from the combofix and at the bottom is a new HijackThis Log

ComboFix 08-04-29.5 - cathy carey 2008-04-30 13:05:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.115 [GMT -5:00]
Running from: C:\Documents and Settings\cathy carey\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\cathy carey\Application Data\DOBE~1
C:\Documents and Settings\cathy carey\g2mdlhlpx.exe
C:\Program Files\Common Files\scurit~1
C:\Program Files\sks~1
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\temp\tn3
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\SYSTEM32\oqtwa.bak1
C:\WINDOWS\SYSTEM32\oqtwa.bak2
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\v8

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Legacy_DOMAINSERVICE
-------\Legacy_TNIDRIVER
-------\Service_core
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-29 18:30 . 2008-04-29 18:30 <DIR> d-------- C:\Deckard
2008-04-29 18:01 . 2008-04-29 18:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-29 18:01 . 2008-04-29 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-04-29 17:20 . 2008-04-29 17:20 <DIR> d-------- C:\Program Files\CCleaner
2008-04-29 16:49 . 2008-04-29 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg8
2008-04-29 16:25 . 2008-04-29 16:25 3,454 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-29 14:10 . 2008-04-29 15:57 <DIR> d-------- C:\Documents and Settings\cathy carey\Application Data\AVGTOOLBAR
2008-04-29 14:10 . 2008-04-29 15:57 <DIR> d-------- C:\DOCUME~1\CATHYC~1\APPLIC~1\AVGTOOLBAR
2008-04-22 14:16 . 2008-04-22 14:16 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-16 08:38 . 2008-04-16 08:38 13,824 --a------ C:\NJnQ.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 22:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SupportSoft
2008-04-29 22:00 --------- d-----w C:\Program Files\MUSICMATCH
2008-04-29 21:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 00:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 00:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 23:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-01-23 17:42 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{113BFC42-32A9-645B-FEBC-14A392F9F9BE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BF67814-05C0-4175-8201-2A8BDAF0B259}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF22666E-B067-4F4B-8155-1184277FE97B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8D7C038-5FFE-4998-913C-189C71782E18}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-11-04 21:26 1003520]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 19:30 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-01-27 02:03 151597]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 18:41 69632]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqo]
C:\WINDOWS\system32\awtqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqpnn]
ssqqpnn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-20 02:34]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 13:12:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-04-30 13:17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 18:17:26

Pre-Run: 28,419,555,328 bytes free
Post-Run: 28,410,560,512 bytes free

150 --- E O F --- 2008-04-09 08:06:06




Here is a new Hijack Log:

ComboFix 08-04-29.5 - cathy carey 2008-04-30 13:05:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.115 [GMT -5:00]
Running from: C:\Documents and Settings\cathy carey\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\cathy carey\Application Data\DOBE~1
C:\Documents and Settings\cathy carey\g2mdlhlpx.exe
C:\Program Files\Common Files\scurit~1
C:\Program Files\sks~1
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\temp\tn3
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\SYSTEM32\oqtwa.bak1
C:\WINDOWS\SYSTEM32\oqtwa.bak2
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\v8

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Legacy_DOMAINSERVICE
-------\Legacy_TNIDRIVER
-------\Service_core
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-29 18:30 . 2008-04-29 18:30 <DIR> d-------- C:\Deckard
2008-04-29 18:01 . 2008-04-29 18:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-29 18:01 . 2008-04-29 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-04-29 17:20 . 2008-04-29 17:20 <DIR> d-------- C:\Program Files\CCleaner
2008-04-29 16:49 . 2008-04-29 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg8
2008-04-29 16:25 . 2008-04-29 16:25 3,454 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-29 14:10 . 2008-04-29 15:57 <DIR> d-------- C:\Documents and Settings\cathy carey\Application Data\AVGTOOLBAR
2008-04-29 14:10 . 2008-04-29 15:57 <DIR> d-------- C:\DOCUME~1\CATHYC~1\APPLIC~1\AVGTOOLBAR
2008-04-22 14:16 . 2008-04-22 14:16 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-16 08:38 . 2008-04-16 08:38 13,824 --a------ C:\NJnQ.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 22:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SupportSoft
2008-04-29 22:00 --------- d-----w C:\Program Files\MUSICMATCH
2008-04-29 21:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 00:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 00:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 23:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-01-23 17:42 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{113BFC42-32A9-645B-FEBC-14A392F9F9BE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BF67814-05C0-4175-8201-2A8BDAF0B259}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF22666E-B067-4F4B-8155-1184277FE97B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8D7C038-5FFE-4998-913C-189C71782E18}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-11-04 21:26 1003520]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 19:30 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-01-27 02:03 151597]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 18:41 69632]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqo]
C:\WINDOWS\system32\awtqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqpnn]
ssqqpnn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-20 02:34]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 13:12:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-04-30 13:17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 18:17:26

Pre-Run: 28,419,555,328 bytes free
Post-Run: 28,410,560,512 bytes free

150 --- E O F --- 2008-04-09 08:06:06

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 02 May 2008 - 04:19 PM

I'm glad to hear that things are starting to look better, we do have some more that needs removing too, though.
Before we continue, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with Combofix and post back the new log, along with a HijackThis log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#5 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 25 May 2008 - 03:27 PM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users