Please Help With This Hjt Log....


  • This topic is locked
16 replies to this topic

#1 koolford1
  • Members
  • 12 posts

Posted 07 May 2008 - 02:25 PM

I had previously posted this request in the incorrect forum and wanted to provide a new log to coincide with a new topic. As per the mod's instructions, I downloaded the DSS and ran the log. The log is as follows:


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-07 15:11:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:34 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.dealerconnection.com/...CommunityID=203
O2 - BHO: (no name) - {0CDE9101-4FAF-49DD-85A7-F0ED99CF1E5F} - C:\WINDOWS\system32\cbxvwxuu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {510bc1f4-86d5-73ca-8204-e7122fac7548} - {8457caf2-217e-4028-ac37-5d684f1cb015} - C:\WINDOWS\system32\iwdentwc.dll
O4 - HKLM\..\Run: [BM77696926] Rundll32.exe "C:\WINDOWS\system32\plpahlct.dll",s
O4 - HKLM\..\Run: [745a5aba] rundll32.exe "C:\WINDOWS\system32\ibuximtx.dll",b
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://207.185.87.130/apps/common/includes...ONFIG-CHECK.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O20 - Winlogon Notify: pmnlljgh - pmnlljgh.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe

--
End of file - 3431 bytes

-- Files created between 2008-04-07 and 2008-05-07 -----------------------------

2008-05-07 08:00:22 2112 --a------ C:\WINDOWS\system32\krcxiosp.exe
2008-05-07 08:00:18 106560 -----n--- C:\WINDOWS\system32\iwdentwc.dll
2008-05-07 07:57:39 96832 -----n--- C:\WINDOWS\system32\ibuximtx.dll
2008-05-07 07:54:17 105024 -----n--- C:\WINDOWS\system32\plpahlct.dll
2008-05-07 07:48:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-05-06 16:59:09 426334 --ahs---- C:\WINDOWS\system32\uuxwvxbc.ini2
2008-05-06 13:33:50 0 d-------- C:\kav
2008-05-06 13:03:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 13:03:31 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 07:51:30 107584 -----n--- C:\WINDOWS\system32\vkgkqofv.dll
2008-05-05 07:49:09 96832 -----n--- C:\WINDOWS\system32\ptmkrmcd.dll
2008-05-05 07:49:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
2008-05-05 07:48:58 104000 -----n--- C:\WINDOWS\system32\mhtpyunn.dll
2008-04-30 16:22:00 0 d-------- C:\Program Files\Trend Micro
2008-04-30 07:46:16 104512 -----n--- C:\WINDOWS\system32\xnmgxxbi.dll
2008-04-29 16:44:40 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-04-29 16:44:27 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-29 15:15:15 0 d-------- C:\Program Files\MalwareAlarm
2008-04-29 07:46:18 104512 -----n--- C:\WINDOWS\system32\iobwnhia.dll
2008-04-18 10:37:49 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-04-18 08:45:20 0 d-------- C:\Program Files\Lavasoft
2008-04-18 08:45:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 08:44:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-16 17:21:40 109163 --a------ C:\WINDOWS\system32\hrbgcbtf.dll
2008-04-16 17:20:33 105642 --a------ C:\WINDOWS\system32\vseqjwcl.dll
2008-04-16 17:15:07 393677 -----n--- C:\WINDOWS\system32\cbxvwxuu.dll
2008-04-16 17:09:53 0 d-------- C:\WINDOWS\system32\xcsDd01


-- Find3M Report ---------------------------------------------------------------

2008-04-30 16:57:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-30 16:56:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-30 09:19:53 0 d-------- C:\Program Files\Digital Line Detect
2008-04-30 09:19:47 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-30 07:28:58 0 d-------- C:\Program Files\Symantec
2008-04-29 16:44:52 0 d-------- C:\Program Files\BillP Studios
2008-04-18 15:58:05 0 d-------- C:\Program Files\Network Associates
2008-04-18 08:44:42 0 d-------- C:\Program Files\Common Files
2008-04-14 09:11:02 36864 --a------ C:\WINDOWS\system32\FM20ENU.DLL <Not Verified; Microsoft Corporation; Microsoft® Forms>
2008-04-02 16:13:58 0 d-------- C:\Program Files\FDIS
2008-04-02 11:48:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Ford Digital Imaging
2008-04-02 11:47:24 0 d-------- C:\Program Files\Java
2008-04-02 10:45:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 10:40:57 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-15 09:07:44 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CDE9101-4FAF-49DD-85A7-F0ED99CF1E5F}]
04/16/2008 05:15 PM 393677 --------- C:\WINDOWS\system32\cbxvwxuu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8457caf2-217e-4028-ac37-5d684f1cb015}]
05/07/2008 08:00 AM 106560 --------- C:\WINDOWS\system32\iwdentwc.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{81705D67-3F73-4983-859B-97D0922E5ABE}"= C:\Program Files\Video Add-on\ictmdl.dll [ ]

[-HKEY_CLASSES_ROOT\CLSID\{81705D67-3F73-4983-859B-97D0922E5ABE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM77696926"="C:\WINDOWS\system32\plpahlct.dll" [05/07/2008 07:54 AM]
"745a5aba"="C:\WINDOWS\system32\ibuximtx.dll" [05/07/2008 07:57 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"= C:\WINDOWS\system32\pmnlljgh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 11/01/2004 01:50 PM 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlljgh]
pmnlljgh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\cbxvwxuu

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-05-07 15:12:18 ------------



Thanks in advance to any input------the rickster


#2 pskelley
  • Staff Emeritus
  • 1,487 posts

Posted 10 May 2008 - 04:11 PM

Welcome to Bleeping Computer, please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

You have not provided me with a lot of information? This looks like Vundo and I think you are hacked by Ukrainians: http://whois.domaintools.com/85.255.115.106

If you still need help, please do this:

1) Review the instructions posted above and pinned to the top of the forum.

2) Tell me about your problem, symptoms, error message? Post those "word for word"

3) Since the junk can download more, I suggest you stay offline except when troubleshooting until you are clean. This will also stop the hackers' access.

4) A few days have passed since your first post and malware can change quickly, post a new HJT log using Add Reply.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 koolford1
  • Topic Starter
  • Members
  • 12 posts

Posted 12 May 2008 - 07:05 AM

Thanks for the reply. My issue is def Malware. Pop-ups and redirects whenever IE is opened. Trend Micro scans will identify viruses, but not eliminate them. WinPatrol shows some suspicious programs but is unable to remove them as well. I ran McAfee in safe mode, and it will not identify any viruses.

Here is my latest HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:26 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.dealerconnection.com/...CommunityID=203
O4 - HKLM\..\Run: [745a5aba] rundll32.exe "C:\WINDOWS\system32\nsjatdbp.dll",b
O4 - HKLM\..\Run: [BM77696926] Rundll32.exe "C:\WINDOWS\system32\weinpxcc.dll",s
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://207.185.87.130/apps/common/includes...ONFIG-CHECK.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe

--
End of file - 2969 bytes

Thanks....rick

#4 pskelley
  • Staff Emeritus
  • 1,487 posts

Posted 12 May 2008 - 07:33 AM

Hi Rick, thanks for returning your HJT log and the feedback. Items are missing from this HJT log that were in the last one? If you are using HJT or another program to remove stuff, please do not. I need to see everything.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy. If this works for you, proceed like this and in the numbered order.

1) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT.exe, call it koolford1.exe, that will work. Hackers hide their junk from HJT and after a restart we may be able to see the infection.

2) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log.

(wait until you finish to post reports and logs)

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Post the report from Fixwareout, the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 koolford1
  • Topic Starter
  • Members
  • 12 posts

Posted 12 May 2008 - 08:20 AM

Thanks again for the speedy reply. I have not attempted to remove anything, but I did rename the file as per your instructions.

here is the combo-fix log:


ComboFix 08-05-11.1 - Administrator 2008-05-12 8:56:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.546 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\Program Files\Video Add-on
C:\Program Files\Video Add-on\ot.ico
C:\Program Files\Video Add-on\ts.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\auiduuvc.ini
C:\WINDOWS\system32\bsffejhv.dll
C:\WINDOWS\system32\bwkgdnct.dll
C:\WINDOWS\system32\caxhjmfh.ini
C:\WINDOWS\system32\cbxvwxuu.dll
C:\WINDOWS\system32\ecqhnfie.dll
C:\WINDOWS\system32\hiyxbwcx.dll
C:\WINDOWS\system32\hrbgcbtf.dll
C:\WINDOWS\system32\iaasmtbl.dll
C:\WINDOWS\system32\iobwnhia.dll
C:\WINDOWS\system32\iwdentwc.dll
C:\WINDOWS\system32\jdilwlpq.dll
C:\WINDOWS\system32\lpolmure.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhtpyunn.dll
C:\WINDOWS\system32\oxnfsdap.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\padsfnxo.ini
C:\WINDOWS\system32\pbdtajsn.ini
C:\WINDOWS\system32\plpahlct.dll
C:\WINDOWS\system32\ptmkrmcd.dll
C:\WINDOWS\system32\uupmqyji.dll
C:\WINDOWS\system32\uuxwvxbc.ini
C:\WINDOWS\system32\uuxwvxbc.ini2
C:\WINDOWS\system32\vdrntkir.dll
C:\WINDOWS\system32\vkgkqofv.dll
C:\WINDOWS\system32\vnmkvpmh.dll
C:\WINDOWS\system32\vseqjwcl.dll
C:\WINDOWS\system32\weinpxcc.dll
C:\WINDOWS\system32\xnmgxxbi.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 08:01 . 2008-05-12 08:01 2,112 --a------ C:\WINDOWS\system32\jprgkqsa.exe
2008-05-11 08:00 . 2008-05-11 08:00 2,112 --a------ C:\WINDOWS\system32\geuvlmvy.exe
2008-05-10 08:00 . 2008-05-10 08:00 2,112 --a------ C:\WINDOWS\system32\nocbdvrs.exe
2008-05-09 07:57 . 2008-05-09 07:57 2,112 --a------ C:\WINDOWS\system32\ebqwgiuh.exe
2008-05-08 13:18 . 2008-05-08 13:18 2,112 --a------ C:\WINDOWS\system32\piiknjwh.exe
2008-05-07 08:00 . 2008-05-07 08:00 2,112 --a------ C:\WINDOWS\system32\krcxiosp.exe
2008-05-07 07:48 . 2008-05-07 07:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-05-06 13:43 . 2008-05-06 13:43 <DIR> d-------- C:\Deckard
2008-05-06 13:33 . 2008-05-07 08:40 <DIR> d-------- C:\kav
2008-05-06 13:03 . 2008-05-06 13:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 13:03 . 2008-05-06 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-05 07:49 . 2008-05-07 10:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
2008-05-01 11:48 . 2008-04-18 10:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-30 17:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-30 17:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 16:22 . 2008-04-30 16:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 16:44 . 2008-04-29 16:44 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-29 16:44 . 1998-02-06 23:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-04-29 15:15 . 2008-04-30 10:17 <DIR> d-------- C:\Program Files\MalwareAlarm
2008-04-21 07:50 . 2008-05-12 07:54 109,709 --a------ C:\WINDOWS\BM77696926.xml
2008-04-18 10:37 . 2008-05-02 15:58 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-04-18 08:45 . 2008-04-18 08:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-18 08:45 . 2008-04-18 08:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 08:44 . 2008-04-18 08:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 16:48 . 2008-04-30 08:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-04-17 16:48 . 2008-04-30 08:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-04-16 17:09 . 2008-04-16 17:21 <DIR> d-------- C:\WINDOWS\system32\xcsDd01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 12:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-30 20:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-30 13:19 --------- d-----w C:\Program Files\Digital Line Detect
2008-04-30 13:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-30 11:28 --------- d-----w C:\Program Files\Symantec
2008-04-29 20:44 --------- d-----w C:\Program Files\BillP Studios
2008-04-18 19:58 --------- d-----w C:\Program Files\Network Associates
2008-04-02 20:13 --------- d-----w C:\Program Files\FDIS
2008-04-02 15:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ford Digital Imaging
2008-04-02 15:47 --------- d-----w C:\Program Files\Java
2008-04-02 14:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 14:40 --------- d-----w C:\Program Files\Common Files\InstallShield
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{81705D67-3F73-4983-859B-97D0922E5ABE}"= C:\Program Files\Video Add-on\ictmdl.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{81705d67-3f73-4983-859b-97d0922e5abe}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 13:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlljgh]
pmnlljgh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"<NO NAME>"=
"C:\\Program Files\\Common Files\\supportsoft\\bin\\sprtlisten.exe"=
"C:\\Program Files\\Common Files\\supportsoft\\bin\\ssrc.exe"=
"C:\\Program Files\\sda\\bin\\sprtcmd.exe"=
"C:\\Program Files\\sda\\bin\\tgshell.exe"=
"C:\\Program Files\\sda\\bin\\tgsrvc.exe"=
"C:\\kav\\kis\\setup.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\kav\\kav7\\setup.exe"=

R2 tgsrvc_sda;SupportSoft Repair Service (sda);C:\Program Files\sda\bin\tgsrvc.exe [2007-04-30 15:27]
S4 ProQuest Product License Manager;ProQuest Product License Manager;C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe [2006-11-20 10:37]
S4 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [2007-11-05 10:48]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 14:00:17 C:\WINDOWS\Tasks\Digital Imaging Archive Cleaner.job"
- C:\Program Files\FDIS\tools\CLEANARCHIVE.vbs
"2008-05-12 11:43:53 C:\WINDOWS\Tasks\Digital_Imaging_Auto_Updates.job"
- C:\Program Files\FDIS\updater.ex
- C:\Program Files\FDIS\.SYSTEM<This is an automatic updating tool for Ford Digital Imaging
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 09:02:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-12 9:04:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 13:04:25

Pre-Run: 28,794,294,272 bytes free
Post-Run: 28,714,303,488 bytes free

160 --- E O F --- 2008-05-12 07:00:22


The other logs I ran were lost because I did not save them before I ran the combo fix. A stupid mistake on my part, but I'm in the process of trying to work on one computer and fix the other one, so it is kind of nuts around here this morning---my apologies.........rick

#6 pskelley
  • Staff Emeritus
  • 1,487 posts

Posted 12 May 2008 - 08:36 AM

It is my suggestion that if you cannot concentrate completely on the repair of this computer, that you stop until you can.

I need to see the results of the Fixwareout report. It should be on your Desktop as: report.txt.
If it has been deleted, look here: C:\report.txt.
When you post it, also post the HJT log I request:

Post the report from Fixwareout, the combofix log and a new HJT log.


Thanks

Edited by pskelley, 12 May 2008 - 08:36 AM.
additional information

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#7 koolford1
  • Topic Starter
  • Members
  • 12 posts

Posted 12 May 2008 - 08:53 AM

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:53 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\koolford1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.dealerconnection.com/...CommunityID=203
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://207.185.87.130/apps/common/includes...ONFIG-CHECK.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O20 - Winlogon Notify: pmnlljgh - pmnlljgh.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe

--
End of file - 3298 bytes



Fixwareout log:



Username "Administrator" - 05/12/2008 9:09:42 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7541DC6C-3AA3-4D37-839B-AF133813107F}
"nameserver"="85.255.115.106,85.255.112.111" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Uniblue RegistryBooster 2"="C:\\Program Files\\Uniblue\\RegistryBooster 2\\RegistryBooster.exe /S"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


thanks...rick

#8 pskelley
  • Staff Emeritus
  • 1,487 posts

Posted 12 May 2008 - 09:18 AM

See this: http://research.sunbelt-software.com/threa...threatid=100005

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Start > Control Panel > Add Remove programs and uninstall MalwareAlarm if there.

3) Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\jprgkqsa.exe
C:\WINDOWS\system32\geuvlmvy.exe
C:\WINDOWS\system32\nocbdvrs.exe
C:\WINDOWS\system32\ebqwgiuh.exe
C:\WINDOWS\system32\piiknjwh.exe
C:\WINDOWS\system32\krcxiosp.exe

Folder::
C:\Program Files\MalwareAlarm

Save this as CFScript

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O20 - Winlogon Notify: pmnlljgh - pmnlljgh.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log, a new HJT log and some feedback from you. How is the computer running now?

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#9 koolford1

koolford1
  • Topic Starter

  • Members
  • 12 posts

Posted 12 May 2008 - 10:55 AM

Here is the new combo-fix log:

ComboFix 08-05-11.1 - Administrator 2008-05-12 11:45:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.597 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ebqwgiuh.exe
C:\WINDOWS\system32\geuvlmvy.exe
C:\WINDOWS\system32\jprgkqsa.exe
C:\WINDOWS\system32\krcxiosp.exe
C:\WINDOWS\system32\nocbdvrs.exe
C:\WINDOWS\system32\piiknjwh.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MalwareAlarm
C:\Program Files\MalwareAlarm\MalwareAlarm.lic
C:\Program Files\MalwareAlarm\Uninstall.exe
C:\WINDOWS\system32\ebqwgiuh.exe
C:\WINDOWS\system32\geuvlmvy.exe
C:\WINDOWS\system32\jprgkqsa.exe
C:\WINDOWS\system32\krcxiosp.exe
C:\WINDOWS\system32\nocbdvrs.exe
C:\WINDOWS\system32\piiknjwh.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-07 07:48 . 2008-05-07 07:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-05-06 13:43 . 2008-05-06 13:43 <DIR> d-------- C:\Deckard
2008-05-06 13:33 . 2008-05-07 08:40 <DIR> d-------- C:\kav
2008-05-06 13:03 . 2008-05-06 13:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 13:03 . 2008-05-06 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-05 07:49 . 2008-05-07 10:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
2008-05-01 11:48 . 2008-04-18 10:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-30 17:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-30 17:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 16:22 . 2008-04-30 16:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 16:44 . 2008-04-29 16:44 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-29 16:44 . 1998-02-06 23:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-04-21 07:50 . 2008-05-12 07:54 109,709 --a------ C:\WINDOWS\BM77696926.xml
2008-04-18 10:37 . 2008-05-02 15:58 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-04-18 08:45 . 2008-04-18 08:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-18 08:45 . 2008-04-18 08:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 08:44 . 2008-04-18 08:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 16:48 . 2008-04-30 08:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-04-17 16:48 . 2008-04-30 08:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-04-16 17:09 . 2008-04-16 17:21 <DIR> d-------- C:\WINDOWS\system32\xcsDd01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 12:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-30 20:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-30 13:19 --------- d-----w C:\Program Files\Digital Line Detect
2008-04-30 13:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-30 11:28 --------- d-----w C:\Program Files\Symantec
2008-04-29 20:44 --------- d-----w C:\Program Files\BillP Studios
2008-04-18 19:58 --------- d-----w C:\Program Files\Network Associates
2008-04-14 13:11 36,864 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
2008-04-02 20:13 --------- d-----w C:\Program Files\FDIS
2008-04-02 15:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ford Digital Imaging
2008-04-02 15:47 --------- d-----w C:\Program Files\Java
2008-04-02 14:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 14:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-12_ 9.04.07.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 13:00:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 13:10:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{81705D67-3F73-4983-859B-97D0922E5ABE}"= C:\Program Files\Video Add-on\ictmdl.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{81705d67-3f73-4983-859b-97d0922e5abe}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 13:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlljgh]
pmnlljgh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"<NO NAME>"=
"C:\\Program Files\\Common Files\\supportsoft\\bin\\sprtlisten.exe"=
"C:\\Program Files\\Common Files\\supportsoft\\bin\\ssrc.exe"=
"C:\\Program Files\\sda\\bin\\sprtcmd.exe"=
"C:\\Program Files\\sda\\bin\\tgshell.exe"=
"C:\\Program Files\\sda\\bin\\tgsrvc.exe"=
"C:\\kav\\kis\\setup.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\kav\\kav7\\setup.exe"=

R2 tgsrvc_sda;SupportSoft Repair Service (sda);C:\Program Files\sda\bin\tgsrvc.exe [2007-04-30 15:27]
S4 ProQuest Product License Manager;ProQuest Product License Manager;C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe [2006-11-20 10:37]
S4 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [2007-11-05 10:48]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

*Newly Created Service* - CATCHME
*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 14:00:15 C:\WINDOWS\Tasks\Digital Imaging Archive Cleaner.job"
- C:\Program Files\FDIS\tools\CLEANARCHIVE.vbs
"2008-05-12 11:43:53 C:\WINDOWS\Tasks\Digital_Imaging_Auto_Updates.job"
- C:\Program Files\FDIS\updater.ex
- C:\Program Files\FDIS\.SYSTEM<This is an automatic updating tool for Ford Digital Imaging
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 11:46:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-12 11:47:18
ComboFix-quarantined-files.txt 2008-05-12 15:47:13
ComboFix2.txt 2008-05-12 13:04:30

Pre-Run: 28,709,269,504 bytes free
Post-Run: 28,700,532,736 bytes free

140 --- E O F --- 2008-05-12 07:00:22




The new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:35 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Documents and Settings\Administrator\Desktop\ATF-Cleaner.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\koolford1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.dealerconnection.com/...CommunityID=203
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://207.185.87.130/apps/common/includes...ONFIG-CHECK.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O20 - Winlogon Notify: pmnlljgh - pmnlljgh.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe

--
End of file - 3345 bytes


I'll run another HJT scan and delete indicated files.....rick

#10 koolford1

koolford1
  • Topic Starter

  • Members
  • 12 posts

Posted 12 May 2008 - 11:19 AM

Here is the combo-fix log:


ComboFix 08-05-11.1 - Administrator 2008-05-12 12:05:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-07 07:48 . 2008-05-07 07:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-05-06 13:43 . 2008-05-06 13:43 <DIR> d-------- C:\Deckard
2008-05-06 13:33 . 2008-05-07 08:40 <DIR> d-------- C:\kav
2008-05-06 13:03 . 2008-05-06 13:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 13:03 . 2008-05-06 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-05 07:49 . 2008-05-07 10:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
2008-05-01 11:48 . 2008-04-18 10:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-30 17:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-30 17:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 16:22 . 2008-04-30 16:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 16:44 . 2008-04-29 16:44 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-29 16:44 . 1998-02-06 23:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-04-21 07:50 . 2008-05-12 07:54 109,709 --a------ C:\WINDOWS\BM77696926.xml
2008-04-18 10:37 . 2008-05-02 15:58 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-04-18 08:45 . 2008-04-18 08:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-18 08:45 . 2008-04-18 08:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 08:44 . 2008-04-18 08:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 16:48 . 2008-04-30 08:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-04-17 16:48 . 2008-04-30 08:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-04-16 17:09 . 2008-04-16 17:21 <DIR> d-------- C:\WINDOWS\system32\xcsDd01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 12:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-30 20:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-30 13:19 --------- d-----w C:\Program Files\Digital Line Detect
2008-04-30 13:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-30 11:28 --------- d-----w C:\Program Files\Symantec
2008-04-29 20:44 --------- d-----w C:\Program Files\BillP Studios
2008-04-18 19:58 --------- d-----w C:\Program Files\Network Associates
2008-04-14 13:11 36,864 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
2008-04-02 20:13 --------- d-----w C:\Program Files\FDIS
2008-04-02 15:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ford Digital Imaging
2008-04-02 15:47 --------- d-----w C:\Program Files\Java
2008-04-02 14:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 14:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-12_ 9.04.07.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 13:00:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 16:03:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{81705D67-3F73-4983-859B-97D0922E5ABE}"= C:\Program Files\Video Add-on\ictmdl.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{81705d67-3f73-4983-859b-97d0922e5abe}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 13:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"<NO NAME>"=
"C:\\Program Files\\Common Files\\supportsoft\\bin\\sprtlisten.exe"=
"C:\\Program Files\\Common Files\\supportsoft\\bin\\ssrc.exe"=
"C:\\Program Files\\sda\\bin\\sprtcmd.exe"=
"C:\\Program Files\\sda\\bin\\tgshell.exe"=
"C:\\Program Files\\sda\\bin\\tgsrvc.exe"=
"C:\\kav\\kis\\setup.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\kav\\kav7\\setup.exe"=

R2 tgsrvc_sda;SupportSoft Repair Service (sda);C:\Program Files\sda\bin\tgsrvc.exe [2007-04-30 15:27]
S4 ProQuest Product License Manager;ProQuest Product License Manager;C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe [2006-11-20 10:37]
S4 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [2007-11-05 10:48]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 14:00:15 C:\WINDOWS\Tasks\Digital Imaging Archive Cleaner.job"
- C:\Program Files\FDIS\tools\CLEANARCHIVE.vbs
"2008-05-12 11:43:53 C:\WINDOWS\Tasks\Digital_Imaging_Auto_Updates.job"
- C:\Program Files\FDIS\updater.ex
- C:\Program Files\FDIS\.SYSTEM<This is an automatic updating tool for Ford Digital Imaging
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 12:07:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-12 12:07:58
ComboFix-quarantined-files.txt 2008-05-12 16:07:53
ComboFix2.txt 2008-05-12 15:47:19
ComboFix3.txt 2008-05-12 13:04:30

Pre-Run: 28,720,971,776 bytes free
Post-Run: 28,703,707,136 bytes free

117 --- E O F --- 2008-05-12 07:00:22



New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:32 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\koolford1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.dealerconnection.com/...CommunityID=203
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://207.185.87.130/apps/common/includes...ONFIG-CHECK.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe

--
End of file - 3269 bytes



Now as requested, my feedback on the computer itself:

The speed of the computer is the same as or better than before the infection, and there are no more random pop-ups. I tried to do a search through Yahoo; the ad redirect is still present. I searched on "s-video cable" and clicked on the first listing. It redirected to a "results Yahoo" page. I used the browser to return to the search results and re-clicked the listing, which worked the second time. Also, when restarting the computer, a "new hardware found" box opens and states that hardware is found. I used Task Manager to close it, and the toolbar stated the new hardware install failed and it may not be usable.

Thanks again for your assistance....rick

#11 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 12 May 2008 - 11:56 AM

Are you sure you removed from HJT what I said to remove? Leftovers from the hijack are still in the log.

Try this again:
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Restart, if the items are not gone, run Fixwareout again and try to remove them with HJT.

Once we are sure all of the malware is removed, we will see what can be done with other issues. If those lines are gone in the next HJT log, then see this:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

Posted Image

Posted Image

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
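As an added example, not code from this thread or from any of the tools used in it: a small Python checker for the two signs pskelley points at in posts #8 and #11, a per-interface O17 NameServer value that is not on a trusted list, and an O20 Winlogon Notify hook whose DLL is reported "(file missing)", plus a comparison showing which flagged lines survive into a later log. The trusted nameserver values and the two log excerpts are constructed for the example (the O17/O20 lines are copied from the logs posted above).

```python
"""Flag the hijack signs discussed in this thread in HijackThis (HJT) log text.

Two HJT line types are checked:
  * O17 - per-interface NameServer values (the DNS hijack Fixwareout cleared)
  * O20 - Winlogon Notify hooks whose DLL is "(file missing)", i.e. a
    registry load point left behind after the file itself was removed
A second pass compares two logs to show which flagged lines survived a fix.
"""
import re
from ipaddress import ip_address

# DNS servers this machine is expected to use. Constructed values for the
# example; a real allowlist would hold the ISP or corporate resolvers.
TRUSTED_NAMESERVERS = {"192.168.1.1", "192.168.1.2"}

# "O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[0-9a-fA-F:.,]+)\s*$")
# "O20 - Winlogon Notify: name - path\to.dll (file missing)"  (suffix optional)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?\s*$"
)


def is_untrusted_nameserver(server: str) -> bool:
    """True unless the value is a well-formed IP address on the trusted list."""
    try:
        ip_address(server)
    except ValueError:
        return True  # not even an address: report it
    return server not in TRUSTED_NAMESERVERS


def find_findings(log_text: str) -> list[tuple[str, str]]:
    """Return (category, line) pairs for every suspect O17/O20 entry in the log."""
    findings: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            servers = m["servers"].split(",")
            if any(is_untrusted_nameserver(s) for s in servers):
                findings.append(("O17-untrusted-nameserver", line))
            continue
        m = O20_RE.match(line)
        if m and m["missing"]:
            findings.append(("O20-orphaned-winlogon-notify", line))
    return findings


def leftovers(before_log: str, after_log: str) -> list[str]:
    """Flagged lines from the earlier log that are still present in the later one."""
    before = {line for _, line in find_findings(before_log)}
    after = {line for _, line in find_findings(after_log)}
    return sorted(before & after)


# Constructed excerpts: the O17/O20 lines are the ones posted in this thread,
# the surrounding lines are a minimal HJT skeleton.
LOG_BEFORE_FIX = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O20 - Winlogon Notify: pmnlljgh - pmnlljgh.dll (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
"""

LOG_AFTER_FIX = r"""
Logfile of Trend Micro HijackThis v2.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
"""


if __name__ == "__main__":
    for category, line in find_findings(LOG_BEFORE_FIX):
        print(f"{category}: {line}")
    print("still present after fix:")
    for line in leftovers(LOG_BEFORE_FIX, LOG_AFTER_FIX):
        print("  " + line)
```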

#12 koolford1

koolford1
  • Topic Starter

  • Members
  • 12 posts

Posted 12 May 2008 - 12:01 PM

When I did the scan, only 1 of the "hklm" files was there. I'll repeat the procedure, follow the rest of your instructions and post the log results....rick

#13 koolford1

koolford1
  • Topic Starter

  • Members
  • 12 posts

Posted 12 May 2008 - 01:17 PM

Second attempt to remove notated files done. Re-checked with HJT, and just one item returned. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:31 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\koolford1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.dealerconnection.com/...CommunityID=203
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://207.185.87.130/apps/common/includes...ONFIG-CHECK.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe

--
End of file - 3160 bytes


And in regards to the combo fix question, I do have the needed CDs, so I will not be downloading the application in the link...thanks...rick

#14 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 12 May 2008 - 01:55 PM

OK Rick, I understand you do not need to install RC, but we must get that junk out of your HJT log. As I proceed, I want to suggest that you update to Internet Explorer 7 if only for the additional security it offers:
http://www.microsoft.com/windows/products/...ie/default.mspx

1) Please download FixWareout from one of these sites:
(unless you still have it)
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log.

(wait until you finish to post the report and log)

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Remove combofix and the C:\Qoobox\Quarantine\ folder from your computer.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here along with a new HJT log.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
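A defender-side check for the O17 item that step 2 above tells the user to fix, added here as an example and not part of the helper's post or of HijackThis itself: it parses HijackThis item lines and flags any O17 NameServer address that is not in an allow-list of the resolvers the machine is expected to use. The allow-list networks are hypothetical, and the sample log is constructed from the O17 line quoted above plus two benign entries in the same format.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log: the O17 line from the post above plus two benign
# entries written in the same HijackThis item format.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O17 - HKLM\System\CCS\Services\Tcpip\..\{7541DC6C-3AA3-4D37-839B-AF133813107F}: NameServer = 85.255.115.106,85.255.112.111
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# Hypothetical allow-list: networks the organisation's DNS resolvers live in.
EXPECTED_RESOLVERS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]

# HijackThis items look like "R1 - ...", "O4 - ...", "O17 - ...", "O23 - ..."
HJT_ENTRY = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# O17 bodies end with "NameServer = a.b.c.d[,e.f.g.h...]"
O17_NAMESERVER = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")


def parse_hjt(text):
    """Return (section, body) pairs for each item line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def suspicious_nameservers(entries, allowed=EXPECTED_RESOLVERS):
    """Return every O17 NameServer address that is outside the allow-list.

    A DNS hijack shows up as an O17 item pointing at resolvers the machine
    should not be using; anything that fails to parse is reported as well so
    it is not silently ignored.
    """
    flagged = []
    for section, body in entries:
        if section != "O17":
            continue
        m = O17_NAMESERVER.search(body)
        if not m:
            continue
        for raw in m.group("servers").split(","):
            raw = raw.strip()
            if not raw:
                continue
            try:
                addr = ip_address(raw)
            except ValueError:
                flagged.append(raw)
                continue
            if not any(addr in net for net in allowed):
                flagged.append(raw)
    return flagged


if __name__ == "__main__":
    for server in suspicious_nameservers(parse_hjt(SAMPLE_HJT_LOG)):
        print("O17 NameServer outside expected resolvers:", server)
```

Run against the sample, both addresses in the quoted O17 line are reported; an O17 item whose resolvers sit inside the allow-list produces no output.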

#15 koolford1


Posted 12 May 2008 - 04:16 PM

Ok. The scan did take a while, but it found some more problem areas. Here is the log:


KASPERSKY ONLINE SCANNER REPORT
Monday, May 12, 2008 5:10:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/05/2008
Kaspersky Anti-Virus database records: 682847


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 246888
Number of viruses found 13
Number of infected objects 78
Number of suspicious objects 0
Duration of the scan process 01:59:17

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\afmqfsfc.dll.bac_a01332 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\aqnbkrqa.dll.bac_a01332 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\axicwggu.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\cjqdxdnj.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\cpqccotr.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ctkkiiaw.dll.bac_a03568 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\eiqckaie.dll.bac_a02064 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\gdmfnroq.dll.bac_a03496 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\hatbbmxm.dll.bac_a02064 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\iobwnhia.dll.bac_a02064 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\jegadbpy.dll.bac_a03568 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\jmesqjxq.dll.bac_a03568 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\kqmuijdu.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\lmtdmols.dll.bac_a02064 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\mcwjkkcd.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\meapyktj.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\pdwnihhb.dll.bac_a03496 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\qbdanmvp.dll.bac_a01232 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\skqosbju.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\skvbfeea.dll.bac_a01232 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\sorhvfhe.dll.bac_a03568 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\sucsdptn.dll.bac_a01232 Infected: Trojan.Win32.Monder.an skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\tmmptipx.dll.bac_a02064 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\vooqcmby.dll.bac_a02064 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xlgondyw.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xnmgxxbi.dll.bac_a01332 Infected: Trojan.Win32.Monder.an skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\yaielpok.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ybhmxejp.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ybjyuoli.dll.bac_a02064 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\yphrbcaq.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\yxjmmtym.dll.bac_a04084 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\afbxggqy.dll.bac_a05784 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\alugjkgh.dll.bac_a05784 Infected: Trojan.Win32.Monder.cz skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\ebmykjih.dll.bac_a05784 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\fpnuvcwv.dll.bac_a05784 Infected: Trojan.Win32.Monder.da skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\gmsdclen.dll.bac_a02188 Infected: Trojan.Win32.Monder.dd skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\ibuximtx.dll.bac_a02300 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\iwdentwc.dll.bac_a02300 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\kowrgirg.dll.bac_a05784 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\mhtpyunn.dll.bac_a05784 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\noslrdei.dll.bac_a05784 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\plpahlct.dll.bac_a02300 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\ptmkrmcd.dll.bac_a05784 Infected: Trojan.Win32.Monder.db skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\rvyoppfb.dll.bac_a02188 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\suiujloc.dll.bac_a02188 Infected: Trojan.Win32.Monder.dc skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\vkgkqofv.dll.bac_a05784 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\vqiatwff.dll.bac_a05784 Infected: Trojan.Win32.Monder.cy skipped

C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6\Backup\webinst.dll.bac_a05784 Infected: Trojan-Downloader.Win32.FraudLoad.tv skipped

C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008051220080513\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080512_Time-150431328_EnterceptExceptions.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080512_Time-150431328_EnterceptRules.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_D27T04B1.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_D27T04B1.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\bsffejhv.dll.vir Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\hiyxbwcx.dll.vir Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\hrbgcbtf.dll.vir Infected: Trojan.Win32.Zapchast.gc skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\iaasmtbl.dll.vir Infected: Trojan.Win32.Monder.de skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\iobwnhia.dll.vir Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\iwdentwc.dll.vir Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\lpolmure.dll.vir Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\mhtpyunn.dll.vir Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\plpahlct.dll.vir Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ptmkrmcd.dll.vir Infected: Trojan.Win32.Monder.db skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vkgkqofv.dll.vir Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vseqjwcl.dll.vir Infected: Trojan.Win32.Zapchast.gb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\xnmgxxbi.dll.vir Infected: Trojan.Win32.Monder.an skipped

C:\QooBox\Quarantine\catchme2008-05-12_ 85914.03.zip/cbxvwxuu.dll Infected: Trojan.Win32.Zapchast.gb skipped

C:\QooBox\Quarantine\catchme2008-05-12_ 85914.03.zip ZIP: infected - 1 skipped

C:\quarantine\Av-test.txt.Vir Object is locked skipped

C:\quarantine\Av-test.txt.Vir.0 Object is locked skipped

C:\quarantine\Av-test.txt.Vir.1 Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000213.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000216.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000217.dll Infected: Trojan.Win32.Zapchast.gc skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000218.dll Infected: Trojan.Win32.Monder.de skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000219.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000220.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000222.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000223.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000225.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000226.dll Infected: Trojan.Win32.Monder.db skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000229.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000231.dll Infected: Trojan.Win32.Zapchast.gb skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0000233.dll Infected: Trojan.Win32.Monder.an skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP11\change.log Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000107.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP9\A0000165.dll Infected: Trojan.Win32.Monder.df skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped


And here is the latest HJT log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:53 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\koolford1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.dealerconnection.com/...CommunityID=203
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://207.185.87.130/apps/common/includes...ONFIG-CHECK.CAB
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - c:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe

--
End of file - 2987 bytes



I am off the clock at this point, but I'll be checking in first thing in the morning---8:00 am est. Thanks for all your help and effort, I really appreciate it. And I think progress is being made, so with that, I'll catch you in the A.M. ..........rick



