
Antispywaremaster Infection And Possibly More!


This topic is locked. 6 replies to this topic.

#1 xunkn0vvnx
  • Members
  • 42 posts

Posted 17 June 2008 - 09:31 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:03 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\blp\API\OFFICE~1\Bloomberg.UIServer.exe
C:\blp\API\OFFICE~1\Bloomberg.RtdServer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\mslatest_updt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BM0b257f0c] Rundll32.exe "C:\WINDOWS\system32\tkgaenwq.dll",s
O4 - HKLM\..\Run: [08164c90] rundll32.exe "C:\WINDOWS\system32\sdtbpyfy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CLRHost] C:\blp\API\OFFICE~1\bbxlcmd.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8637 bytes
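Added example, not part of the thread and not HijackThis or ComboFix code: a small Python triage script that applies the same reading a responder gives the O4 (Run-key) lines in the log above. The sample lines are copied from this post; the three heuristics (a DLL with a random-looking eight-letter stem launched from system32 via rundll32, a Run value whose name is a bare hex token, and a name invoking Microsoft or Windows Update whose binary is not a Windows Update client) and the `WU_BINARIES` allow-list are assumptions of this example, not a published rule set. The two rundll32 DLLs it flags, tkgaenwq.dll and sdtbpyfy.dll, are the ones that show up in ComboFix's "Other Deletions" list later in the thread.

```python
"""Triage O4 (Run-key) entries from a HijackThis v2 log.

Constructed example: SAMPLE_LOG is a subset of the O4 lines posted in this
thread; the heuristics below are assumptions of this example, not rules
shipped with HijackThis.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input, copied from the first post's O4 section.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\mslatest_updt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BM0b257f0c] Rundll32.exe "C:\WINDOWS\system32\tkgaenwq.dll",s
O4 - HKLM\..\Run: [08164c90] rundll32.exe "C:\WINDOWS\system32\sdtbpyfy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# rundll32[.exe] "<path>.dll",<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r'^[a-z]{8}$')               # e.g. tkgaenwq (assumed heuristic)
HEX_TOKEN_RE = re.compile(r'^[A-Za-z]{0,2}[0-9a-f]{8}$')  # e.g. BM0b257f0c, 08164c90
IMPERSONATION_RE = re.compile(r'(microsoft|windows\s*update|winupdate)', re.IGNORECASE)
# Assumed allow-list: binaries that may legitimately carry a Windows Update-style name.
WU_BINARIES = {"wuauclt.exe", "wupdmgr.exe"}


@dataclass
class RunEntry:
    hive: str
    name: str
    cmd: str


@dataclass
class Finding:
    name: str
    cmd: str
    reasons: List[str] = field(default_factory=list)


def parse_o4(log: str) -> List[RunEntry]:
    """Return every O4 Run-key line in the log as a RunEntry."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(**m.groupdict()))
    return entries


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def _primary_exe(cmd: str) -> str:
    """First token of the command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def assess(entry: RunEntry) -> Finding:
    """Apply the three heuristics to one entry; reasons stays empty if it looks benign."""
    f = Finding(entry.name, entry.cmd)
    rd = RUNDLL_RE.match(entry.cmd.strip())
    if rd:
        dll = rd.group("dll")
        stem = _basename(dll).rsplit(".", 1)[0]
        if "system32" in dll.lower() and RANDOM_STEM_RE.match(stem):
            f.reasons.append(f"rundll32 loads random-named DLL from system32: {stem}.dll")
    if HEX_TOKEN_RE.match(entry.name):
        f.reasons.append("Run value name is a bare hex token")
    if IMPERSONATION_RE.search(entry.name) and _basename(_primary_exe(entry.cmd)) not in WU_BINARIES:
        f.reasons.append("name mimics Microsoft/Windows Update but binary is not a Windows Update client")
    return f


def triage(log: str) -> List[Finding]:
    """Only the entries that tripped at least one heuristic."""
    return [f for f in (assess(e) for e in parse_o4(log)) if f.reasons]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.name}] {finding.cmd}")
        for reason in finding.reasons:
            print("   -", reason)
```

Run it as-is to see the three flagged entries; feed it a whole HijackThis log to triage the O4 section of a different machine. The heuristics are deliberately narrow so that AVG, Office, Java and ctfmon entries pass untouched; widen them only with a matching allow-list, or legitimate vendor entries with odd names will start showing up.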


#2 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 June 2008 - 02:54 PM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 xunkn0vvnx
  • Topic Starter
  • Members
  • 42 posts

Posted 17 June 2008 - 06:19 PM

ComboFix 08-06-16.5 - Jeff 2008-06-17 16:08:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1362 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM0b257f0c.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acKlSvut.ini
C:\WINDOWS\system32\acKlSvut.ini2
C:\WINDOWS\system32\edgfdsbu.dll
C:\WINDOWS\system32\efcDVmlI.dll
C:\WINDOWS\system32\ehiiQqss.ini
C:\WINDOWS\system32\ehiiQqss.ini2
C:\WINDOWS\system32\fvoijiro.dll
C:\WINDOWS\system32\ixynyrkk.dll
C:\WINDOWS\system32\mrjqqecu.dll
C:\WINDOWS\system32\mvsifopb.dll
C:\WINDOWS\system32\ndglckgk.ini
C:\WINDOWS\system32\nsghhwkb.dll
C:\WINDOWS\system32\pxqymamh.ini
C:\WINDOWS\system32\rqqyjrrg.dll
C:\WINDOWS\system32\rqubkeig.dll
C:\WINDOWS\system32\ryrnebld.ini
C:\WINDOWS\system32\sdtbpyfy.dll
C:\WINDOWS\system32\tkgaenwq.dll
C:\WINDOWS\system32\tuvSlKca.dll
C:\WINDOWS\system32\uceqqjrm.ini
C:\WINDOWS\system32\wwerjxsu.ini
C:\WINDOWS\system32\xfpidhfa.dll
C:\WINDOWS\system32\yfypbtds.ini
C:\WINDOWS\system32\ynpusfqc.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 15:30 . 2008-06-17 15:30 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-17 08:57 . 2008-06-17 08:57 <DIR> d-------- C:\Job Search
2008-06-17 07:43 . 2008-06-17 07:43 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-16 23:52 . 2008-06-16 23:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 22:53 . 2008-06-16 22:53 <DIR> d-------- C:\WINDOWS\Sun
2008-06-16 22:41 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 22:40 . 2008-06-16 22:41 <DIR> d-------- C:\Program Files\Java
2008-06-16 22:39 . 2008-06-16 22:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-16 17:13 . 2008-06-16 17:17 <DIR> d-------- C:\Program Files\Google
2008-06-16 17:13 . 2008-06-16 23:04 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-06-15 16:45 . 2008-06-15 16:45 <DIR> d-------- C:\22bdd4e95071ca9808c695
2008-06-15 16:29 . 2008-06-15 16:29 <DIR> d-------- C:\Documents and Settings\Techie\Application Data\Nero
2008-06-15 16:29 . 2001-08-17 12:19 40,704 --a------ C:\WINDOWS\system32\drivers\es1371mp.sys
2008-06-15 16:29 . 2001-08-17 12:19 40,704 --a--c--- C:\WINDOWS\system32\dllcache\es1371mp.sys
2008-06-15 05:13 . 2008-06-15 05:13 <DIR> d-------- C:\temp\ext18866
2008-06-15 05:13 . 2008-06-15 05:13 <DIR> d-------- C:\temp
2008-06-15 05:13 . 2008-06-15 05:13 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-14 16:24 . 2008-06-14 16:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe Systems
2008-06-14 16:23 . 2008-06-14 16:23 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-14 15:20 . 2008-06-14 15:20 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-06-14 15:17 . 2008-06-14 15:17 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Nero
2008-06-14 15:09 . 2008-06-14 15:09 <DIR> d-------- C:\Program Files\Nero
2008-06-14 15:09 . 2008-06-14 15:11 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-06-14 15:09 . 2008-06-14 15:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2008-06-13 13:35 . 2008-06-17 08:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Bloomberg
2008-06-13 12:46 . 2008-06-13 12:46 <DIR> d--h----- C:\BJPrinter
2008-06-13 12:46 . 2001-08-07 05:00 94,720 --a------ C:\WINDOWS\system32\CNMLM3e.DLL
2008-06-13 12:46 . 2001-08-01 15:46 36,864 --a------ C:\WINDOWS\system32\CNMCP3E.EXE
2008-06-13 12:46 . 2001-08-07 05:00 5,632 --a------ C:\WINDOWS\system32\CNMVS3e.DLL
2008-06-13 11:44 . 2008-06-13 11:51 <DIR> d-------- C:\blp
2008-06-13 11:16 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-13 11:16 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-06-12 00:34 . 2008-06-12 00:34 <DIR> d-------- C:\Techie
2008-06-12 00:34 . 2008-06-12 00:34 <DIR> d-------- C:\TechGoGreen
2008-06-12 00:34 . 2008-06-12 00:34 <DIR> d-------- C:\Reylesnis
2008-06-12 00:34 . 2008-06-13 14:19 <DIR> d-------- C:\Real Estate
2008-06-12 00:34 . 2008-06-17 15:48 <DIR> d-------- C:\Manila Thrilla
2008-06-12 00:34 . 2008-06-12 00:34 <DIR> d-------- C:\Maganis Wealth Management
2008-06-12 00:21 . 2008-06-14 14:58 <DIR> d-------- C:\Jeffs Stuff
2008-06-12 00:19 . 2008-06-12 00:20 <DIR> d-------- C:\JCM First Venture
2008-06-12 00:15 . 2008-06-13 11:27 <DIR> d-------- C:\Ebay - Craigslist
2008-06-12 00:15 . 2008-06-12 00:19 <DIR> d-------- C:\8525 Backup
2008-06-12 00:14 . 2008-06-12 01:17 <DIR> d-------- C:\Digital Camera Pictures
2008-06-11 19:18 . 2008-06-11 19:18 <DIR> d-------- C:\Program Files\MSBuild
2008-06-11 19:18 . 2008-06-11 19:18 <DIR> d-------- C:\Program Files\Microsoft Works
2008-06-11 19:16 . 2008-06-11 19:16 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-11 19:13 . 2008-06-11 19:13 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-06-11 19:12 . 2008-06-11 19:17 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-06-11 19:11 . 2008-06-11 19:11 <DIR> dr-h----- C:\MSOCache
2008-06-11 18:50 . 2008-06-11 18:50 <DIR> d-------- C:\Documents and Settings\Techie\Application Data\Windows Desktop Search
2008-06-11 16:12 . 2008-06-11 16:12 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-11 15:57 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-11 15:54 . 2008-06-17 15:35 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-06-11 15:19 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-11 15:19 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-06-11 15:19 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-11 13:58 . 2008-06-17 14:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-11 13:48 . 2008-06-11 13:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2008-06-11 13:18 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-06-11 13:06 . 2008-06-12 23:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-06-11 13:03 . 2008-04-22 21:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-11 13:03 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-11 13:03 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-11 13:03 . 2008-04-22 21:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-11 13:03 . 2008-04-22 21:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-11 13:03 . 2008-04-22 21:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-11 13:03 . 2008-04-22 21:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-11 13:03 . 2008-04-22 21:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-11 13:03 . 2008-04-22 00:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-11 02:43 . 2008-06-11 02:43 <DIR> d-------- C:\Program Files\Soulseek
2008-06-11 02:40 . 2008-06-17 16:05 <DIR> d-------- C:\Downloads
2008-06-11 02:38 . 2008-06-11 02:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-11 02:38 . 2008-06-11 02:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-11 02:37 . 2008-06-16 08:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-11 02:37 . 2008-06-11 02:37 <DIR> d-------- C:\Program Files\AVG
2008-06-11 02:37 . 2008-06-11 02:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-06-11 02:37 . 2008-06-11 02:37 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-11 02:35 . 2008-06-11 02:35 <DIR> d-------- C:\Program Files\uTorrent
2008-06-11 02:35 . 2008-06-16 11:22 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\uTorrent
2008-06-11 02:33 . 2008-06-11 02:33 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-11 02:33 . 2005-10-20 18:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-06-11 02:33 . 2005-10-20 18:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-06-11 02:29 . 2008-06-11 02:29 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software
2008-06-11 02:29 . 2008-06-11 02:34 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2008-06-11 02:29 . 2008-06-11 02:29 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Intuit
2008-06-11 02:29 . 2007-07-26 17:13 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
2008-06-11 02:29 . 2007-07-26 17:13 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
2008-06-11 02:28 . 2008-06-11 02:35 <DIR> d-------- C:\Program Files\Quicken
2008-06-11 02:28 . 2008-06-11 02:28 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-06-11 02:28 . 2008-06-11 02:28 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Intuit
2008-06-11 02:28 . 2008-06-11 02:37 165 --a------ C:\WINDOWS\QUICKEN.INI
2008-06-11 02:19 . 2008-06-11 02:19 <DIR> d-------- C:\Program Files\QuickTime
2008-06-11 02:19 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-06-11 02:19 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-06-11 02:11 . 2008-06-11 02:11 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-11 02:08 . 2008-06-17 15:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-06-11 02:08 . 2008-06-11 02:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\acccore
2008-06-11 02:07 . 2008-06-11 02:07 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-11 02:07 . 2008-06-11 02:08 <DIR> d-------- C:\Program Files\AIM6
2008-06-11 02:07 . 2008-06-11 02:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL OCP
2008-06-11 02:07 . 2008-06-11 02:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2008-06-11 02:06 . 2008-06-14 16:19 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-11 02:06 . 2008-06-11 02:08 427 --ah----- C:\IPH.PH
2008-06-11 02:03 . 2008-06-11 02:03 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-11 02:02 . 2008-06-11 02:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-11 02:02 . 2008-06-11 02:03 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-11 01:58 . 2008-06-11 01:58 376 --a------ C:\WINDOWS\ODBC.INI
2008-06-11 01:57 . 2008-06-11 01:57 <DIR> d-------- C:\Program Files\ScottradeELITE
2008-06-11 01:56 . 2008-06-11 01:56 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Microsoft Web Folders
2008-06-10 17:51 . 2008-06-10 17:51 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\atitray
2008-06-10 17:18 . 2008-06-10 17:18 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\ATI
2008-06-10 15:58 . 2008-06-11 15:09 56,488 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-10 15:24 . 2008-06-10 15:24 <DIR> d-------- C:\Documents and Settings\Techie\Application Data\atitray
2008-06-10 15:23 . 2008-06-10 15:23 <DIR> d-------- C:\Program Files\Ray Adams
2008-06-10 15:20 . 2008-06-10 15:20 <DIR> d-------- C:\Documents and Settings\Techie\Application Data\ATI
2008-06-10 15:16 . 2008-06-10 17:53 <DIR> d-------- C:\Program Files\ATI Technologies
2008-06-10 15:16 . 2008-05-12 10:49 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-06-10 15:15 . 2008-06-10 15:15 <DIR> d-------- C:\ATI
2008-06-10 15:12 . 2008-06-10 15:12 <DIR> d-------- C:\Program Files\Driver Cleaner Pro
2008-06-10 14:26 . 2006-12-11 21:02 16,768 --a------ C:\WINDOWS\system32\drivers\BS_I2cIo.sys
2008-06-10 14:26 . 2007-08-16 10:09 3,604 --a------ C:\WINDOWS\system32\drivers\BS_Flash.sys
2008-06-10 14:22 . 2008-06-10 14:22 <DIR> d-------- C:\Documents and Settings\Techie\Application Data\Apple Computer
2008-06-10 14:16 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 14:16 . 2008-04-14 04:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 14:14 . 2008-06-10 14:14 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 08:55 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-12 16:30 3,007,488 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-12 15:56 397,312 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-05-12 15:54 305,152 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-05-12 15:53 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-05-12 15:45 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-05-12 15:45 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-05-12 15:45 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-05-12 15:45 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-05-12 15:44 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-05-12 15:43 540,672 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-05-12 15:43 10,153,984 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-05-12 15:41 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-05-12 15:32 3,203,168 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-05-12 15:22 1,999,616 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-05-12 15:09 47,104 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-05-12 15:05 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-05-12 15:05 327,680 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-05-12 15:03 19,968 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-05-12 15:03 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-05-12 15:02 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-05-12 15:02 241,664 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-05-12 14:57 548,864 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D918E9A8-738C-40D7-99B2-8C293DCD4B99}]
C:\WINDOWS\system32\ssqQiihe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"CLRHost"="C:\blp\API\OFFICE~1\bbxlcmd.exe" [2008-05-16 14:39 102400]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-11 02:37 1177368]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Microsoft WinUpdate"="C:\WINDOWS\system32\mslatest_updt.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-06-14 16:23:21 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\blp\\Wintrv\\wintrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 atitray;atitray;C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2007-05-22 02:04]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-11 02:37]
R1 BS_I2cIo;BS_I2cIo;C:\WINDOWS\system32\drivers\BS_I2cIo.sys [2006-12-11 21:02]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-11 02:37]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 02:37]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-11 02:38]
S3 BS_Flash;BS_Flash;C:\Program Files\Tseries BIOS Update\Award\BS_Flash.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 22:43:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 16:15:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\blp\API\OFFICE~1\Bloomberg.UIServer.exe
C:\blp\API\OFFICE~1\Bloomberg.RtdServer.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-17 16:18:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 23:17:58

Pre-Run: 25,956,872,192 bytes free
Post-Run: 30,015,602,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

293 --- E O F --- 2008-06-17 14:43:34

#4 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 June 2008 - 06:30 PM

Hi,

This is much better... !!

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Post a new HijackThis log in your next reply to fix the orphaned leftovers.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 xunkn0vvnx (Topic Starter)

Posted 18 June 2008 - 09:13 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:46 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\blp\API\OFFICE~1\Bloomberg.UIServer.exe
C:\blp\API\OFFICE~1\Bloomberg.RtdServer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\xun.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {D918E9A8-738C-40D7-99B2-8C293DCD4B99} - C:\WINDOWS\system32\ssqQiihe.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\mslatest_updt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CLRHost] C:\blp\API\OFFICE~1\bbxlcmd.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 8249 bytes

#6 miekiemoes (Malware Response Team, Belgium)

Posted 19 June 2008 - 12:21 AM

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {D918E9A8-738C-40D7-99B2-8C293DCD4B99} - C:\WINDOWS\system32\ssqQiihe.dll (file missing)
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\mslatest_updt.exe
O4 - HKCU\..\Run: [CLRHost] C:\blp\API\OFFICE~1\bbxlcmd.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, go to the next site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the next file:

C:\blp\API\OFFICE~1\bbxlcmd.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

Extra instruction:

Since I see that there are a lot of files/folders being modified in the last few days/week... I want you to perform the following online scan as well:

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
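The post above applies three pieces of analyst reasoning to the HijackThis log: a BHO whose DLL is "(file missing)" is an orphan to remove, a Run value named after Windows Update that starts an unknown exe from system32 is a fake, and an autostart binary the analyst does not recognise gets hashed and submitted to VirusTotal before anything is done to it. The script below is an added example, not part of this thread and not HijackThis code: it parses O2, O4 and O23 lines with those heuristics. The sample lines are constructed from the log in this thread; the regular expressions, the "trusted roots" list, the SYSTEM_WORDS heuristic and the function names are my assumptions, not rules HijackThis itself applies.

```python
import re
from dataclasses import dataclass

# Constructed sample: six HijackThis lines of the kind posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D918E9A8-738C-40D7-99B2-8C293DCD4B99} - C:\WINDOWS\system32\ssqQiihe.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\mslatest_updt.exe
O4 - HKCU\..\Run: [CLRHost] C:\blp\API\OFFICE~1\bbxlcmd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass
class Finding:
    line: str
    reason: str
    severity: str   # "fix": tick it in HijackThis; "review": hash/submit the file first


# Line formats of the three HijackThis sections this script understands (O2, O4, O23).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# Heuristic (my assumption, not a HijackThis rule): a Run value whose name borrows
# Microsoft/Windows/update wording but starts an exe straight out of system32.
SYSTEM_WORDS = re.compile(r"microsoft|windows|update|security", re.I)
# Directories where autostart binaries are normally expected to live (assumed list).
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")


def exe_of(cmd: str) -> str:
    """Extract the executable path from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take what is inside the quotes
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.I)         # unquoted path with spaces: cut after ".exe"
    return cmd[:m.end()] if m else cmd.split(" ")[0]


def check_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        if m.group("missing"):
            return Finding(line, "BHO CLSID still registered but its DLL is gone: orphan left after removal", "fix")
        if m.group("name") == "(no name)":
            return Finding(line, "unnamed BHO: legitimate ones almost always carry a name", "review")
        return None
    m = RUN_RE.match(line)
    if m:
        exe = exe_of(m.group("cmd"))
        if SYSTEM_WORDS.search(m.group("value")) and "\\system32\\" in exe.lower():
            return Finding(line, "Run value impersonates Windows Update; the real one is a service, not a Run key", "fix")
        if not exe.lower().startswith(TRUSTED_ROOTS):
            return Finding(line, "autostart binary outside Program Files/Windows: hash it and submit to VirusTotal", "review")
        return None
    m = SVC_RE.match(line)
    if m and m.group("vendor") == "Unknown owner":
        return Finding(line, "service binary carries no publisher information: verify before touching", "review")
    return None


def triage(log_text: str):
    """Run check_line over a whole log; findings keep log order."""
    return [f for f in map(check_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}\n         {f.reason}")
```

Run on the sample it reports the orphaned ssqQiihe.dll BHO and the fake "Microsoft WinUpdate" entry as "fix", and flags bbxlcmd.exe and the publisher-less ATI service as "review", which mirrors the split in the post: two entries ticked in HijackThis, one file sent to VirusTotal first. The "review" tier is deliberately conservative; an unsigned or oddly placed binary is a reason to look, not a verdict.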

#7 miekiemoes (Malware Response Team, Belgium)

Posted 28 June 2008 - 10:23 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



