Hijackthis Log - Popup Problem


  • This topic is locked
17 replies to this topic

#1 cwguth

  • Members
  • 9 posts

Posted 13 March 2007 - 09:10 AM

Hello,

This is my first post, although I've been reading the forum for a while. I am getting repeated popup messages on my XP Professional machine, and have been unable to solve the problem myself. I have tried Ad-Aware, AVG Anti-Spyware, CCleaner, Spybot, and HSremove thus far. I also tried a System Restore, but Windows gave me an error and said it couldn't restore about halfway through. After that, I tried to turn off System Restore and run all the utilities again, but still nothing. My hosts file does not have any malicious entries (just one entry for localhost), and I do not see anything in add/remove programs that shouldn't belong. I do not have any file sharing programs installed either.

I have been able to reduce some of the popups (spyware doctor was the first one I noticed and was able to stop), but I'm still getting others. Just while typing this post I got the following:

http://adfarm.mediaplex.com/
http://www.errorprotector.com
http://www.spyware-secure.com

Thanks for any help,
Chris


Logfile of HijackThis v1.99.1
Scan saved at 8:52:08 AM, on 3/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173720695184
O16 - DPF: {F1EA17CB-F7BD-4108-A742-1BC7774383FF} (Seisint GraphView Control 1.0) - https://secure.accurint.com/bps/195/cab/GraphViewCtl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = BTFD.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 March 2007 - 09:44 AM

Welcome to Bleeping Computer cwguth :thumbsup:

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

**************************

Please download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

*************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Restart your pc when you've finished.
Post the AVG Anti-Spyware report, the C:\vundofix.txt, the SmitfraudFix report, and a new Hijackthis log into your next reply please.

Edited by RichieUK, 13 March 2007 - 09:45 AM.


#3 cwguth
  • Topic Starter

  • Members
  • 9 posts

Posted 13 March 2007 - 10:48 AM

Hi RichieUK, thanks for responding so quickly. I'm crossing my fingers, because so far while typing this reply, I haven't received any pop-ups. Here are the results of the new scans:

AVG Report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:21:35 AM 3/13/2007

+ Scan result:



Nothing found.


::Report end



VundoFix Report:


VundoFix V6.3.15

Checking Java version...

Sun Java not detected
Scan started at 10:28:48 AM 3/13/2007

Listing files found while scanning....

No infected files were found.



SmitfraudFix report:

SmitFraudFix v2.148

Scan done at 10:35:56.33, Tue 03/13/2007
Run from C:\Documents and Settings\cguthrie\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\cguthrie


C:\Documents and Settings\cguthrie\Application Data


Start Menu


C:\DOCUME~1\cguthrie\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32


Scanning wininet.dll infection


End





New HijackThis report

Logfile of HijackThis v1.99.1
Scan saved at 10:41:45 AM, on 3/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173720695184
O16 - DPF: {F1EA17CB-F7BD-4108-A742-1BC7774383FF} (Seisint GraphView Control 1.0) - https://secure.accurint.com/bps/195/cab/GraphViewCtl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = BTFD.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe



-Chris

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 March 2007 - 11:21 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
Then select 'Yes'; your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time are created automatically.

Read through the information found here to help you prevent any possible future infections.
Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

#5 cwguth
  • Topic Starter

  • Members
  • 9 posts

Posted 13 March 2007 - 11:26 AM

Unfortunately I did get two more pop-ups since my last post: http://ads.gad-network.com. However, since the log is clean, I'm not sure if there's anything else that can be done, short of a reformat.

I do appreciate all of your help, and if you have any other ideas, please let me know.

Thanks again,
Chris

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 March 2007 - 11:56 AM

Download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

***************************

Please download Sophos Anti-Rootkit, and save it on your desktop.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan.
Post this log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-Rootkit as Trojan.Dropper.Interlac.100.
So if you have Trojan Hunter installed you will need to disable it prior to running a scan.

Post the DrWeb.csv report and the sarscan.log please.

#7 cwguth
  • Topic Starter

  • Members
  • 9 posts

Posted 13 March 2007 - 01:06 PM

Alright, here the next two are:


DrWeb-CureIt:

Process.exe;C:\Documents and Settings\cguthrie\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\cguthrie\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Process.exe;C:\Documents and Settings\cguthrie\Desktop\Utilities\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\cguthrie\Desktop\Utilities\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;



Sophos Anti-Rootkit:

Sophos Anti-Rootkit Version 1.2 (data 1.01) © 2006 Sophos Plc
Started logging on 3/13/2007 at 12:59:49 PM
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal\Desktop.ini:$EFS
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal:$EFS
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal\test.doc:$EFS
Hidden: file C:\WINDOWS\system32\fblgtudaqv.dat
Hidden: file C:\WINDOWS\system32\fblgtudaqv.exe
Hidden: file C:\WINDOWS\system32\fblgtudaqv_nav.dat
Hidden: file C:\WINDOWS\system32\fblgtudaqv_navps.dat
Hidden: file C:\WINDOWS\Prefetch\FBLGTUDAQV.EXE-0E4B030C.pf
Stopped logging on 3/13/2007 at 13:02:11 PM

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 March 2007 - 01:39 PM

Please follow these instructions very carefully and take your time; there's no rush :thumbsup:

Download Brute Force Uninstaller to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk C" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).

Copy and paste the following bold text in the Quote box below into Notepad.
Click on File(in the menu at the top)>'Save as..'
Save as Type: 'All Files'
File name: aftermath.bfu
Save it to the same folder you made earlier (c:\BFU)

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fblgtudaqv
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fblgtudaqv
FileDelete %SYSDIR%\fblgtudaqv_navps.dat
FileDelete %SYSDIR%\fblgtudaqv_nav.dat
FileDelete %SYSDIR%\fblgtudaqv.dat
FileDelete %SYSDIR%\fblgtudaqv.exe
FileDelete %SYSDIR%\fblgtudaqv_m2s.xml
FileDelete %WINDIR%\Prefetch\fblgtudaqv.exe-*.pf


Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon and select EGDACCESS.bfu
Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Behind the scriptline to execute field click the folder icon again and this time select aftermath.bfu
Press Execute and let it do its job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot and post a new HijackThis log into your next reply.

Edited by RichieUK, 13 March 2007 - 01:40 PM.

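As an added example (not code from this thread, from Sophos or from the BFU project), the following Python cross-checks a Sophos Anti-Rootkit log against a BFU cleanup script: it extracts the hidden files, discards the $EFS named streams that Windows keeps on EFS-encrypted files (reported as hidden, but user data rather than a rootkit artifact), generates FileDelete lines using the %SYSDIR%/%WINDIR% variables the script above uses, and lints a script for the whitespace-in-path damage that makes a BFU run fail. The log and the malformed script are constructed samples; the stray-space rule and the variable expansions are assumptions.

```python
import fnmatch
import re

# Constructed sample log in the Sophos Anti-Rootkit 1.2 line format. The
# fblgtudaqv entries mirror what the scanner reported in this thread; the
# $EFS line is what an EFS-encrypted file looks like to the scanner.
SARSCAN_LOG = """\
Sophos Anti-Rootkit Version 1.2 (data 1.01) (c) 2006 Sophos Plc
Started logging on 3/13/2007 at 12:59:49 PM
Hidden: file C:\\Documents and Settings\\user\\Desktop\\Personal\\test.doc:$EFS
Hidden: file C:\\WINDOWS\\system32\\fblgtudaqv.dat
Hidden: file C:\\WINDOWS\\system32\\fblgtudaqv.exe
Hidden: file C:\\WINDOWS\\system32\\fblgtudaqv_nav.dat
Hidden: file C:\\WINDOWS\\system32\\fblgtudaqv_navps.dat
Hidden: file C:\\WINDOWS\\Prefetch\\FBLGTUDAQV.EXE-0E4B030C.pf
Stopped logging on 3/13/2007 at 13:02:11 PM
"""

# Constructed malformed copy of an aftermath.bfu script: a paste has put spaces
# inside the path tokens and the prefetch pattern lacks its directory.
BAD_BFU = """\
RegDeleteKey HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\fblgtudaqv
RegDelValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\fblgtudaqv
FileDelete %SYSDIR%\\ fblgtudaqv _navps.dat
FileDelete %SYSDIR%\\ fblgtudaqv _nav.dat
FileDelete %SYSDIR%\\ fblgtudaqv.dat
FileDelete %SYSDIR%\\ fblgtudaqv.exe
FileDelete %WINDIR%\\ fblgtudaqv.exe-*.pf
"""

# Assumed expansions of the two BFU variables for a default XP install on C:.
BFU_VARS = {"%SYSDIR%": "C:\\WINDOWS\\system32", "%WINDIR%": "C:\\WINDOWS"}
KNOWN_COMMANDS = {"RegDeleteKey", "RegDelValue", "FileDelete"}
# Heuristic: a space right after a backslash or right before '_' or '.' never
# belongs to a real path component; it is paste damage that breaks the script.
STRAY_SPACE = re.compile(r"\\ | [_.]")


def hidden_files(log_text):
    """Every path the scanner reported as hidden, in log order."""
    prefix = "Hidden: file "
    return [line[len(prefix):].strip() for line in log_text.splitlines()
            if line.startswith(prefix)]


def suspicious_hidden(paths):
    """Drop $EFS named streams: Windows keeps one on each EFS-encrypted file and
    the scanner lists it as hidden, but deleting it would damage user data."""
    return [p for p in paths if not p.upper().endswith(":$EFS")]


def file_delete_lines(paths):
    """FileDelete lines for the given paths, with the longest matching BFU
    variable substituted so %SYSDIR% wins over %WINDIR% under system32."""
    out = []
    for p in paths:
        arg = p
        for var, root in sorted(BFU_VARS.items(), key=lambda kv: -len(kv[1])):
            if p.lower().startswith(root.lower() + "\\"):
                arg = var + p[len(root):]
                break
        out.append("FileDelete " + arg)
    return out


def lint_bfu(script_text):
    """(line_number, problem) for each line a BFU run would choke on."""
    problems = []
    for n, raw in enumerate(script_text.splitlines(), 1):
        if not raw.strip():
            continue
        cmd, _, arg = raw.strip().partition(" ")
        if cmd not in KNOWN_COMMANDS:
            problems.append((n, "unknown command " + cmd))
        elif STRAY_SPACE.search(arg):
            problems.append((n, "stray space inside path: " + arg))
    return problems


def uncovered(script_text, paths):
    """Hidden files that no FileDelete pattern in the script matches after
    variable expansion and case-insensitive glob matching."""
    patterns = []
    for raw in script_text.splitlines():
        cmd, _, arg = raw.strip().partition(" ")
        if cmd == "FileDelete":
            for var, root in BFU_VARS.items():
                arg = arg.replace(var, root)
            patterns.append(arg.lower())
    return [p for p in paths
            if not any(fnmatch.fnmatchcase(p.lower(), pat) for pat in patterns)]


if __name__ == "__main__":
    targets = suspicious_hidden(hidden_files(SARSCAN_LOG))
    for n, problem in lint_bfu(BAD_BFU):
        print("line %d: %s" % (n, problem))
    print("hidden files the malformed script misses:", len(uncovered(BAD_BFU, targets)))
    print("\n".join(file_delete_lines(targets)))
```

Run as a script it lists the five broken lines, reports that the malformed script covers none of the five hidden files, and prints a clean replacement script that covers all of them.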

#9 cwguth
  • Topic Starter

  • Members
  • 9 posts

Posted 13 March 2007 - 02:02 PM

RichieUK:

OK, I was able to run EGDACCESS.bfu with no problems, but when I try to run aftermath.bfu, I get the following error message:

Runtime error '5':
Invalid procedure call or argument


I verified that I copied and saved the text as it is written . . . any idea where I went wrong?
-Chris

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 March 2007 - 02:57 PM

Please run Sophos Anti-Rootkit again.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan.
Post this log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-Rootkit as Trojan.Dropper.Interlac.100.
So if you have Trojan Hunter installed you will need to disable it prior to running a scan.

***********************************

Download ComboScan to your desktop:
http://www.techsupportforum.com/sectools/D...d/comboscan.exe
Make sure all running programs and Windows Explorer windows are closed.
Double-click on comboscan.exe to run it, then follow the prompts.
The scan may take a few minutes to complete.
When the scan has finished, a text file will open: 'ComboScan.txt'.

Please Note:
When running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so.
Also, it may happen that your Antivirus flags Comboscan as suspicious.
Please allow the Comboscan to run and don't let your Antivirus delete it.
(If necessary, temporarily disable/turn off your Antivirus program.)
Post the Comboscan.txt from the Comboscan into your next reply, along with a new Hijackthis log please.

You may need more than one reply to post the logs.

#11 cwguth
  • Topic Starter

  • Members
  • 9 posts

Posted 14 March 2007 - 07:31 AM

Sophos Log:

Sophos Anti-Rootkit Version 1.2 (data 1.01) © 2006 Sophos Plc
Started logging on 3/14/2007 at 8:18:56 AM
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal\Desktop.ini:$EFS
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal:$EFS
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal\test.doc:$EFS
Hidden: file C:\WINDOWS\system32\fblgtudaqv.dat
Hidden: file C:\WINDOWS\system32\fblgtudaqv.exe
Hidden: file C:\WINDOWS\system32\fblgtudaqv_nav.dat
Hidden: file C:\WINDOWS\system32\fblgtudaqv_navps.dat
Hidden: file C:\WINDOWS\Prefetch\FBLGTUDAQV.EXE-0E4B030C.pf
Stopped logging on 3/14/2007 at 8:21:18 AM




ComboScan Logs:

ComboScan v20070306.20 run by cguthrie on 2007-03-14 at 08:24:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-03-14 14:24:58 UTC - RP1 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as cguthrie.exe) --------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:25:05 AM, on 3/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Documents and Settings\cguthrie\Desktop\comboscan.exe
C:\HIJACK~1\cguthrie.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173720695184
O16 - DPF: {F1EA17CB-F7BD-4108-A742-1BC7774383FF} (Seisint GraphView Control 1.0) - https://secure.accurint.com/bps/195/cab/GraphViewCtl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = BTFD.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe


-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3R aeaudio - C:\WINDOWS\system32\drivers\aeaudio.sys
1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
3R b57w2k (Broadcom NetXtreme Gigabit Ethernet) - C:\WINDOWS\system32\drivers\b57xp32.sys
0S cercsr6 - C:\WINDOWS\system32\drivers\cercsr6.sys
3R hidusb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
3R ialm - C:\WINDOWS\system32\drivers\ialmnt5.sys
1S intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
1R kbdhid (Keyboard HID Driver) - C:\WINDOWS\system32\drivers\kbdhid.sys
3S LHidFilt (Logitech SetPoint KMDF HID Filter Driver) - C:\WINDOWS\system32\drivers\LHidFilt.Sys
3S LMouFilt (Logitech SetPoint KMDF Mouse Filter Driver) - C:\WINDOWS\system32\drivers\LMouFilt.Sys
3R mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
1R SAVOnAccess Control - C:\WINDOWS\system32\drivers\savonaccesscontrol.sys
1R SAVOnAccess Filter - C:\WINDOWS\system32\drivers\savonaccessfilter.sys
3R smwdm - C:\WINDOWS\system32\drivers\smwdm.sys
3S usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3R usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
3S Wdf01000 - C:\WINDOWS\system32\drivers\wdf01000.sys
3R MEMSWEEP2 - C:\WINDOWS\System32\3.tmp (not found)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"
2R LexBceS (LexBce Server) - C:\WINDOWS\system32\LEXBCES.EXE
3S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
2R SAVAdminService (Sophos Anti-Virus status reporter) - "C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe"
2R SAVService (Sophos Anti-Virus) - "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe"
3S SCardDrv (Smart Card Helper) - C:\WINDOWS\System32\SCardSvr.exe
2R Sophos Agent - "C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent
2R Sophos AutoUpdate Service - "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe"
2R Sophos Message Router - "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194
2R spkrmon - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
2R uploadmgr (Upload Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R WmdmPmSp (Portable Media Serial Number) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Files created between 2007-02-14 and 2007-03-14 -----------------------------

2007-03-14 08:19:10 0 d-------- C:\Documents and Settings\cguthrie\Application Data\Help
2007-03-13 12:45:44 0 d-------- C:\WINDOWS\System32\bfubackups<BFUBAC~1>
2007-03-13 12:40:10 0 d-------- C:\bfu
2007-03-13 11:59:06 0 d-------- C:\SOPHTEMP
2007-03-13 11:03:25 0 d-------- C:\Documents and Settings\cguthrie\DoctorWeb<DOCTOR~1>
2007-03-13 09:28:48 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-03-13 08:10:13 0 d-------- C:\WINDOWS\pss
2007-03-13 06:11:03 0 d-------- C:\Program Files\MSXML 4.0<MSXML4~1.0>
2007-03-12 21:53:05 127208 --a------ C:\WINDOWS\System32\mucltui.dll
2007-03-12 12:13:25 0 d-------- C:\Hijackthis<HIJACK~1>
2007-03-12 11:56:31 1630 --a------ C:\WINDOWS\System32\tmp.reg
2007-03-12 11:54:38 0 d-------- C:\Program Files\CCleaner
2007-03-09 07:22:24 0 d-------- C:\Program Files\Windows Live Safety Center<WINDOW~4>
2007-03-08 07:12:47 274432 --a------ C:\WINDOWS\System32\3dr664.dll
2007-03-08 07:12:47 274432 --a------ C:\WINDOWS\System32\3dr655.dll
2007-03-08 07:12:47 274944 --a------ C:\WINDOWS\System32\3dr565.dll
2007-03-08 07:12:47 274432 --a------ C:\WINDOWS\System32\3dr555.dll
2007-03-08 07:12:47 479744 --a------ C:\WINDOWS\System32\3dr332.dll
2007-03-08 07:12:47 38400 --a------ C:\WINDOWS\System32\3dr32.dll
2007-03-08 07:12:47 71680 --a------ C:\WINDOWS\System32\3dr.dll
2007-03-08 07:12:47 374784 --a------ C:\WINDOWS\3dg32.dll
2007-03-08 07:12:46 22016 --a------ C:\WINDOWS\System32\3drsys.dll
2007-03-08 07:12:46 274432 --a------ C:\WINDOWS\System32\3drrgba.dll
2007-03-08 07:12:46 278528 --a------ C:\WINDOWS\System32\3drrgb.dll
2007-03-08 07:12:46 876066 --a------ C:\WINDOWS\System32\3dreng.dll
2007-03-08 07:12:46 274432 --a------ C:\WINDOWS\System32\3drbgra.dll
2007-03-08 07:12:46 278528 --a------ C:\WINDOWS\System32\3drbgr.dll
2007-03-08 07:12:46 274944 --a------ C:\WINDOWS\System32\3drargb.dll
2007-03-08 07:12:46 274432 --a------ C:\WINDOWS\System32\3drabgr.dll
2007-03-08 07:11:29 0 d-------- C:\Program Files\Punch! Pro<PUNCH!~1>
2007-03-07 14:28:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-03-07 12:11:17 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys
2007-03-07 12:11:14 0 d-------- C:\Program Files\Grisoft
2007-03-07 12:09:46 0 d---s---- C:\Documents and Settings\cguthrie\UserData
2007-03-07 11:01:24 0 d-------- C:\Documents and Settings\cguthrie\Application Data\Lavasoft
2007-03-07 11:01:13 0 d-------- C:\Program Files\Lavasoft
2007-03-07 11:00:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-17 14:44:55 50176 --a------ C:\WINDOWS\System32\dpwsockx.dll
2007-02-17 14:44:55 214528 --a------ C:\WINDOWS\System32\dplayx.dll
2007-02-17 14:42:35 32256 --a------ C:\WINDOWS\System32\msgsvc.dll
2007-02-17 14:41:30 30749 --a------ C:\WINDOWS\System32\vbajet32.dll
2007-02-17 14:41:30 348189 --a------ C:\WINDOWS\System32\msxbde40.dll
2007-02-17 14:41:30 258077 --a------ C:\WINDOWS\System32\mstext40.dll
2007-02-17 14:41:30 552989 --a------ C:\WINDOWS\System32\msrepl40.dll
2007-02-17 14:41:30 348189 --a------ C:\WINDOWS\System32\mspbde40.dll
2007-02-17 14:41:30 241693 --a------ C:\WINDOWS\System32\msjtes40.dll
2007-02-17 14:41:30 53279 --a------ C:\WINDOWS\System32\msjter40.dll
2007-02-17 14:41:30 151583 --a------ C:\WINDOWS\System32\msjint40.dll
2007-02-17 14:41:30 358976 --a------ C:\WINDOWS\System32\msjetoledb40.dll<MSJETO~1.DLL>
2007-02-17 14:41:30 1507356 --a------ C:\WINDOWS\System32\msjet40.dll
2007-02-17 14:41:30 319517 --a------ C:\WINDOWS\System32\msexcl40.dll
2007-02-17 14:41:30 512029 --a------ C:\WINDOWS\System32\msexch40.dll
2007-02-17 14:41:30 380957 --a------ C:\WINDOWS\System32\expsrv.dll
2007-02-17 14:41:29 614431 --a------ C:\WINDOWS\System32\mswstr10.dll
2007-02-17 14:41:29 831519 --a------ C:\WINDOWS\System32\mswdat10.dll
2007-02-17 14:41:29 421919 --a------ C:\WINDOWS\System32\msrd2x40.dll
2007-02-17 14:41:28 315423 --a------ C:\WINDOWS\System32\msrd3x40.dll
2007-02-17 14:41:27 213023 --a------ C:\WINDOWS\System32\msltus40.dll
2007-02-17 14:34:28 0 d-------- C:\WINDOWS\RegisteredPackages<REGIST~2>
2007-02-17 14:29:04 172544 --a------ C:\WINDOWS\System32\schedsvc.dll
2007-02-17 14:29:04 10752 --a------ C:\WINDOWS\System32\mstinit.exe
2007-02-17 14:29:04 260096 --a------ C:\WINDOWS\System32\mstask.dll
2007-02-15 08:23:40 12160 --a------ C:\WINDOWS\System32\drivers\mouhid.sys
2007-02-15 08:23:40 22016 --a------ C:\WINDOWS\System32\drivers\mouclass.sys
2007-02-15 08:23:39 0 d-------- C:\WINDOWS\System32\ReinstallBackups<REINST~1>
2007-02-15 08:23:22 33296 --a------ C:\WINDOWS\System32\drivers\LMouFilt.Sys
2007-02-15 08:23:22 101136 --a------ C:\WINDOWS\KHALMNPR.Exe
2007-02-15 08:23:21 1419024 --a------ C:\WINDOWS\System32\WdfCoInstaller01005.dll<WDFCOI~1.DLL>
2007-02-15 08:23:21 34576 --a------ C:\WINDOWS\System32\drivers\LHidFilt.Sys
2007-02-15 08:22:17 0 d-------- C:\Program Files\Common Files\Logitech
2007-02-15 08:22:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-02-15 07:59:32 20480 --a------ C:\WINDOWS\System32\hidserv.dll
2007-02-15 07:59:22 28160 --a------ C:\WINDOWS\System32\drivers\usbccgp.sys


-- Find3M Report ---------------------------------------------------------------

2007-03-14 08:22:22 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-03-13 08:38:45 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-03-13 08:36:00 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-07 11:53:27 0 d-------- C:\Program Files\Google
2007-02-15 08:22:10 0 d---s---- C:\Documents and Settings\cguthrie\Application Data\Microsoft<MICROS~1>
2007-01-03 18:41:59 1168 --a------ C:\WINDOWS\mozver.dat
2007-01-03 18:17:52 0 --a------ C:\WINDOWS\nsreg.dat
2006-12-17 13:45:00 15872 -----n--- C:\WINDOWS\System32\sophosboottasks.exe<SOPHOS~1.EXE>
2006-12-17 13:42:33 82432 --a------ C:\WINDOWS\System32\msxml4r.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"fblgtudaqv"="c:\\windows\\system32\\fblgtudaqv.exe fblgtudaqv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SAVService
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MEMSWEEP2


-- End of ComboScan: finished at 2007-03-14 at 08:25:22 ------------------------


ComboScan v20070306.20 run by cguthrie on 2007-03-14 at 08:24:53
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 502.07 MiB / 228.29 MiB
Pagefile Memory (total/avail): 1228.98 MiB / 1004.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 2006.28 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.19 GiB total, 31.83 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\cguthrie\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DETECTIVE1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\cguthrie
LOGONSERVER=\\BTS2
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\cguthrie\LOCALS~1\Temp
TMP=C:\DOCUME~1\cguthrie\LOCALS~1\Temp
USERDNSDOMAIN=BTFD.LOCAL
USERDOMAIN=BTFD
USERNAME=cguthrie
USERPROFILE=C:\Documents and Settings\cguthrie
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)
smorgan (admin)
aehrhart (admin)
sstein
tburkett (admin)
smorgan.BTFD (admin)
cguthrie (admin)
fic (new local, net ready)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Broadcom Gigabit Integrated Controller --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{7E369B27-13E2-41A5-9879-358EE1C8B5AD}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Dell Photo Printer 720 --> C:\WINDOWS\System32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
Dell Photo Printer 720 Logger --> C:\Program Files\Dell Photo Printer 720\dlbcunst.exe
DVR --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8FE552F4-52D5-4ED8-B77B-672D5F88B427}\Setup.exe"
HijackThis 1.99.1 --> C:\Documents and Settings\cguthrie\Desktop\hijackthis\HijackThis.exe /uninstall
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
March Networks DVR Player --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MarchNetworks\DVR Player\Bin\Uninst.isu" -c"C:\Program Files\MarchNetworks\DVR Player\Bin\Uninstall.dll"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Outlook 2003 --> MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.2) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Punch! Professional Home Design --> C:\PROGRA~1\PUNCH!~1\UNWISE.EXE C:\PROGRA~1\PUNCH!~1\INSTALL.LOG
Sophos Anti-Virus --> MsiExec.exe /X{09C6BF52-6DBA-4A97-9939-B6C24E4738BF}
Sophos AutoUpdate --> MsiExec.exe /X{15C418EB-7675-42BE-B2B3-281952DA014D}
Sophos Remote Management System --> MsiExec.exe /X{FF11005D-CBC8-45D5-A288-25C7BB304121}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"


-- End of ComboScan: finished at 2007-03-14 at 08:25:22 ------------------------

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 March 2007 - 07:44 AM

Open the folder C:\SOPHTEMP again and double-click sargui.exe to start the program.
1. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
2. Click the "Start Scan" button.
When the scan has finished, place a checkmark next to these entries:

Hidden: file C:\WINDOWS\system32\fblgtudaqv.dat
Hidden: file C:\WINDOWS\system32\fblgtudaqv.exe
Hidden: file C:\WINDOWS\system32\fblgtudaqv_nav.dat
Hidden: file C:\WINDOWS\system32\fblgtudaqv_navps.dat
Hidden: file C:\WINDOWS\Prefetch\FBLGTUDAQV.EXE-0E4B030C.pf


3. Then click the "Clean up checked items" button.
4. You will get a prompt asking if you are sure to delete these entries. Agree and click "OK".
5. In the new window that will appear, hit the "Restart now" button.
6. After reboot, go to Start > Run and type or copy and paste: %temp%\sarscan.log
7. This should open the log from the rootkit scan.
Post this log into your next reply, along with a new HijackThis log please.
Let me know how your pc is running now.

#13 cwguth

cwguth
  • Topic Starter

  • Members
  • 9 posts

Posted 14 March 2007 - 09:02 AM

OK, I deleted the 5 files, and it appears that you solved it! I've been surfing for about 10-15 minutes, and so far, no pop-ups. I'm keeping my fingers crossed!

I really appreciate all your time and effort, I could not have figured it out myself.

The new logs are below.

-Chris


Sophos Log

Sophos Anti-Rootkit Version 1.2 (data 1.01) © 2006 Sophos Plc
Started logging on 3/14/2007 at 7:03:48 AM
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal\Desktop.ini:$EFS
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal:$EFS
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal\test.doc:$EFS
Hidden: file C:\WINDOWS\system32\fblgtudaqv.dat
Hidden: file C:\WINDOWS\system32\fblgtudaqv.exe
Hidden: file C:\WINDOWS\system32\fblgtudaqv_nav.dat
Hidden: file C:\WINDOWS\system32\fblgtudaqv_navps.dat
Hidden: file C:\WINDOWS\Prefetch\FBLGTUDAQV.EXE-0E4B030C.pf
Stopped logging on 3/14/2007 at 7:06:07 AM





New HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 7:13:34 AM, on 3/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [fblgtudaqv] c:\windows\system32\fblgtudaqv.exe fblgtudaqv
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173720695184
O16 - DPF: {F1EA17CB-F7BD-4108-A742-1BC7774383FF} (Seisint GraphView Control 1.0) - https://secure.accurint.com/bps/195/cab/GraphViewCtl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = BTFD.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 March 2007 - 09:21 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [fblgtudaqv] c:\windows\system32\fblgtudaqv.exe fblgtudaqv
Exit HijackThis, restart your PC.

************************************

Please run Sophos Anti-Rootkit again.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan.
Post this log into your next reply, along with a new HijackThis log please.
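The point RichieUK's two posts turn on is visible in the logs earlier in the thread: the ComboScan registry dump lists a Run value for fblgtudaqv that the O4 section of the same scan did not show, Sophos Anti-Rootkit reported its executable as hidden, and the O4 line only appeared in the HijackThis log after the hidden files had been removed. The script below automates that cross-check. It is an added example, not code from the thread or from HijackThis, ComboScan or Sophos; the sample log excerpts are constructed to match the formats posted above, and every function name in it is my own.

```python
"""Cross-check autostart entries against a rootkit scan (added example, not
code from the thread or from HijackThis, ComboScan or Sophos Anti-Rootkit).
Sample inputs are constructed to mirror the log formats posted in the thread."""
import re

# Constructed HijackThis excerpt, modelled on the first log: the Run value
# for fblgtudaqv is missing here even though the registry dump lists it.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
"""

# Constructed ComboScan registry dump excerpt (values use doubled backslashes).
SAMPLE_REGDUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"fblgtudaqv"="c:\\windows\\system32\\fblgtudaqv.exe fblgtudaqv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
"""

# Constructed Sophos Anti-Rootkit excerpt; the :$EFS entries are encrypted-file
# streams the scanner reports as hidden but that match no autostart entry.
SAMPLE_SOPHOS = r"""
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal\test.doc:$EFS
Hidden: file C:\WINDOWS\system32\fblgtudaqv.dat
Hidden: file C:\WINDOWS\system32\fblgtudaqv.exe
Hidden: file C:\WINDOWS\Prefetch\FBLGTUDAQV.EXE-0E4B030C.pf
"""

O4_RE = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
REG_HEADER_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
HIDDEN_RE = re.compile(r"^Hidden: file (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|scr|bat|dll))"?(?:\s|$)', re.IGNORECASE)

def executable_of(cmd: str) -> str:
    """Lower-cased executable path at the start of a Run-key command line."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("path") if m else cmd.strip()).lower()

def parse_hjt_o4(text: str) -> dict:
    """HKLM\\..\\Run entries reported by HijackThis: value name -> executable."""
    entries = {}
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[m.group("name")] = executable_of(m.group("cmd"))
    return entries

def parse_run_key(text: str) -> dict:
    """Values under the HKLM ...\\CurrentVersion\\Run key in a registry dump."""
    entries, in_run_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        header = REG_HEADER_RE.match(line)
        if header:
            # Only the Run key itself, not its OptionalComponents subkeys.
            in_run_key = header.group("key").lower().endswith(r"\currentversion\run")
            continue
        value = REG_VALUE_RE.match(line)
        if in_run_key and value:
            data = value.group("data").replace("\\\\", "\\")  # undo .reg-style escaping
            entries[value.group("name")] = executable_of(data)
    return entries

def parse_hidden_files(text: str) -> set:
    """Lower-cased paths the rootkit scan reported as hidden."""
    hidden = set()
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            hidden.add(m.group("path").lower())
    return hidden

def find_suspicious_autoruns(hjt_text: str, regdump_text: str, sophos_text: str) -> dict:
    """Run values whose executable is hidden, or that HijackThis did not list."""
    hjt = parse_hjt_o4(hjt_text)
    reg = parse_run_key(regdump_text)
    hidden = parse_hidden_files(sophos_text)
    findings = {}
    for name in sorted(set(reg) | set(hjt)):
        path = reg.get(name, hjt.get(name))
        reasons = []
        if path in hidden:
            reasons.append("executable is hidden from the file system")
        if name in reg and name not in hjt:
            reasons.append("present in registry dump but absent from HijackThis O4 list")
        if reasons:
            findings[name] = {"path": path, "reasons": reasons}
    return findings

if __name__ == "__main__":
    for name, info in find_suspicious_autoruns(SAMPLE_HJT, SAMPLE_REGDUMP, SAMPLE_SOPHOS).items():
        print(f"[{name}] {info['path']}")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```

Run on the constructed excerpts it reports only fblgtudaqv, with both reasons. The comparison is deliberately on the value name and the lower-cased executable path rather than the full command line, so the trailing argument in the Run value (`fblgtudaqv.exe fblgtudaqv`) does not defeat the match against the Sophos "Hidden: file" line; benign entries such as the EFS streams in the other user's profile are listed as hidden but never line up with an autostart, so they produce no finding.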

#15 cwguth

cwguth
  • Topic Starter

  • Members
  • 9 posts

Posted 14 March 2007 - 10:11 AM

Here are the newest logs...still no pop-ups at this time.


Sophos

Sophos Anti-Rootkit Version 1.2 (data 1.01) © 2006 Sophos Plc
Started logging on 3/14/2007 at 11:04:09 AM
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal\Desktop.ini:$EFS
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal:$EFS
Hidden: file C:\Documents and Settings\smorgan.BTFD\Desktop\Morgan\Personal\test.doc:$EFS
Stopped logging on 3/14/2007 at 11:06:08 AM




HijackThis


Logfile of HijackThis v1.99.1
Scan saved at 11:07:19 AM, on 3/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173720695184
O16 - DPF: {F1EA17CB-F7BD-4108-A742-1BC7774383FF} (Seisint GraphView Control 1.0) - https://secure.accurint.com/bps/195/cab/GraphViewCtl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = BTFD.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BTFD.LOCAL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

