Instances Of Internet Explorer Keep Popping Up.



#1 Djelibaybi


Posted 15 April 2007 - 09:53 PM

Hi guys,

A couple of days ago my computer started randomly opening instances of Internet Explorer and transferring to websites, usually saying I had a virus and should download this program in order to rectify the problem. Fortunately, I'm not that stupid. That being said, I did get the virus from somewhere, so I can't be ALL there.

At this stage I'm just trying to identify exactly what the malicious activity is.

I ran 'ComboScan', which also downloaded and ran HijackThis and then provided me with a list which may as well have been in Japanese.

Following is my HijackThis log; if anyone has any ideas, please reply.

Regards,

Djelibaybi


ComboScan v20070306.20 run by Lexi and Pat on 2007-04-15 at 19:31:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created ComboScan Restore Point.


-- Last 5 Restore Point(s) --
41: 2007-04-16 02:31:06 UTC - RP41 - ComboScan Restore Point
40: 2007-04-16 02:23:56 UTC - RP40 - Installed J2SE Runtime Environment 5.0 Update 11
39: 2007-04-16 01:20:43 UTC - RP39 - Software Distribution Service 2.0
38: 2007-04-15 01:00:18 UTC - RP38 - Software Distribution Service 2.0
37: 2007-04-14 01:32:03 UTC - RP37 - Software Distribution Service 2.0


-- First Restore Point --
1: 2007-03-06 07:04:01 UTC - RP1 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Lexi and Pat.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:31:33 PM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\APPS\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\windows\mHotkey.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\windows\temp\svcipa.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Lexi and Pat\Local Settings\Temporary Internet Files\Content.IE5\GHIPQ9IR\comboscan[1].exe
C:\PROGRA~1\HIJACK~1\Lexi and Pat.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmpD8.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {91b79bfe-c50b-4914-a509-01921b0ca030} - C:\WINDOWS\system32\icaailt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [CHotkey] C:\APPS\Chicony\chicony.bat
O4 - HKLM\..\Run: [RemoteControl] C:\APPS\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\tutqon.dll",realset
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: icaailt - C:\WINDOWS\SYSTEM32\icaailt.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

0R agpCPQ (Compaq AGP Bus Filter) - C:\WINDOWS\system32\drivers\AGPCPQ.SYS
0R alim1541 (ALI AGP Bus Filter) - C:\WINDOWS\system32\drivers\ALIM1541.SYS
0R amdagp (AMD AGP Bus Filter Driver) - C:\WINDOWS\system32\drivers\AMDAGP.SYS
3R Arp1394 (1394 ARP Client Protocol) - C:\WINDOWS\system32\drivers\arp1394.sys
3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
0R cbidf - C:\WINDOWS\system32\drivers\cbidf2k.sys
3S CCDECODE (Closed Caption Decoder) - C:\WINDOWS\system32\drivers\CCDECODE.sys
0R dac2w2k - C:\WINDOWS\system32\drivers\dac2w2k.sys
3R E100B (Intel® PRO Network Connection Driver) - C:\WINDOWS\system32\drivers\e100b325.sys
1R eeCtrl (Symantec Eraser Control driver) - C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
3R EraserUtilRebootDrv - C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
3R HDAudBus (Microsoft UAA Bus Driver for High Definition Audio) - C:\WINDOWS\system32\drivers\Hdaudbus.sys
3R HidIr (Microsoft Infrared HID Driver) - C:\WINDOWS\system32\drivers\hidir.sys
3S HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
3R IrBus (Infrared bus filter driver for eHome remote controls) - C:\WINDOWS\system32\drivers\irbus.sys
1R kbdhid (Keyboard HID Driver) - C:\WINDOWS\system32\drivers\kbdhid.sys
3R LHidFlt2 (Logitech HID/USB Mouse Filter Driver) - C:\WINDOWS\system32\drivers\LHidFlt2.Sys
3R LHidUsb (Logitech USB Receiver device driver) - C:\WINDOWS\system32\drivers\LHidUsb.sys
3R LMouFlt2 (Logitech Mouse Class Filter Driver) - C:\WINDOWS\system32\drivers\LMouFlt2.Sys
3S MHNDRV (MHN driver) - C:\WINDOWS\system32\drivers\mhndrv.sys
3R mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINDOWS\system32\drivers\MSTEE.sys
3R Mtlmnt5 - C:\WINDOWS\system32\drivers\mtlmnt5.sys
3R Mtlstrm - C:\WINDOWS\system32\drivers\mtlstrm.sys
3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINDOWS\system32\drivers\NABTSFEC.sys
3R NAVENG - C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070415.003\NAVENG.SYS
3R NAVEX15 - C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070415.003\NAVEX15.SYS
3S NdisIP (Microsoft TV/Video Connection) - C:\WINDOWS\system32\drivers\NdisIP.sys
3R NIC1394 (1394 Net Driver) - C:\WINDOWS\system32\drivers\nic1394.sys
3S NtMtlFax - C:\WINDOWS\system32\drivers\ntmtlfax.sys
0R ohci1394 (Texas Instruments OHCI Compliant IEEE 1394 Host Controller) - C:\WINDOWS\system32\drivers\ohci1394.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
3R RecAgent - C:\WINDOWS\system32\drivers\recagent.sys
3R sfng32 (Sonic Focus Plugin for Sigmatel HDA) - C:\WINDOWS\system32\drivers\sfng32.sys
0R sisagp (SIS AGP Bus Filter) - C:\WINDOWS\system32\drivers\SISAGP.SYS
3S SLIP (BDA Slip De-Framer) - C:\WINDOWS\system32\drivers\SLIP.sys
3R Slntamr (SmartLink AMR_PCI Driver) - C:\WINDOWS\system32\drivers\slntamr.sys
3R SlNtHal - C:\WINDOWS\system32\drivers\slnthal.sys
3R SlWdmSup - C:\WINDOWS\system32\drivers\slwdmsup.sys
1R SPBBCDrv - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
3R SRTSP - C:\WINDOWS\system32\drivers\srtsp.sys
3S SRTSPL - C:\WINDOWS\system32\drivers\srtspl.sys
1R SRTSPX - C:\WINDOWS\system32\drivers\srtspx.sys
3R STHDA (SigmaTel High Definition Audio CODEC) - C:\WINDOWS\system32\drivers\sthda.sys
3S streamip (BDA IPSink) - C:\WINDOWS\system32\drivers\StreamIP.sys
3R SYMDNS - C:\WINDOWS\system32\drivers\symdns.sys
3R SymEvent - C:\WINDOWS\system32\drivers\SYMEVENT.SYS
3R SYMFW - C:\WINDOWS\system32\drivers\symfw.sys
3R SYMIDS - C:\WINDOWS\system32\drivers\symids.sys
3R SYMIDSCO - C:\Program Files\Common Files\Symantec Shared\SymcData\idsdefs\20070409.003\SymIDSCo.sys
3R SYMNDIS - C:\WINDOWS\system32\drivers\symndis.sys
3R SYMREDRV - C:\WINDOWS\system32\drivers\symredrv.sys
1R SYMTDI - C:\WINDOWS\system32\drivers\symtdi.sys
3S usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S usbohci (Microsoft USB Open Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbohci.sys
3R USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
0R viaagp (VIA AGP Bus Filter) - C:\WINDOWS\system32\drivers\VIAAGP.SYS
3R WFPVRBAR (WinFast PVR2000 WDM Crossbar) - C:\WINDOWS\system32\drivers\WFPVRBAR.sys
2R WFPVRENC (WinFast PVR2000 MPEG Encoder(PAL)) - C:\WINDOWS\system32\drivers\wfpvrenc.sys
2R WFPVRTUNER (WinFast PVR2000 WDM Tuner) - C:\WINDOWS\system32\drivers\wfpvrtun.sys
2R WFPVRVIDEO (WinFast PVR2000 WDM Video Capture) - C:\WINDOWS\system32\drivers\wfpvrcap.sys
3S WSTCODEC (World Standard Teletext Codec) - C:\WINDOWS\system32\drivers\WSTCODEC.SYS
3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2R Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe
2R Automatic LiveUpdate Scheduler - "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
2R ccEvtMgr (Symantec Event Manager) - "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
2R ccSetMgr (Symantec Settings Manager) - "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
2R CLTNetCnService (Symantec Lic NetConnect service) - "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
3S comHost (COM Host) - "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe"
2R ehRecvr (Media Center Receiver Service) - C:\WINDOWS\eHome\ehRecvr.exe
2R ehSched (Media Center Scheduler Service) - C:\WINDOWS\eHome\ehSched.exe
3S ISPwdSvc (Symantec IS Password Validation) - "C:\Program Files\Norton Internet Security\isPwdSvc.exe"
3S LiveUpdate - "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
2R McrdSvc (Media Center Extender Service) - C:\WINDOWS\ehome\mcrdsvc.exe
3S MHN - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R SLService (SmartLinkService) - slserv.exe
3R Symantec Core LC - "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
2R SymAppCore (Symantec AppCore Service) - "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"
3S UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe
3R usnjsvc (Messenger Sharing Folders USN Journal Reader service) - "C:\Program Files\MSN Messenger\usnsvc.exe"
3S Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
2S LiveUpdate Notice Service - "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll"
2S LiveUpdate Notice Ex (LiveUpdate Notice Service Ex) - "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon


-- Scheduled Tasks -------------------------------------------------------------

2007-03-26 20:57:11 578 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Lexi and Pat.job<NORTON~1.JOB>
2007-03-06 00:02:23 258 --a------ C:\WINDOWS\Tasks\Registration reminder 3.job<REGIST~3.JOB>


-- Files created between 2007-03-15 and 2007-04-15 -----------------------------

2007-04-14 19:55:03 22112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-04-14 18:01:40 79360 --a------ C:\WINDOWS\system32\CNBJMON2.DLL
2007-04-14 18:01:35 25856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-12 17:51:51 106767 --a------ C:\WINDOWS\tutqon.dll
2007-04-12 17:33:27 19216 --a------ C:\WINDOWS\system32\icaailt.dll
2007-04-10 18:35:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision<MACROV~1>
2007-04-10 18:35:28 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared<ADOBES~1>
2007-04-10 18:13:55 16384 --a------ C:\WINDOWS\system32\FileOps.exe
2007-04-10 18:13:55 0 d-------- C:\WINDOWS\system32\Adobe
2007-04-09 22:17:20 36926 --a------ C:\WINDOWS\system32\lsasss.exe
2007-04-09 22:17:16 0 d-------- C:\WINDOWS\system32\bak
2007-04-09 18:00:22 0 d-------- C:\WINDOWS\LastGood
2007-04-01 18:18:27 0 d-------- C:\WINDOWS\Sun
2007-03-26 20:50:58 0 d-------- C:\Program Files\Norton Internet Security<NORTON~1>
2007-03-26 20:50:02 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-03-26 20:50:02 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-03-26 20:49:45 0 d-------- C:\Program Files\Symantec
2007-03-26 20:49:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-03-26 20:44:08 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>


-- Find3M Report ---------------------------------------------------------------

2007-04-15 19:24:47 0 d-------- C:\Program Files\Java
2007-04-12 02:32:52 0 d---s---- C:\Documents and Settings\Lexi and Pat\Application Data\Microsoft<MICROS~1>
2007-04-10 18:39:22 0 d-------- C:\Documents and Settings\Lexi and Pat\Application Data\Adobe
2007-04-10 18:13:55 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-10 18:11:59 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-09 22:17:19 0 d-------- C:\Program Files\Intel Audio Studio<INTELA~1>
2007-04-09 22:17:16 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-04-03 18:01:38 0 d-------- C:\Program Files\World of Warcraft<WORLDO~1>
2007-03-12 08:27:30 0 d-------- C:\Program Files\LimeWire
2007-03-08 18:57:07 0 d-------- C:\Documents and Settings\Lexi and Pat\Application Data\Real
2007-03-06 06:48:04 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment<BLIZZA~1>
2007-03-06 05:49:34 0 d-------- C:\Documents and Settings\Lexi and Pat\Application Data\Help
2007-03-06 00:08:27 0 d-------- C:\Documents and Settings\Lexi and Pat\Application Data\Macromedia<MACROM~1>
2007-01-18 18:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"ATIPTA"="\"C:\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SigmatelSysTrayApp"="sttray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"IntelAudioStudio"="\"C:\\Program Files\\Intel Audio Studio\\IntelAudioStudio.exe\" TRAY"
"CHotkey"="C:\\APPS\\Chicony\\chicony.bat"
"RemoteControl"="C:\\APPS\\CyberLink\\PowerDVD\\PDVDServ.exe"
"Logitech Utility"="Logi_MwX.Exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"
"BootService"="rundll32.exe \"C:\\WINDOWS\\tutqon.dll\",realset"
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\icaailt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ADOBE_LM_SERVICE
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ERASERUTILREBOOTDRV
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_LIVEUPDATE_NOTICE_EX
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_LIVEUPDATE_NOTICE_SERVICE
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_UDFS


-- End of ComboScan: finished at 2007-04-15 at 19:32:01 ------------------------


#2 miekiemoes

Malware Response Team

Posted 16 April 2007 - 01:52 AM

Hello,

Did you ever scan with your antivirus? Or is your antivirus up to date?
Because I see some malware present here which your scanner should remove.

Please make sure you follow the next instructions in exactly the way I describe, without missing any step and in the right order!

* Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.
  • Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
  • In the window, copy and paste the following into the first field: C:\WINDOWS\SYSTEM32\icaailt.dll
  • Click the Add Files button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions, starting from "Click the Scan for Vundo button", when VundoFix appears at reboot.

After reboot,

* Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Do not run the scan yet.
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmpD8.tmp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {91b79bfe-c50b-4914-a509-01921b0ca030} - C:\WINDOWS\system32\icaailt.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\tutqon.dll",realset
O20 - AppInit_DLLs:
O20 - Winlogon Notify: icaailt - C:\WINDOWS\SYSTEM32\icaailt.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Start AVG Anti-Spyware.
  • Click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware.
Reboot your computer.

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after the reboot (in case it asks to reboot), it should open a log, combofix.txt.

* Please download the following file to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Run the file. This will open a log.

Post the following logs in your next reply:

* Log from AVG Antispyware
* Log from Combofix (combofix.txt)
* Log from FindAWF
* New HijackThislog

You may need more than one reply to post the logs.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
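An added triage example, not part of this thread and not anything HijackThis or ComboScan does on its own, that turns the by-eye checks applied to the log in post #1 and the fix list in post #2 into code. It reads the "Running processes", O2, O4 and O20 lines plus the "Files created" section and flags the patterns a responder looks for: a process or autorun launched from a temporary directory, a file name one edit away from a core Windows process name (lsasss.exe for lsass.exe, registered under a Run value whose name claims to be a Lexmark printer component), an unnamed BHO whose file is missing, is named like a temp file, or sits directly in the Windows directory, a rundll32 autorun loading a DLL from the Windows root, and a Winlogon Notify package outside the set Windows XP installs itself. Each hit carries the file's creation time when the log lists one. The sample log is constructed from lines of the log above; the core-process list, the Winlogon Notify allow-list and the one-edit threshold are my assumptions, not anything published by the tool. Two deliberate edges: the empty "O20 - AppInit_DLLs:" value is not flagged because an empty value loads nothing (it was included in the fix list above anyway), and comboscan[1].exe trips the temp-directory rule because the scanner was run straight from the browser cache, exactly the kind of hit a human reviewer reads and dismisses.

```python
"""Triage a HijackThis/ComboScan log with the checks a malware responder applies by eye."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Set

# Constructed sample: lines copied from the log in post #1, trimmed to what the heuristics read.
SAMPLE_LOG = r"""
Running processes:
c:\windows\temp\svcipa.exe
C:\Documents and Settings\Lexi and Pat\Local Settings\Temporary Internet Files\Content.IE5\GHIPQ9IR\comboscan[1].exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmpD8.tmp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {91b79bfe-c50b-4914-a509-01921b0ca030} - C:\WINDOWS\system32\icaailt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\tutqon.dll",realset
O20 - AppInit_DLLs:
O20 - Winlogon Notify: icaailt - C:\WINDOWS\SYSTEM32\icaailt.dll
2007-04-12 17:51:51 106767 --a------ C:\WINDOWS\tutqon.dll
2007-04-12 17:33:27 19216 --a------ C:\WINDOWS\system32\icaailt.dll
2007-04-09 22:17:20 36926 --a------ C:\WINDOWS\system32\lsasss.exe
"""

SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "explorer.exe", "spoolsv.exe"}  # names malware likes to imitate
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
                "senslogn", "termsrv", "wlballoon"}  # XP's own Winlogon Notify packages (assumed list)
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")
WINDIR, SYS32 = "c:\\windows", "c:\\windows\\system32"
PROC_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)  # a bare path is a "Running processes" entry
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<pkg>\S+) - (?P<path>.*)$")
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) +\d+ +\S+ +(?P<path>.+)$")

@dataclass(frozen=True)
class Finding:
    line: str                      # log line exactly as HijackThis printed it
    reason: str                    # heuristic that fired
    created: Optional[str] = None  # timestamp from the "Files created" section, if listed

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a core process name is a classic disguise."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(basename: str) -> Optional[str]:
    """The core Windows process that `basename` imitates by a single edit, or None."""
    name = basename.lower()
    return None if name in SYSTEM_NAMES else next((s for s in SYSTEM_NAMES if edit_distance(name, s) == 1), None)

def first_path(cmd: str) -> str:
    """Target of a Run value: the DLL handed to rundll32 if present, else the (maybe quoted) exe."""
    m = re.match(r'^rundll32(?:\.exe)?\s+"?([^",]+)', cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0])

def triage(log: str) -> List[Finding]:
    """Run every heuristic over the log and return what a responder should look at first."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    created = {m["path"].lower(): m["ts"] for m in map(CREATED_RE.match, lines) if m}
    in_temp = lambda p: any(t in p.lower() for t in TEMP_MARKERS)
    parent = lambda p: str(PureWindowsPath(p).parent).lower()
    findings: List[Finding] = []
    flag = lambda line, why, path: findings.append(Finding(line, why, created.get(path.lower())))
    for line in lines:
        if PROC_RE.match(line) and in_temp(line):
            flag(line, "process running from a temporary directory", line)
        elif (m := O2_RE.match(line)) and m["name"] == "(no name)":
            path = m["path"]
            if path == "(no file)":
                flag(line, "orphaned BHO: CLSID registered but the DLL is gone", path)
            elif re.match(r"^tmp[0-9a-f]+\.tmp", PureWindowsPath(path).name.lower()):
                flag(line, "unnamed BHO loads a DLL named like a temp file", path)
            elif parent(path) in (WINDIR, SYS32):  # legitimate BHOs live under Program Files
                flag(line, "unnamed BHO dropped straight into the Windows directory", path)
        elif (m := O4_RE.match(line)):
            target = first_path(m["cmd"])
            fake = lookalike(PureWindowsPath(target).name)
            if in_temp(target):
                flag(line, "autorun from a temporary directory", target)
            elif fake:
                flag(line, f"autorun binary name imitates {fake}", target)
            elif target.lower().endswith(".dll") and parent(target) == WINDIR:
                flag(line, "rundll32 autorun loads a DLL dropped into the Windows root", target)
        elif (m := O20_RE.match(line)) and m["pkg"].lower() not in KNOWN_NOTIFY:
            flag(line, "Winlogon Notify package outside the Windows XP default set", m["path"])
    return findings

def fix_list(log: str) -> Set[str]:
    """Lines to tick under 'Fix checked'; processes are left out because HijackThis does not kill them."""
    return {f.line for f in triage(log) if f.line.startswith("O")}
```

Call triage() for the full list of findings, or fix_list() for just the O2/O4/O20 lines to tick; the six lines it returns for the sample are the entries from the fix list in post #2 minus the empty AppInit_DLLs value. The creation timestamps it attaches put lsasss.exe on 9 April and tutqon.dll and icaailt.dll on 12 April, a few days before the log was taken, which lines up with the "couple of days ago" onset described in post #1. It also surfaces svcipa.exe running out of c:\windows\temp, which appears in the process list above but in neither the "Files created" section nor the fix list, so a responder would want to look at that file as well.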

#3 miekiemoes


Posted 25 April 2007 - 05:06 PM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



