Hi Jack This Log Need Analysis Please!


7 replies to this topic

#1 rasmusse


Posted 16 May 2007 - 01:54 PM

I'm trying to figure out what the problem is with my computer. It seems that every time I roll over the file below, my computer kicks me out of that folder and my screen goes blank, then comes back with everything shut down. I've tried running Ad-aware and it hangs/freezes right on this file as well. Same instance when I tried running my anti-virus software. I have tried numerous times and several ways to delete this file and it will not delete from my computer. I need some serious help. The file that continues to haunt me is C:\documents and settings\rasmusse\My Documents\My Music\Artic Monkeys.

Please help! Before more damage is done than probably already has been.

Thanks,
rasmusse


#2 RichieUK (Malware Response Team)

Posted 17 May 2007 - 06:11 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, rasmusse.

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

***********************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
Post all your replies directly into this topic, not as attachments, thanks.


#3 rasmusse


Posted 17 May 2007 - 11:09 AM

Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdfyq.exe"

»»»»»

"rasmusse" - 2007-05-17 8:46:18 Service Pack 2
ComboFix 07-05.17.6.V - Running from: "C:\Documents and Settings\rasmusse\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-17 ))))))))))))))))))))))))))))))))))


2007-05-17 08:42 6,217 --a------ C:\dnsbak.reg
2007-05-16 10:39 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-14 16:15 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-05-14 16:15 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-05-14 16:15 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-05-14 16:15 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-05-14 16:15 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-05-14 16:15 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-05-14 16:15 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-05-14 16:15 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-05-14 16:15 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-05-14 16:15 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-05-14 16:15 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-05-14 16:15 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-05-14 16:15 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-05-14 16:15 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-05-14 10:18 110,592 --a------ C:\WINDOWS\system32\ICFCONFIG.EXE
2007-05-14 10:08 <DIR> d-------- C:\WINDOWS\system32\ldevents
2007-05-14 10:07 86,067 --a------ C:\WINDOWS\system32\nts.dll
2007-05-14 10:07 77,878 --a------ C:\WINDOWS\system32\pds.dll
2007-05-14 10:07 77,824 --a------ C:\WINDOWS\system32\loc32vc0.dll
2007-05-14 10:07 41,017 --a------ C:\WINDOWS\system32\msgsys.dll
2007-05-14 10:07 4,096 --a------ C:\WINDOWS\system32\ptbPWOFF.dll
2007-05-14 10:07 4,096 --a------ C:\WINDOWS\system32\korPWOFF.dll
2007-05-14 10:07 4,096 --a------ C:\WINDOWS\system32\jpnPWOFF.dll
2007-05-14 10:07 4,096 --a------ C:\WINDOWS\system32\itaPWOFF.dll
2007-05-14 10:07 4,096 --a------ C:\WINDOWS\system32\fraPWOFF.dll
2007-05-14 10:07 4,096 --a------ C:\WINDOWS\system32\espPWOFF.dll
2007-05-14 10:07 4,096 --a------ C:\WINDOWS\system32\enuPWOFF.dll
2007-05-14 10:07 4,096 --a------ C:\WINDOWS\system32\deuPWOFF.dll
2007-05-14 10:07 4,096 --a------ C:\WINDOWS\system32\chtPWOFF.dll
2007-05-14 10:07 4,096 --a------ C:\WINDOWS\system32\chsPWOFF.dll
2007-05-14 10:07 36,935 --a------ C:\WINDOWS\system32\amslib.dll
2007-05-14 10:07 33,792 --a------ C:\WINDOWS\system32\LDCmd32.EXE
2007-05-14 10:07 3,712 --a------ C:\WINDOWS\system32\drivers\mirrorflt.sys
2007-05-14 10:07 3,328 --a------ C:\WINDOWS\system32\drivers\ldmirror.sys
2007-05-14 10:07 28,729 --a------ C:\WINDOWS\system32\msgsys.exe
2007-05-14 10:07 28,723 --a------ C:\WINDOWS\system32\cba.dll
2007-05-14 10:07 18,944 --a------ C:\WINDOWS\system32\poweroff.exe
2007-05-14 10:07 18,944 --a------ C:\WINDOWS\system32\ELOGAPI.DLL
2007-05-14 10:07 15,104 --a------ C:\WINDOWS\system32\ldmirror.dll
2007-05-14 10:07 11,904 --a------ C:\WINDOWS\system32\drivers\ldblank.sys
2007-05-14 10:07 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-05-14 10:07 <DIR> d-------- C:\WINDOWS\system32\cba
2007-05-14 10:07 <DIR> d-------- C:\Program Files\LANDesk
2007-05-14 10:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vulScan
2007-05-14 08:14 7,680 --a------ C:\WINDOWS\system32\drivers\RKL17.tmp.sys
2007-05-11 10:09 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-05-10 15:36 <DIR> d-------- C:\VSNETSamples
2007-05-08 17:55 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2007-05-08 10:55 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-04 16:03 <DIR> d-------- C:\Program Files\MSBuild
2007-05-04 16:00 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-04 15:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-05-04 15:58 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-05-04 15:53 <DIR> d-------- C:\bcd7af713be53c9b9505f9c686
2007-05-04 10:24 <DIR> d-------- C:\WINDOWS\system32\DRM
2007-05-03 14:53 159,744 --a------ C:\WINDOWS\system32\igfxsrvc.exe
2007-05-03 14:53 <DIR> d-------- C:\Dell
2007-05-03 14:25 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\iolo
2007-05-03 08:51 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-05-03 08:31 <DIR> d-------- C:\WINDOWS\ms
2007-05-03 08:30 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-05-03 08:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\iolo
2007-05-02 08:22 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2007-05-01 14:33 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-04-30 17:36 <DIR> d-------- C:\Program Files\Microsoft Plus! Digital Media Edition
2007-04-30 14:11 696,320 --a------ C:\WINDOWS\system32\libeay32.dll
2007-04-30 14:11 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-04-30 14:10 435,816 --a------ C:\WINDOWS\system32\Incinerator.dll
2007-04-30 14:10 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-04-30 14:10 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2007-04-30 14:10 <DIR> d-------- C:\Program Files\iolo
2007-04-30 14:08 <DIR> d-------- C:\DOCUME~1\rasmusse\APPLIC~1\iolo
2007-04-30 14:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo
2007-04-30 11:32 7,680 --a------ C:\WINDOWS\system32\drivers\RKL7E.tmp.sys
2007-04-30 08:30 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 16:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-04-24 10:08 <DIR> d-------- C:\Program Files\AskTBar
2007-04-24 09:54 <DIR> d-------- C:\DOCUME~1\rasmusse\APPLIC~1\Ahead
2007-04-24 09:51 <DIR> d-------- C:\Program Files\Nero
2007-04-24 09:51 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-04-24 08:27 7,680 --a------ C:\WINDOWS\system32\drivers\RKL22.tmp.sys
2007-04-23 13:55 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-04-20 13:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-09 15:55:33 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-08 18:11:15 -------- d-----w C:\Program Files\SPSS
2007-05-08 18:07:54 -------- d-----w C:\Program Files\Roxio
2007-05-04 22:55:05 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-03 15:31:21 -------- d-----w C:\Program Files\Network Associates
2007-05-03 15:30:42 -------- d-----w C:\Program Files\Windows Media Components
2007-05-03 15:30:40 -------- d-----w C:\DOCUME~1\rasmusse\APPLIC~1\Lavasoft
2007-05-03 15:23:14 -------- d-----w C:\DOCUME~1\rasmusse\APPLIC~1\OfficeUpdate12
2007-04-18 20:51:03 -------- d-----w C:\Program Files\Yahoo!
2007-04-18 20:42:03 -------- d-----w C:\Program Files\RM to MP3 Converter
2007-04-18 20:41:24 -------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP
2007-04-18 20:38:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 20:37:55 -------- d-----w C:\Program Files\Actual Title Buttons
2007-04-12 12:30:25 -------- d-----w C:\Program Files\Google
2007-04-12 00:38:48 -------- d-----w C:\DOCUME~1\rasmusse\APPLIC~1\Google
2007-04-10 02:00:04 -------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-04-09 09:06:20 140,136 ----a-w C:\WINDOWS\system32\MicrosoftUpdateCatalogWebControl.dll
2007-04-03 18:28:25 -------- d-----w C:\Program Files\iTunes
2007-04-03 18:28:16 -------- d-----w C:\Program Files\iPod
2007-03-23 13:07:56 1,683,280 ----a-w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 13:07:54 583,504 ----a-w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 03:25:02 124,928 ----a-w C:\WINDOWS\system32\prntvpt.dll
2007-03-22 20:17:57 -------- d-----w C:\Program Files\Star Downloader
2007-03-22 19:10:25 -------- d-----w C:\DOCUME~1\rasmusse\APPLIC~1\StumbleUpon
2007-03-22 16:08:17 -------- d-----w C:\DOCUME~1\rasmusse\APPLIC~1\Apple Computer
2007-03-19 15:53:45 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 21:11:28 -------- d-----w C:\DOCUME~1\rasmusse\APPLIC~1\Actual Tools
2007-03-16 19:28:18 -------- d-----w C:\Program Files\QuickTime
2007-03-16 19:25:45 -------- d-----w C:\Program Files\Apple Software Update
2007-03-14 15:30:53 -------- d-----w C:\Program Files\ImageNow
2007-03-13 15:09:59 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-12 21:51:04 -------- d-----w C:\Program Files\IIS Resources
2007-03-09 18:59:35 -------- d-----w C:\DOCUME~1\rasmusse\APPLIC~1\Help
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 17:20:49 -------- d-----w C:\Program Files\Tag Support Plugin for Media Player
2007-03-07 01:03:23 -------- d-----w C:\Program Files\Windows Installer Clean Up
2007-03-07 01:03:12 -------- d-----w C:\Program Files\MSECache
2007-03-07 00:54:12 -------- d-----w C:\Program Files\Take Note
2007-03-05 21:34:28 676,224 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-12-07 16:06]
{42691FBE-E73B-4D64-8322-DCE8247ED44C}=C:\Program Files\Online Services\hose.dll []
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 05:20]
{638145A9-5731-4622-B9D0-03C789A43128}=C:\Program Files\Online Services\hose.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-04-11 14:34]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 15:56]
{BF4FF476-F0D6-4F43-8630-E5C7FE1A6BE9}=C:\Program Files\Online Services\hose.dll []
{CBB6FB90-08A0-4EE0-938A-45856B3EB67A}=C:\Program Files\Online Services\hose.dll []
{CD4E2748-FF22-4405-8FDC-EB20F938ECC6}=C:\Program Files\Online Services\hose.dll []
{DABE6408-BF78-41F1-9E48-FB59691831E5}=C:\Program Files\Online Services\hose.dll []


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 03:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 10:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALF-PID42.exe"="C:\WINDOWS\system32\ALF-PID42.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-11 14:34]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 12:12]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"="blaster.exe"
"2"="msblast.exe"
"3"="bleep32.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-1229272821-1326574676-682003330-61543\scripts\logon\0\0
script REG_SZ \\chapman.edu\SysVol\chapman.edu\scripts\tightvnc.bat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-1229272821-1326574676-682003330-75827\scripts\logon\0\0
script REG_SZ \\chapman.edu\SysVol\chapman.edu\scripts\OutlookProfileGenerator.bat


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
HTTPFilter HTTPFilter
DcomLaunch DcomLaunch TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*newlycreated* -ENTDRV51
*newlycreated* -PROCEXP90

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-17 08:49:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-17 8:49:31
C:\ComboFix-quarantined-files.txt ... 2007-05-17 08:49


--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 08:59, on 2007-05-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZipm12.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\ImageNow\ImageTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\rasmusse\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chapman.edu/staff/ocstaff.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.chapman.edu/staff/ocstaff.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42691FBE-E73B-4D64-8322-DCE8247ED44C} - C:\Program Files\Online Services\hose.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {638145A9-5731-4622-B9D0-03C789A43128} - C:\Program Files\Online Services\hose.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {BF4FF476-F0D6-4F43-8630-E5C7FE1A6BE9} - C:\Program Files\Online Services\hose.dll (file missing)
O2 - BHO: (no name) - {CBB6FB90-08A0-4EE0-938A-45856B3EB67A} - C:\Program Files\Online Services\hose.dll (file missing)
O2 - BHO: (no name) - {CD4E2748-FF22-4405-8FDC-EB20F938ECC6} - C:\Program Files\Online Services\hose.dll (file missing)
O2 - BHO: (no name) - {DABE6408-BF78-41F1-9E48-FB59691831E5} - C:\Program Files\Online Services\hose.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ALF-PID42.exe] C:\WINDOWS\system32\ALF-PID42.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: imagetray.lnk = C:\Program Files\ImageNow\ImageTray.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.chapman.edu/staff/ocstaff.asp
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted IP range: http://71.32.43.199
O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control) - http://install.anark.com/client/version4/w...en/AMClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v...b?1178745393394
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152145505468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152145542453
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...021/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chapman.edu
O17 - HKLM\Software\..\Telephony: DomainName = chapman.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZipm12.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe

Here ya go! Thanks for your time! - rasmusse

#4 RichieUK (Malware Response Team)

Posted 17 May 2007 - 11:21 AM

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\ALF-PID42.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply please.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\ALF-PID42.exe
Then click on 'Send'.
Post the results into your next reply please.
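The entry RichieUK singles out from the log above is the HKCU Run value for ALF-PID42.exe. As an added example, not part of this thread and not code from HijackThis or ComboFix, here is a small Python triage script that pulls out the kinds of entries an analyst reads first: load points whose file is missing, unnamed BHOs, Run-key targets for which ComboFix printed no file date, a raw IP in the Trusted zone, and downloaded ActiveX controls with no description. The rules and the two sample inputs are my own construction, built from lines quoted from the logs in this thread.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted
# in this thread (not the complete log).
HJT_SAMPLE = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {42691FBE-E73B-4D64-8322-DCE8247ED44C} - C:\Program Files\Online Services\hose.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ALF-PID42.exe] C:\WINDOWS\system32\ALF-PID42.exe
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted IP range: http://71.32.43.199
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152145505468
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
"""

# Constructed sample: the matching "Reg Loading Points" lines from the ComboFix
# log in this thread. ComboFix prints a timestamp for the target file in
# brackets; an empty "[]" means it recorded no file date, which is a cue to
# check whether the file is really present, not a verdict on its own.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALF-PID42.exe"="C:\WINDOWS\system32\ALF-PID42.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-11 14:34]
"""

# HijackThis lines look like "O4 - <rest>"; ComboFix Run-key lines look like
# "name"="path" [timestamp].
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.*)$")
CF_RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<stamp>[^\]]*)\]$')
O4_ENTRY = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_ENTRY = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} (?P<desc>\([^)]*\) )?- (?P<target>.*)$")


def parse_combofix_run_keys(text):
    """Map each Run-key value name to the timestamp ComboFix printed ('' if none)."""
    stamps = {}
    for line in text.splitlines():
        m = CF_RUN_LINE.match(line.strip())
        if m:
            stamps[m.group("name")] = m.group("stamp").strip()
    return stamps


def triage(hjt_text, combofix_text):
    """Return (code, reason, line) triples for the entries to inspect first."""
    stamps = parse_combofix_run_keys(combofix_text)
    findings = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        # Any load point whose target HijackThis could not find on disk.
        if rest.endswith("(file missing)"):
            findings.append((code, "load point references a file not found on disk", line))
        # BHOs normally carry a product name; an unnamed one deserves a look.
        if code == "O2" and rest.startswith("BHO: (no name)"):
            findings.append((code, "unnamed Browser Helper Object", line))
        # Cross-check Run-key autostarts against ComboFix's recorded file dates.
        if code == "O4":
            e = O4_ENTRY.match(rest)
            if e is not None and stamps.get(e.group("name")) == "":
                findings.append((code, "ComboFix recorded no file date for this autorun target", line))
        # A bare IP address in the Trusted zone loosens IE's security for that host.
        if code == "O15" and rest.startswith("Trusted IP range:"):
            findings.append((code, "raw IP address in the Trusted zone", line))
        # Downloaded ActiveX controls (DPF) normally register a description.
        if code == "O16":
            d = O16_ENTRY.match(rest)
            if d is not None and d.group("desc") is None:
                findings.append((code, "downloaded ActiveX control with no description", line))
    return findings


def main():
    for code, reason, line in triage(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print(f"[{code}] {reason}\n    {line}")


if __name__ == "__main__":
    main()
```

The empty-bracket rule is a prompt to inspect, not a verdict: in the full ComboFix output above the two Nero entries (NeroFilterCheck and NMBgMonitor) also show "[]", so each hit still needs the kind of file check RichieUK asks for.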

#5 rasmusse


Posted 17 May 2007 - 08:00 PM

I have a problem: I do not have the file ALF-PID42.exe.

#6 RichieUK (Malware Response Team)

Posted 18 May 2007 - 03:54 AM

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Then try the file scan again please.
Restart your pc and post a new Hijackthis log in your next reply.

Edited by RichieUK, 18 May 2007 - 03:58 AM.


#7 rasmusse


Posted 18 May 2007 - 11:06 AM

Hello there,

I tried the above actions and also searched all files and folders on my computer, including hidden ones, and it still finds nothing??? Please help!!!

Thanks,
rasmusse

#8 RichieUK (Malware Response Team)

Posted 18 May 2007 - 12:36 PM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Also post a new Hijackthis log please.