
Unable To Remove Pop-ups


25 replies to this topic

#1 O-turn

  • Members
  • 21 posts

Posted 24 May 2007 - 01:21 PM

Ran HijackThis per another member's request; this is what it pulled. Any suggestions? Thanks in advance!


Brian



Logfile of HijackThis v1.99.1
Scan saved at 2:12:06 PM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Documents and Settings\hodgson.POLTDESIGN\My Documents\T?sks\csrss.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Autodesk Architectural Desktop 2007\acad.exe
C:\DOCUME~1\HODGSO~1.POL\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1135805040\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb13.exe
O4 - HKLM\..\Run: [HPHUPD06] "C:\Program Files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] "C:\WINDOWS\retadpu1000272.exe" 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [{88-85-58-8F-ZN}] c:\windows\system32\nqdsregj.exe SKY002
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\yabbcd.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [Tvwprwor] "C:\Documents and Settings\hodgson.POLTDESIGN\My Documents\T?sks\csrss.exe"
O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\PPATCH~1\ati2evxx.exe" -vt ndrv
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...l?noreloadredir
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PoltDesign.local
O17 - HKLM\Software\..\Telephony: DomainName = PoltDesign.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{53DCA578-EAE7-4E05-A9FB-49FBDC745272}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6CB82B3-743B-4B5B-A5F3-67DCDDA52A87}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PoltDesign.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer = 194.54.90.226
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\Program Files\Common Files\Repro Desk\PmProtocol.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



#2 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 24 May 2007 - 02:29 PM

Hello O-turn and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts. I will be analyzing your log now, and be back with you as soon as possible!

Regards,
SNOWHITE

#3 O-turn

  • Topic Starter
  • Members
  • 21 posts

Posted 24 May 2007 - 04:03 PM

I appreciate it, Snowhite. I've been running scans all day long :thumbsup:

My home desktop is having this same problem; I'm gonna try this method there as well. This is frustrating, to say the least!

#4 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 25 May 2007 - 12:29 PM

Hello O-turn,

Your computer is very infected :thumbsup: Can you tell me whether your antivirus is working properly? I see only one service running which is connected with Norton, but nothing else. Even if we clean your computer, if you don't have an antivirus or it's not working properly, your computer will get reinfected the first time you connect to the internet.

This IP address 194.54.90.226 points to Ukraine << Do you live in Ukraine?

There is a backdoor trojan detected on your system. This gives hackers full access to everything stored on the computer!
I recommend these actions:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorised transactions

more info can be found here:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

and finally some more considerations:

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

if you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
--------------------------------------------------------------------

If you decide, after all, not to re-format, you can follow the steps below, but I can't promise you that you can trust this computer much.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Follow the steps below:

Step 1

We must disable the Real-Time Protection feature of Windows Defender for it may interfere with the changes we need to make.

To disable Real-Time Protection:
  • Go to "Tools" | "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on real-time protection (recommended)"
  • Remember to reactivate this feature when we have finished all our work.
Step 2

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Step 3

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum

Step 4

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #5 - Search and clean DNS hijack by typing 5 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Please post back with the ComboFix scan report, the SDFix scan report and the SmitfraudFix scan report. When you're done with the steps above, run a new scan with HijackThis and post the new log here.

Edited by SNOWHITE, 25 May 2007 - 12:30 PM.

SNOWHITE
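Added example (not from this thread, not a HijackThis feature): the script below encodes the checks a log reader applies to the O1/O4/O17/O20 lines of the log in post #1, the same lines SNOWHITE's reply turns on (the public NameServer 194.54.90.226, the hosts override, csrss.exe living under My Documents, the AppInit_DLLs entry). The sample lines are copied from that log; the system-binary name list, directory lists and the "public address is suspect" rule are this example's assumptions, and the `?` in `T?sks` is taken to stand in for a character the log could not render.

```python
"""Rule-based triage of HijackThis v1.99 log lines (added example).

Rules, as a log reader applies them:
  O1  hosts-file overrides (a domain forced to an attacker-chosen address)
  O4  autostart image that uses a Windows system-binary name outside system32,
      lives in a user profile, has an unrenderable character in its path, or is
      loaded straight out of the Windows root directory
  O17 per-interface NameServer values that are public rather than LAN addresses
  O20 AppInit_DLLs, which Windows loads into every process that uses user32.dll
Name lists and thresholds below are assumptions for this example, not a standard.
"""
import ipaddress
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 200.124.131.116 casinocontroller.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] "C:\WINDOWS\retadpu1000272.exe" 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\yabbcd.dll",realset
O4 - HKCU\..\Run: [Tvwprwor] "C:\Documents and Settings\hodgson.POLTDESIGN\My Documents\T?sks\csrss.exe"
O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\PPATCH~1\ati2evxx.exe" -vt ndrv
O17 - HKLM\System\CCS\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
"""

# Names that belong only in %WINDIR%\system32 on XP (assumed list for this example).
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "smss.exe", "winlogon.exe",
                "lsass.exe", "services.exe", "spoolsv.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\system")
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")

_O4 = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
_O17 = re.compile(r'^O17 - .*NameServer = (?P<servers>.+)$')
_O20 = re.compile(r'^O20 - AppInit_DLLs: (?P<path>.+)$')


def image_path(cmd):
    """The file an O4 command really loads: the first quoted path if there is
    one, else the first token. For rundll32.exe "x.dll",entry that is the DLL."""
    m = re.search(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def check_o4(cmd):
    path = image_path(cmd)
    low = path.lower()
    parent, _, base = low.rpartition("\\")
    reasons = []
    if base in SYSTEM_NAMES and parent and not parent.startswith(SYSTEM_DIRS):
        reasons.append(f"{base} is a system binary name but lives outside system32")
    if "documents and settings" in low or "docume~1" in low:
        reasons.append("autostart image inside a user profile")
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("path contains a character the log could not render")
    if parent in WINDOWS_ROOTS:
        reasons.append("image loaded straight from the Windows root directory")
    return reasons


def check_o17(servers):
    reasons = []
    for s in servers.replace(",", " ").split():
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            reasons.append(f"NameServer value {s!r} is not an IP address")
            continue
        if not ip.is_private:
            reasons.append(f"NameServer {ip} is a public address; a domain-joined "
                           "workstation should resolve through its internal DNS")
    return reasons


def check_o20(path):
    reasons = ["AppInit_DLLs is set: this DLL is injected into every user32 process"]
    if not path.lower().endswith(".dll"):
        reasons.append(f"AppInit_DLLs target has a non-DLL extension (.{path.rsplit('.', 1)[-1]})")
    return reasons


def triage(log_text):
    """Return one finding per suspicious line: {'line': ..., 'reasons': [...]}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if line.startswith("O1 - Hosts:"):
            reasons = ["hosts-file override: " + line.split(":", 1)[1].strip()]
        elif line.startswith("O4 - "):
            m = _O4.match(line)
            reasons = check_o4(m.group("cmd")) if m else []
        elif line.startswith("O17 - "):
            m = _O17.match(line)
            reasons = check_o17(m.group("servers")) if m else []
        elif line.startswith("O20 - "):
            m = _O20.match(line)
            reasons = check_o20(m.group("path")) if m else []
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

Run as-is it flags six of the eight sample lines and leaves the Java updater and the `Arma` entry alone; the `Arma` line is the reminder that rules only catch what they encode (an 8.3 short name like PPATCH~1 hides the odd characters ComboFix later showed in that folder name), so a clean pass from a script like this is a starting point for a human read, not a verdict.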

#5 O-turn

  • Topic Starter
  • Members
  • 21 posts

Posted 29 May 2007 - 02:50 PM

First, I wanted to thank you for your help to date! This has taught me a lot.

Now for the logs after I spent all day today running these sweeps!

First up is the ComboFix Log:

"hodgson" - 2007-05-29 11:19:05 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\hodgson.POLTDESIGN\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aqxfadbv.dll
C:\WINDOWS\system32\dxqgjudk.dll
C:\WINDOWS\system32\lvsarmny.dll
C:\WINDOWS\system32\tubcpghc.dll
C:\WINDOWS\system32\uafgvwxn.dll
C:\WINDOWS\system32\ybhkekry.dll
C:\WINDOWS\system32\awttrqr.dll
C:\WINDOWS\system32\cbxwxxw.dll
C:\WINDOWS\system32\hggdddc.dll
C:\WINDOWS\system32\yayaywv.dll
C:\WINDOWS\system32\vbdafxqa.ini
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak2
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini2
C:\WINDOWS\system32\ilkkj.tmp
C:\WINDOWS\system32\ynmrasvl.ini
C:\WINDOWS\system32\nxwvgfau.ini
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.ini2
C:\WINDOWS\system32\hhkmp.tmp
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak2
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini2
C:\WINDOWS\system32\ilkkj.tmp
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.ini2
C:\WINDOWS\system32\hhkmp.tmp
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak2
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini2
C:\WINDOWS\system32\ilkkj.tmp
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\byxvutu.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\tmp17E.tmp.dll"
"C:\WINDOWS\system32\tmp190.tmp.dll"
"C:\WINDOWS\system32\tmp1C4.tmp.dll"
"C:\WINDOWS\system32\tmp245.tmp.dll"
"C:\WINDOWS\system32\tmp3AC.tmp.dll"
"C:\WINDOWS\system32\tmp4C2.tmp.dll"
"C:\WINDOWS\system32\tmp4C8.tmp.dll"
"C:\WINDOWS\system32\tmp8FA.tmp.dll"
"C:\WINDOWS\system32\tmp9EC.tmp.dll"
"C:\WINDOWS\system32\tmpE1.tmp.dll"
"C:\WINDOWS\system32\tmpEB.tmp.dll"
"C:\Program Files\outerinfo\outerinfo.ico"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\WINDOWS\system32\wsnpoem\audio.dll.cla"
"C:\WINDOWS\system32\smpi1\lib06.exe"
"C:\WINDOWS\system32\smpi1\lib67.exe"
"C:\Temp\17O7\tmpTF.log"
"C:\Program Files\Common Files\svchost.exe"
"C:\WINDOWS\system32\wapisvsu.exe"
"C:\install.log"
"C:\WINDOWS\svchost.exe"
"C:\WINDOWS\system32\ntos.exe"
"C:\WINDOWS\system32\perfc000.dat"
"C:\WINDOWS\system32\dnsersnd.dll"
"C:\Program Files\ipwindows"
"C:\Program Files\outerinfo"
"C:\WINDOWS\system32\smpi1"
"C:\Temp\17O7"
"C:\Temp\tn3"
"C:\WINDOWS\system32\wsnpoem\audio.dll"
"C:\WINDOWS\system32\wsnpoem\video.dll"
"C:\WINDOWS\system32\drivers\core.sys"
C:\WINDOWS\system32\wsnpoem
"C:\WINDOWS\system32\perfc000.dat"

Purity Folders:

C:\Program Files\PPATCH~1
C:\DOCUME~1\HODGSO~1.POL\APPLIC~1\SKS~1
C:\DOCUME~1\HODGSO~1.POL\MYDOCU~1\TSKS~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))


2007-05-29 11:40 132,660 --a------ C:\WINDOWS\system32\elqgxgjg.dll
2007-05-29 07:48 22,169 --a------ C:\WINDOWS\zzzx.exe
2007-05-26 09:43 <DIR> d-------- C:\Program Files\AutoCAD Architecture 2008
2007-05-26 09:36 <DIR> d-------- C:\Program Files\Autodesk
2007-05-26 08:43 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-05-26 08:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-05-25 13:52 106,535 --a------ C:\WINDOWS\jkjghg.dll
2007-05-25 08:48 106,496 --a------ C:\WINDOWS\system32\atl71.dll
2007-05-25 08:48 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-05-25 08:47 82,096 --a------ C:\DOCUME~1\HODGSO~1.POL\APPLIC~1\sysprotectscannerinstall[1].exe
2007-05-24 14:40 <DIR> d-------- C:\Documents and Settings\hodgson.POLTDESIGN\.housecall6.6
2007-05-24 14:40 <DIR> d-------- C:\DOCUME~1\HODGSO~1.POL\.housecall6.6
2007-05-24 14:36 106,249 --a------ C:\WINDOWS\mlmkll.dll
2007-05-24 13:08 106,433 --a------ C:\WINDOWS\yabbcd.dll
2007-05-24 10:23 106,643 --a------ C:\WINDOWS\cbxwww.dll
2007-05-23 16:42 106,695 --a------ C:\WINDOWS\vtuuuu.dll
2007-05-23 14:04 106,387 --a------ C:\WINDOWS\mlkkig.dll
2007-05-23 09:46 106,427 --a------ C:\WINDOWS\opmlmm.dll
2007-05-23 09:12 106,578 --a------ C:\WINDOWS\awttur.dll
2007-05-23 07:58 106,570 --a------ C:\WINDOWS\geecyy.dll
2007-05-23 07:50 28,452 --a------ C:\WINDOWS\system32\ips_32.dll
2007-05-23 07:49 37,244 --a------ C:\WINDOWS\5x.exe
2007-05-21 15:45 60,928 --a------ C:\WINDOWS\system32\cqhoeat.dll
2007-05-21 15:21 <DIR> d-------- C:\{8001895B-0000-0000-2BED-7697A214FF8D}
2007-05-21 15:21 <DIR> d-------- C:\{80001679-0000-0000-9AD1-7E4C368BBF8D}
2007-05-21 15:21 <DIR> d-------- C:\{80001600-0000-0000-F2F7-71BC3E3B2BCC}
2007-05-21 13:40 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-05-19 09:36 <DIR> d-------- C:\WINDOWS\pss
2007-05-18 09:07 <DIR> d-------- C:\DOCUME~1\HODGSO~1.POL\APPLIC~1\Lavasoft
2007-05-18 09:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-17 16:32 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-17 16:32 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-05-17 16:32 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-17 16:32 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-17 16:32 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-05-17 16:31 <DIR> d-------- C:\Program Files\Webroot
2007-05-17 16:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-17 16:29 164 --a------ C:\install.dat
2007-05-17 16:26 <DIR> d-------- C:\DOCUME~1\HODGSO~1.POL\APPLIC~1\Webroot
2007-05-16 17:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-15 10:08 <DIR> d-------- C:\DOCUME~1\HODGSO~1.POL\APPLIC~1\Symantec
2007-05-14 19:37 31,633 --a------ C:\WINDOWS\497x.exe
2007-05-14 19:18 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-14 18:57 <DIR> d-------- C:\7700PMICC
2007-05-14 18:56 1,742,848 --a------ C:\7700enw2kpsPMICC.exe
2007-05-14 18:51 31,650,304 --a------ C:\xerox-en.exe
2007-05-14 17:57 <DIR> d-------- C:\Program Files\Ofb11
2007-05-14 05:37 31,633 --a------ C:\WINDOWS\457x.exe
2007-05-08 07:45 166 --a------ C:\WINDOWS\system32\wincrc32ie.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-29 15:43:17 288 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
2007-05-29 15:43:17 288 ----a-w C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
2007-05-26 13:51:06 -------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-05-26 13:46:26 -------- d-----w C:\DOCUME~1\HODGSO~1.POL\APPLIC~1\Autodesk
2007-05-23 20:57:29 -------- d-----w C:\DOCUME~1\HODGSO~1.POL\APPLIC~1\U3
2007-05-21 15:02:14 -------- d-----w C:\DOCUME~1\HODGSO~1.POL\APPLIC~1\AdobeUM
2007-05-19 15:50:17 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-18 13:04:47 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-15 18:16:08 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-15 18:15:22 -------- d-----w C:\Program Files\AWS
2007-05-15 18:13:38 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-14 21:57:02 -------- d-----w C:\Program Files\Messenger
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-06 14:54:53 -------- d-----w C:\DOCUME~1\HODGSO~1.POL\APPLIC~1\LimeWire
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
1997-06-23 17:06:50 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{15EAF32F-E910-66D5-9145-A0FEDA5A8A51}=C:\WINDOWS\atlsg32.dll []
{1E932401-0C0D-07C1-B371-2D31B1011423}=C:\WINDOWS\system32\sysau32.dll []
{1F195898-75C1-B324-AE86-A5B30E2B2DD9}=C:\WINDOWS\system32\mstq.dll []
{3E1500AC-87A5-416b-A211-82E848649DA9}=C:\PROGRA~1\Ofb11\Ofb11.dll [2007-05-14 17:57]
{422293B6-7937-4977-E2B9-68E6C8612772}=C:\Program Files\Messenger\lawuneb.dll []
{43DCBA96-1EB4-0E16-9598-2CC35C216F9B}=C:\WINDOWS\system32\ipuo32.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{9D0E1E61-D4A3-FA72-887B-FEADDECA73B4}=C:\WINDOWS\system32\cqhoeat.dll [2007-05-21 09:59]
{A083D124-0F96-5115-604E-3D33D4D1992F}=C:\WINDOWS\ipbx.dll []
{B9E5C319-ACB8-47FD-8F33-FE6D63D0E5C4}=C:\WINDOWS\system32\pmkhh.dll []
{C01397B5-886F-E2A8-2FDD-7B4758D1AE8E}=C:\WINDOWS\apiuq.dll []
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}=C:\WINDOWS\system32\dnsersnd.dll []
{CAE5D01E-D1D5-0A94-36DA-A1764B33E959}=C:\WINDOWS\system32\crkn32.dll []
{CC5AFA72-4288-6A51-FC72-73963AF5CDDA}=C:\WINDOWS\system32\atlcb32.dll []
{CE9F8009-C44E-E5EA-C0CB-75CE8EB66346}=C:\WINDOWS\system32\atltz32.dll []
{DC1BEB49-52FD-B52A-2322-373696ED2DB1}=C:\WINDOWS\system32\msvy.dll []
{E60FF9E4-570D-C936-5208-5AC75C21B9E0}=C:\WINDOWS\sdkhy32.dll []
{ED830CF4-EFAE-38BE-EA96-5BCE8BE5B60C}=C:\WINDOWS\system32\ipmp.dll []
{f4df9599-4654-41c4-9d55-0a5dd939d280}=C:\WINDOWS\system32\ips_32.dll [2007-05-23 07:50]
{FC72CC24-F754-BD19-FD0E-852C1775E57D}=C:\WINDOWS\system32\netmh32.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2005-01-27 19:51 C:\WINDOWS\system32\cthelper.exe]
"sdklv32.exe"="" []
"S4Fhvc"="" []
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-12 13:24]
"HostManager"="C:\Program Files\Common Files\AOL\1135805040\ee\AOLSoftware.exe" [2005-11-02 23:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 11:58]
"HPHUPD06"="C:\Program Files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe" [2004-12-16 04:29]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:57]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-26 17:13]
"Arma"="C:\PROGRA~1\PPATCH~1\ati2evxx.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewContextMenu"=0 (0x0)
"NoActiveDesktopChanges"=-
"DisableLocalMachineRun"=-
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ips_32]
ips_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh]
C:\WINDOWS\system32\pmkhh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwil32]
winwil32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]


Contents of the 'Scheduled Tasks' folder
2007-05-29 12:07:24 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-05-17 20:32:38 C:\WINDOWS\tasks\wrSpySweeperTrialSweep.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 11:46:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-29 11:48:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-29 11:48

--- E O F ---
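Added example (not a ComboFix feature and not from this thread's helper): two questions worth asking of the "Files Created" section of the log above are which differently named files share a directory, extension and near-identical size (one dropper re-writing itself under fresh random names, which is what the nine ~106 KB six-letter DLLs in C:\WINDOWS and the two 31,633-byte `457x.exe`/`497x.exe` look like), and which files appeared after ComboFix started at 11:19:05 (elqgxgjg.dll is stamped 11:40, so something was still writing during the run). The listing is copied from the log; the 2 % size tolerance and the random-name heuristic are this example's assumptions.

```python
"""Timeline and size-clustering triage of a ComboFix "Files Created" listing
(added example). Groups files by directory + extension + near-identical size,
annotates how many names look machine-generated, and lists files created after
a cutoff such as the tool's own start time."""
import re
from datetime import datetime

# Subset of the "Files Created" section copied from the ComboFix log in this thread.
LISTING = r"""
2007-05-29 11:40 132,660 --a------ C:\WINDOWS\system32\elqgxgjg.dll
2007-05-29 07:48 22,169 --a------ C:\WINDOWS\zzzx.exe
2007-05-25 13:52 106,535 --a------ C:\WINDOWS\jkjghg.dll
2007-05-25 08:48 106,496 --a------ C:\WINDOWS\system32\atl71.dll
2007-05-25 08:48 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-05-24 14:36 106,249 --a------ C:\WINDOWS\mlmkll.dll
2007-05-24 13:08 106,433 --a------ C:\WINDOWS\yabbcd.dll
2007-05-24 10:23 106,643 --a------ C:\WINDOWS\cbxwww.dll
2007-05-23 16:42 106,695 --a------ C:\WINDOWS\vtuuuu.dll
2007-05-23 14:04 106,387 --a------ C:\WINDOWS\mlkkig.dll
2007-05-23 09:46 106,427 --a------ C:\WINDOWS\opmlmm.dll
2007-05-23 09:12 106,578 --a------ C:\WINDOWS\awttur.dll
2007-05-23 07:58 106,570 --a------ C:\WINDOWS\geecyy.dll
2007-05-23 07:50 28,452 --a------ C:\WINDOWS\system32\ips_32.dll
2007-05-23 07:49 37,244 --a------ C:\WINDOWS\5x.exe
2007-05-18 09:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-14 19:37 31,633 --a------ C:\WINDOWS\497x.exe
2007-05-14 05:37 31,633 --a------ C:\WINDOWS\457x.exe
"""

_ROW = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+\S+\s+(.+)$')


def parse(listing):
    """Return [(created, size, path)] for files; <DIR> rows are skipped."""
    rows = []
    for line in listing.splitlines():
        m = _ROW.match(line.strip())
        if not m or m.group(2) == "<DIR>":
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        rows.append((created, int(m.group(2).replace(",", "")), m.group(3)))
    return rows


def looks_random(stem):
    """Heuristic (assumed) for generated names like jkjghg or cbxwww: 5-8
    lowercase letters with a run of 3+ consonants or one letter 3+ times."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return bool(re.search(r"[^aeiou]{3}", stem) or re.search(r"(.)\1\1", stem))


def _bucket(row):
    directory, _, name = row[2].rpartition("\\")
    return directory.lower(), name.rpartition(".")[2].lower()


def clusters(rows, tolerance=0.02, min_members=2):
    """Group files with the same directory and extension whose sizes lie within
    `tolerance` of the smallest in the group; report groups of min_members+."""
    ordered = sorted(rows, key=lambda r: (_bucket(r), r[1]))
    groups, current = [], []
    for row in ordered:
        if current and _bucket(current[0]) == _bucket(row) \
                and row[1] - current[0][1] <= tolerance * current[0][1]:
            current.append(row)
        else:
            if current:
                groups.append(current)
            current = [row]
    if current:
        groups.append(current)
    report = []
    for g in groups:
        if len(g) < min_members:
            continue
        g.sort()  # chronological, since created is the first tuple element
        stems = [r[2].rpartition("\\")[2].rpartition(".")[0] for r in g]
        report.append({
            "directory": _bucket(g[0])[0], "ext": _bucket(g[0])[1],
            "count": len(g), "random_names": sum(looks_random(s) for s in stems),
            "first": g[0][0], "last": g[-1][0],
            "span_hours": round((g[-1][0] - g[0][0]).total_seconds() / 3600, 1),
        })
    return report


def created_after(rows, cutoff):
    """Paths created after `cutoff` ('YYYY-MM-DD HH:MM:SS'), e.g. the ComboFix start."""
    limit = datetime.strptime(cutoff, "%Y-%m-%d %H:%M:%S")
    return sorted(path for created, _, path in rows if created > limit)


if __name__ == "__main__":
    rows = parse(LISTING)
    for c in clusters(rows):
        print(f"{c['count']} x .{c['ext']} in {c['directory']} "
              f"({c['random_names']} random-looking names), "
              f"{c['first']:%Y-%m-%d %H:%M} to {c['last']:%Y-%m-%d %H:%M}, {c['span_hours']} h")
    print("written after ComboFix started:", created_after(rows, "2007-05-29 11:19:05"))
```

Clustering on directory matters: atl71.dll in system32 is within a few hundred bytes of the C:\WINDOWS DLLs but is a Microsoft runtime that arrived with the 5/25 software install, and keying on the directory keeps it out of the cluster. The nine-member cluster spanning about 54 hours at a cadence of a few hours is the concrete reading of "your computer will get reinfected" in post #4: something on the box was still producing fresh copies, and the post-cutoff file shows it had not stopped when ComboFix ran.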

#6 O-turn

  • Topic Starter
  • Members
  • 21 posts

Posted 29 May 2007 - 02:51 PM

Ok, now to the ComboFix Quarantined Files.txt it created (Not sure if this is needed, but here it is)

2004-08-04 03:56	  81296	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ntos.exe.vir
2006-06-20 08:53	  205	--a------	C:\Qoobox\Quarantine\C\INSTALL.LOG.vir
2007-01-12 16:00	  18031	--a------	C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir
2007-03-06 11:59	  34494	--a------	C:\Qoobox\Quarantine\C\Program Files\Outerinfo\outerinfo.ico.vir
2007-04-30 12:36	  135168	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\smpi1\lib67.exe.vir
2007-05-13 20:41	  11862	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\smpi1\lib06.exe.vir
2007-05-14 17:56	  249816	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2007-05-14 17:56	  72320	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir
2007-05-14 17:56	  94208	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\dnsersnd.dll.vir
2007-05-14 17:56	  958	--a------	C:\Qoobox\Quarantine\C\TEMP\17O7\tmpTF.log.vir
2007-05-14 17:57	  29206	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\byxvutu.dll.vir
2007-05-14 17:58	  71168	--a------	C:\Qoobox\Quarantine\C\Program Files\Common Files\svchost.exe.vir
2007-05-14 18:05	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tubcpghc.dll.vir
2007-05-15 10:12	  1492769	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\hhkmp.tmp.vir
2007-05-15 13:53	  29206	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\cbxwxxw.dll.vir
2007-05-17 11:48	  29206	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\hggdddc.dll.vir
2007-05-18 15:52	  1498856	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\hhkmp.bak1.vir
2007-05-18 16:02	  1499446	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\hhkmp.ini2.vir
2007-05-19 09:07	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\lvsarmny.dll.vir
2007-05-19 09:07	  1498318	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ilkkj.bak1.vir
2007-05-19 09:07	  262708	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkli.dll.vir
2007-05-19 09:07	  833162	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ynmrasvl.ini.vir
2007-05-19 11:08	  29206	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\yayaywv.dll.vir
2007-05-21 07:50	  29206	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\awttrqr.dll.vir
2007-05-21 10:00	  228864	---------	C:\Qoobox\Quarantine\C\DOCUME~1\HODGSO~1.POL\MYDOCU~1\TSKS~1\csrss.exe
2007-05-21 15:45	  2	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\wapisvsu.exe.vir
2007-05-23 07:50	  1535743	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ilkkj.ini.vir
2007-05-23 07:57	  38192	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmpE1.tmp.dll.vir
2007-05-23 09:12	  38135	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp17E.tmp.dll.vir
2007-05-23 12:58	  1526014	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ilkkj.tmp.vir
2007-05-23 16:08	  38235	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp4C2.tmp.dll.vir
2007-05-23 16:42	  38235	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp4C8.tmp.dll.vir
2007-05-24 08:19	  38296	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp1C4.tmp.dll.vir
2007-05-24 11:40	  38274	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp245.tmp.dll.vir
2007-05-24 13:05	  38274	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp9EC.tmp.dll.vir
2007-05-25 08:43	  38072	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmpEB.tmp.dll.vir
2007-05-25 08:46	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\dxqgjudk.dll.vir
2007-05-25 11:28	  38072	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp3AC.tmp.dll.vir
2007-05-25 12:58	  38324	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp8FA.tmp.dll.vir
2007-05-26 08:21	  1083839	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\nxwvgfau.ini.vir
2007-05-26 08:21	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\uafgvwxn.dll.vir
2007-05-26 08:23	  50745	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ybhkekry.dll.vir
2007-05-29 07:48	  22169	--a------	C:\Qoobox\Quarantine\C\WINDOWS\svchost.exe.vir
2007-05-29 07:48	  379	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\wsnpoem\audio.dll.cla.vir
2007-05-29 10:01	  71680	---------	C:\Qoobox\Quarantine\C\Program Files\PPATCH~1\ati2evxx.exe
2007-05-29 10:07	  39182	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp190.tmp.dll.vir
2007-05-29 10:48	  3732	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\wsnpoem\video.dll.vir
2007-05-29 11:17	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\aqxfadbv.dll.vir
2007-05-29 11:18	  1085424	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\vbdafxqa.ini.vir
2007-05-29 11:33	  1220	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
2007-05-29 11:33	  702	--a------	C:\Qoobox\Quarantine\Registry_backups\hklm_windowsNT_windows.reg.cf
2007-05-29 11:33	  994	--a------	C:\Qoobox\Quarantine\Registry_backups\services_core.reg.cf
2007-05-29 11:34	  1579270	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ilkkj.bak2.vir
2007-05-29 11:36	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\wsnpoem\audio.dll.vir
2007-05-29 11:36	  6144	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\perfc000.dat.vir
2007-05-29 11:37	  1543986	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ilkkj.ini2.vir


Folder PATH listing
Volume serial number is F048-858F
C:\QOOBOX
\---Quarantine
	+---C
	|   |   INSTALL.LOG.vir
	|   |   
	|   +---DOCUME~1
	|   |   \---HODGSO~1.POL
	|   |	   +---APPLIC~1
	|   |	   |   \---SKS~1
	|   |	   \---MYDOCU~1
	|   |		   \---TSKS~1
	|   |				   csrss.exe
	|   |				   
	|   +---Program Files
	|   |   +---Common Files
	|   |   |	   svchost.exe.vir
	|   |   |	   
	|   |   +---Outerinfo
	|   |   |	   outerinfo.ico.vir
	|   |   |	   Terms.rtf.vir
	|   |   |	   
	|   |   \---PPATCH~1
	|   |	   |   ati2evxx.exe
	|   |	   |   
	|   |	   \---ŕ?pPatch
	|   +---TEMP
	|   |   \---17O7
	|   |		   tmpTF.log.vir
	|   |		   
	|   \---WINDOWS
	|	   |   svchost.exe.vir
	|	   |   
	|	   \---system32
	|		   |   aqxfadbv.dll.vir
	|		   |   awttrqr.dll.vir
	|		   |   byxvutu.dll.vir
	|		   |   cbxwxxw.dll.vir
	|		   |   dnsersnd.dll.vir
	|		   |   dxqgjudk.dll.vir
	|		   |   hggdddc.dll.vir
	|		   |   hhkmp.bak1.vir
	|		   |   hhkmp.ini2.vir
	|		   |   hhkmp.tmp.vir
	|		   |   ilkkj.bak1.vir
	|		   |   ilkkj.bak2.vir
	|		   |   ilkkj.ini.vir
	|		   |   ilkkj.ini2.vir
	|		   |   ilkkj.tmp.vir
	|		   |   jkkli.dll.vir
	|		   |   lvsarmny.dll.vir
	|		   |   ntos.exe.vir
	|		   |   nxwvgfau.ini.vir
	|		   |   perfc000.dat.vir
	|		   |   tmp17E.tmp.dll.vir
	|		   |   tmp190.tmp.dll.vir
	|		   |   tmp1C4.tmp.dll.vir
	|		   |   tmp245.tmp.dll.vir
	|		   |   tmp3AC.tmp.dll.vir
	|		   |   tmp4C2.tmp.dll.vir
	|		   |   tmp4C8.tmp.dll.vir
	|		   |   tmp8FA.tmp.dll.vir
	|		   |   tmp9EC.tmp.dll.vir
	|		   |   tmpE1.tmp.dll.vir
	|		   |   tmpEB.tmp.dll.vir
	|		   |   tubcpghc.dll.vir
	|		   |   uafgvwxn.dll.vir
	|		   |   vbdafxqa.ini.vir
	|		   |   wapisvsu.exe.vir
	|		   |   yayaywv.dll.vir
	|		   |   ybhkekry.dll.vir
	|		   |   ynmrasvl.ini.vir
	|		   |   
	|		   +---drivers
	|		   |	   core.cache.dsk.vir
	|		   |	   core.sys.vir
	|		   |	   
	|		   +---smpi1
	|		   |	   lib06.exe.vir
	|		   |	   lib67.exe.vir
	|		   |	   
	|		   \---wsnpoem
	|				   audio.dll.cla.vir
	|				   audio.dll.vir
	|				   video.dll.vir
	|				   
	\---Registry_backups
			hklm_windowsNT_windows.reg.cf
			LEGACY_CORE.reg.cf
			services_core.reg.cf


#7 O-turn
  • Topic Starter

Posted 29 May 2007 - 02:53 PM

On to the SDFix.exe program's findings...



SDFix: Version 1.85

Run by hodgson - 2007-05-29 - 13:34:44.03

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\HODGSO~1.POL\Desktop\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\wr.txt - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\HODGSO~1.POL\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\system32\Msxbse35.dll
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a4d39c2f7be96e0f7781366e38b32e79\BIT8E.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

I also ran the catchme.exe from SDfix:

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

#8 O-turn
  • Topic Starter

Posted 29 May 2007 - 02:55 PM

The SmitfraudFix determinations...

SmitFraudFix v2.188

Scan done at 13:56:02.28, 2007-05-29
Run from C:\Documents and Settings\hodgson.POLTDESIGN\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Your computer may be victim of a DNS Hijack: 194.54.x.x detected !

Description: 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX) - Packet Scheduler Miniport
DNS Server Search Order: 194.54.90.226

HKLM\SYSTEM\CCS\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer=194.54.90.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{53DCA578-EAE7-4E05-A9FB-49FBDC745272}: NameServer=194.54.90.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E6CB82B3-743B-4B5B-A5F3-67DCDDA52A87}: DhcpNameServer=192.168.1.40
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E6CB82B3-743B-4B5B-A5F3-67DCDDA52A87}: NameServer=194.54.90.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer=194.54.90.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{53DCA578-EAE7-4E05-A9FB-49FBDC745272}: NameServer=194.54.90.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E6CB82B3-743B-4B5B-A5F3-67DCDDA52A87}: DhcpNameServer=192.168.1.40
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E6CB82B3-743B-4B5B-A5F3-67DCDDA52A87}: NameServer=194.54.90.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.40
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.40

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

HKLM\SYSTEM\CCS\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer=194.54.90.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{53DCA578-EAE7-4E05-A9FB-49FBDC745272}: NameServer=194.54.90.226

#9 O-turn
  • Topic Starter

Posted 29 May 2007 - 02:57 PM

And last but not least, the HijackThis findings:

Logfile of HijackThis v1.99.1
Scan saved at 14:04, on 2007-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {15EAF32F-E910-66D5-9145-A0FEDA5A8A51} - C:\WINDOWS\atlsg32.dll (file missing)
O2 - BHO: Class - {1E932401-0C0D-07C1-B371-2D31B1011423} - C:\WINDOWS\system32\sysau32.dll (file missing)
O2 - BHO: Class - {1F195898-75C1-B324-AE86-A5B30E2B2DD9} - C:\WINDOWS\system32\mstq.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: 0 - {422293B6-7937-4977-E2B9-68E6C8612772} - C:\Program Files\Messenger\lawuneb.dll (file missing)
O2 - BHO: Class - {43DCBA96-1EB4-0E16-9598-2CC35C216F9B} - C:\WINDOWS\system32\ipuo32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9D0E1E61-D4A3-FA72-887B-FEADDECA73B4} - C:\WINDOWS\system32\cqhoeat.dll
O2 - BHO: Class - {A083D124-0F96-5115-604E-3D33D4D1992F} - C:\WINDOWS\ipbx.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B9E5C319-ACB8-47FD-8F33-FE6D63D0E5C4} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: Class - {C01397B5-886F-E2A8-2FDD-7B4758D1AE8E} - C:\WINDOWS\apiuq.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O2 - BHO: Class - {CAE5D01E-D1D5-0A94-36DA-A1764B33E959} - C:\WINDOWS\system32\crkn32.dll (file missing)
O2 - BHO: (no name) - {CC5AFA72-4288-6A51-FC72-73963AF5CDDA} - C:\WINDOWS\system32\atlcb32.dll (file missing)
O2 - BHO: Class - {CE9F8009-C44E-E5EA-C0CB-75CE8EB66346} - C:\WINDOWS\system32\atltz32.dll (file missing)
O2 - BHO: Class - {DC1BEB49-52FD-B52A-2322-373696ED2DB1} - C:\WINDOWS\system32\msvy.dll (file missing)
O2 - BHO: (no name) - {E60FF9E4-570D-C936-5208-5AC75C21B9E0} - C:\WINDOWS\sdkhy32.dll (file missing)
O2 - BHO: Class - {ED830CF4-EFAE-38BE-EA96-5BCE8BE5B60C} - C:\WINDOWS\system32\ipmp.dll (file missing)
O2 - BHO: (no name) - {f4df9599-4654-41c4-9d55-0a5dd939d280} - C:\WINDOWS\system32\ips_32.dll
O2 - BHO: Class - {FC72CC24-F754-BD19-FD0E-852C1775E57D} - C:\WINDOWS\system32\netmh32.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1135805040\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD06] "C:\Program Files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\PPATCH~1\ati2evxx.exe" -vt ndrv
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...l?noreloadredir
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PoltDesign.local
O17 - HKLM\Software\..\Telephony: DomainName = PoltDesign.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{53DCA578-EAE7-4E05-A9FB-49FBDC745272}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PoltDesign.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer = 194.54.90.226
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\Program Files\Common Files\Repro Desk\PmProtocol.dll
O20 - Winlogon Notify: ips_32 - C:\WINDOWS\SYSTEM32\ips_32.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwil32 - winwil32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#10 O-turn
  • Topic Starter

Posted 29 May 2007 - 02:59 PM

Let me know what you think of all those findings, and if I need to do anything again or new. I really appreciate your help, and I am in the United States :thumbsup: Not the Ukraine!

Brian

#11 SNOWHITE
  • missy malware magnet
  • Location: Bitola, Macedonia

Posted 29 May 2007 - 03:25 PM

Let me know what you think of all those findings, and if I need to do anything again or new. I really appreciate your help, and I am in the United States :thumbsup: Not the Ukraine!

Brian


Hello Brian,

:flowers: I will need some time to see what has been done and cleaned so far. Some time tomorrow I will post new instructions for you.

In the meantime, can you tell me whether your antivirus is working properly and has the latest updates, and when was the last time you scanned your computer with it?

Regards,
SNOWHITE

#12 O-turn
  • Topic Starter

Posted 30 May 2007 - 07:32 AM

My boss has Norton on order, and an IT person coming out this week to install something on the server and the antivirus on our computers. I am running Firefox and Spy Sweeper with antivirus in the meantime. I've run Spybot and Ad-Aware 3 times since completing your instructions and it's only turning up 1 or 2 tracking cookies each time, as opposed to the 30-some items that showed up before.

#13 SNOWHITE
  • missy malware magnet
  • Location: Bitola, Macedonia

Posted 31 May 2007 - 11:12 AM

O-turn,

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER

Please follow the steps below exactly in the order they are written:

Step 1

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O2 - BHO: Class - {15EAF32F-E910-66D5-9145-A0FEDA5A8A51} - C:\WINDOWS\atlsg32.dll (file missing)
O2 - BHO: Class - {1E932401-0C0D-07C1-B371-2D31B1011423} - C:\WINDOWS\system32\sysau32.dll (file missing)
O2 - BHO: Class - {1F195898-75C1-B324-AE86-A5B30E2B2DD9} - C:\WINDOWS\system32\mstq.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: 0 - {422293B6-7937-4977-E2B9-68E6C8612772} - C:\Program Files\Messenger\lawuneb.dll (file missing)
O2 - BHO: Class - {43DCBA96-1EB4-0E16-9598-2CC35C216F9B} - C:\WINDOWS\system32\ipuo32.dll (file missing)
O2 - BHO: (no name) - {9D0E1E61-D4A3-FA72-887B-FEADDECA73B4} - C:\WINDOWS\system32\cqhoeat.dll
O2 - BHO: Class - {A083D124-0F96-5115-604E-3D33D4D1992F} - C:\WINDOWS\ipbx.dll (file missing)
O2 - BHO: (no name) - {B9E5C319-ACB8-47FD-8F33-FE6D63D0E5C4} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: Class - {C01397B5-886F-E2A8-2FDD-7B4758D1AE8E} - C:\WINDOWS\apiuq.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O2 - BHO: Class - {CAE5D01E-D1D5-0A94-36DA-A1764B33E959} - C:\WINDOWS\system32\crkn32.dll (file missing)
O2 - BHO: (no name) - {CC5AFA72-4288-6A51-FC72-73963AF5CDDA} - C:\WINDOWS\system32\atlcb32.dll (file missing)
O2 - BHO: Class - {CE9F8009-C44E-E5EA-C0CB-75CE8EB66346} - C:\WINDOWS\system32\atltz32.dll (file missing)
O2 - BHO: Class - {DC1BEB49-52FD-B52A-2322-373696ED2DB1} - C:\WINDOWS\system32\msvy.dll (file missing)
O2 - BHO: (no name) - {E60FF9E4-570D-C936-5208-5AC75C21B9E0} - C:\WINDOWS\sdkhy32.dll (file missing)
O2 - BHO: Class - {ED830CF4-EFAE-38BE-EA96-5BCE8BE5B60C} - C:\WINDOWS\system32\ipmp.dll (file missing)
O2 - BHO: (no name) - {f4df9599-4654-41c4-9d55-0a5dd939d280} - C:\WINDOWS\system32\ips_32.dll
O2 - BHO: Class - {FC72CC24-F754-BD19-FD0E-852C1775E57D} - C:\WINDOWS\system32\netmh32.dll (file missing)
O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\PPATCH~1\ati2evxx.exe" -vt ndrv
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...l?noreloadredir
O17 - HKLM\System\CCS\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{53DCA578-EAE7-4E05-A9FB-49FBDC745272}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer = 194.54.90.226
O20 - Winlogon Notify: ips_32 - C:\WINDOWS\SYSTEM32\ips_32.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: winwil32 - winwil32.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step 2

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
C:\WINDOWS\system32\elqgxgjg.dll
C:\WINDOWS\zzzx.exe
C:\WINDOWS\jkjghg.dll
C:\WINDOWS\system32\mfc71.dll
C:\Documents and Settings\hodgson.POLTDESIGN\Application Data\sysprotectscannerinstall[1].exe
C:\WINDOWS\mlmkll.dll
C:\WINDOWS\yabbcd.dll
C:\WINDOWS\cbxwww.dll
C:\WINDOWS\vtuuuu.dll
C:\WINDOWS\mlkkig.dll
C:\WINDOWS\opmlmm.dll
C:\WINDOWS\awttur.dll
C:\WINDOWS\geecyy.dll
C:\WINDOWS\system32\ips_32.dll
C:\WINDOWS\5x.exe
C:\WINDOWS\system32\cqhoeat.dll
C:\WINDOWS\497x.exe
C:\WINDOWS\457x.exe
C:\WINDOWS\system32\wincrc32ie.dll
C:\WINDOWS\system32\pmkhh.dll

Folders to delete:
C:\{8001895B-0000-0000-2BED-7697A214FF8D}
C:\{80001679-0000-0000-9AD1-7E4C368BBF8D}
C:\{80001600-0000-0000-F2F7-71BC3E3B2BCC}
C:\Program Files\Ofb11

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ips_32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwil32


Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sdklv32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | S4Fhvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | @


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your next reply.

Step 3

a.) Download AVG Anti-Spyware from HERE and save that file to your desktop.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

b.) Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
NOTE: if you are unable to update the definition files, you can perform manual update by going to the following site http://www.ewido.net/en/download/updates/

Step 4

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click fsbl.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

Step 5

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Please post back with avenger.txt, AVG Anti-Spyware report scan, Blacklight report, dss scan reports main.txt and extra.txt. :thumbsup:
SNOWHITE
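The entries picked in Step 1 come from reading the HijackThis log by eye. As an added example (Python written for this page, not code from the thread, from HijackThis or from the helper), the script below applies a few of those checks mechanically to lines copied from the 29 May log in post #9, and it also covers the NameServer finding from the SmitFraudFix output in post #8. The generic-name list, the system32-only names, the Winlogon Notify allow-list and the expected DNS server (the DhcpNameServer that SmitFraudFix shows) are assumptions fitted to this one machine, not HijackThis behaviour.

```python
"""Heuristic triage of HijackThis 1.99.1 log lines.

Added example for this thread; not code from the thread, from HijackThis
or from the helper. Every allow-list and name list below is an assumption
chosen to fit this machine, not HijackThis behaviour.
"""
import re
from pathlib import PureWindowsPath

FILE_MISSING = " (file missing)"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*): NameServer = (?P<servers>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Assumptions (not from the thread): BHO display names that carry no vendor
# information; directories an unnamed BHO has no business living in; names
# that belong only in system32; Notify DLLs this box is expected to have;
# and the resolver the LAN's DHCP server hands out (192.168.1.40 is the
# DhcpNameServer in the SmitFraudFix output).
GENERIC_BHO_NAMES = {"class", "(no name)", "0"}
BARE_WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
SYSTEM32_ONLY = {"svchost.exe", "csrss.exe", "ati2evxx.exe"}
KNOWN_NOTIFY_DLLS = {"wgalogon.dll", "wrlogonntf.dll"}
EXPECTED_DNS = frozenset({"192.168.1.40"})

# Constructed sample: lines copied from the 29 May 2007 log in post #9.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {15EAF32F-E910-66D5-9145-A0FEDA5A8A51} - C:\WINDOWS\atlsg32.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9D0E1E61-D4A3-FA72-887B-FEADDECA73B4} - C:\WINDOWS\system32\cqhoeat.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\PPATCH~1\ati2evxx.exe" -vt ndrv
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PoltDesign.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{17477753-2739-46EA-8019-A437859AEF0B}: NameServer = 194.54.90.226
O20 - Winlogon Notify: ips_32 - C:\WINDOWS\SYSTEM32\ips_32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwil32 - winwil32.dll (file missing)
"""


def _split_missing(field):
    """Separate HijackThis's '(file missing)' suffix from the path."""
    if field.endswith(FILE_MISSING):
        return field[: -len(FILE_MISSING)], True
    return field, False


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _exe_from_command(cmd):
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return [(line, reason)] for every line one of the heuristics objects to."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        reason = None
        if m := O2_RE.match(line):
            path, missing = _split_missing(m["path"])
            if missing:
                reason = "BHO still registered but its DLL is gone"
            elif m["name"].strip().lower() in GENERIC_BHO_NAMES and _parent(path) in BARE_WINDOWS_DIRS:
                reason = "unnamed BHO loaded straight from the Windows directory"
        elif m := O4_RE.match(line):
            exe = _exe_from_command(m["cmd"])
            if _basename(exe) in SYSTEM32_ONLY and _parent(exe) != r"c:\windows\system32":
                reason = "Run entry reuses a system component's name outside system32"
        elif m := O17_RE.match(line):
            rogue = [s for s in re.split(r"[,\s]+", m["servers"]) if s and s not in expected_dns]
            if rogue:
                reason = "static NameServer not issued by the LAN DHCP server: " + ", ".join(rogue)
        elif m := O20_RE.match(line):
            path, missing = _split_missing(m["path"])
            if missing:
                reason = "Winlogon Notify entry whose DLL is gone"
            elif _basename(path) not in KNOWN_NOTIFY_DLLS:
                reason = "Winlogon Notify package not on the expected list (loads inside winlogon.exe)"
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run as-is it flags seven lines: the two file-missing BHOs, the unnamed BHO in system32, the Run entry that borrows the ati2evxx.exe name from a Program Files folder, the 194.54.90.226 resolver, and the two Notify packages. The Ofb11 BHO is not flagged, which is the limit of path-and-name heuristics: an entry with a vendor-looking name in its own folder needs a reputation or hash lookup, not a regex. The SDHelper line shows why "(no name)" on its own is not a signal.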

#14 O-turn
  • Topic Starter

Posted 31 May 2007 - 12:30 PM

Again, your help is greatly appreciated!

I will hopefully run these directions tomorrow morning and have the lists posted by the afternoon!

#15 O-turn
  • Topic Starter

Posted 01 June 2007 - 07:24 AM

Ok, I ran the programs specified, here is the avenger.txt file:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fglvrrxk

*******************

Script file located at: \??\C:\Program Files\cslyogxj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-00581102}.dat deleted successfully.
File C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-00581102}.dat deleted successfully.
File C:\WINDOWS\system32\elqgxgjg.dll deleted successfully.
File C:\WINDOWS\zzzx.exe deleted successfully.
File C:\WINDOWS\jkjghg.dll deleted successfully.
File C:\WINDOWS\system32\mfc71.dll deleted successfully.
File C:\Documents and Settings\hodgson.POLTDESIGN\Application Data\sysprotectscannerinstall[1].exe deleted successfully.
File C:\WINDOWS\mlmkll.dll deleted successfully.
File C:\WINDOWS\yabbcd.dll deleted successfully.
File C:\WINDOWS\cbxwww.dll deleted successfully.
File C:\WINDOWS\vtuuuu.dll deleted successfully.
File C:\WINDOWS\mlkkig.dll deleted successfully.
File C:\WINDOWS\opmlmm.dll deleted successfully.
File C:\WINDOWS\awttur.dll deleted successfully.
File C:\WINDOWS\geecyy.dll deleted successfully.
File C:\WINDOWS\system32\ips_32.dll deleted successfully.
File C:\WINDOWS\5x.exe deleted successfully.


File C:\WINDOWS\system32\cqhoeat.dll not found!
Deletion of file C:\WINDOWS\system32\cqhoeat.dll failed!

Could not process line:
C:\WINDOWS\system32\cqhoeat.dll
Status: 0xc0000034

File C:\WINDOWS\497x.exe deleted successfully.
File C:\WINDOWS\457x.exe deleted successfully.
File C:\WINDOWS\system32\wincrc32ie.dll deleted successfully.


File C:\WINDOWS\system32\pmkhh.dll not found!
Deletion of file C:\WINDOWS\system32\pmkhh.dll failed!

Could not process line:
C:\WINDOWS\system32\pmkhh.dll
Status: 0xc0000034

Folder C:\{8001895B-0000-0000-2BED-7697A214FF8D} deleted successfully.
Folder C:\{80001679-0000-0000-9AD1-7E4C368BBF8D} deleted successfully.
Folder C:\{80001600-0000-0000-F2F7-71BC3E3B2BCC} deleted successfully.


Folder C:\Program Files\Ofb11 not found!
Deletion of folder C:\Program Files\Ofb11 failed!

Could not process line:
C:\Program Files\Ofb11
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ips_32 deleted successfully.


Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwil32 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwil32 failed!
Status: 0xc0000034

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sdklv32.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|S4Fhvc deleted successfully.


Could not delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|@
Deletion of registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|@ failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
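Reading avenger.txt against the script that produced it is easier when a tool does the matching. As an added example (Python written for this page, not code from the thread or from The Avenger), the block below parses the sections of the Step 2 script and the per-item outcomes in the log, buckets each scripted item as deleted, not found, failed or unreported, and names the NTSTATUS code the log prints. The script and log samples are constructed subsets of the ones posted in this thread, and the log grammar is inferred only from those lines.

```python
"""Reconcile an Avenger script against the avenger.txt it produced.

Added example for this thread; not code from the thread or from The
Avenger. The log grammar is inferred only from the lines the thread
shows; the samples are subsets of the Step 2 script and of avenger.txt.
"""
import re

# NTSTATUS value Avenger prints next to each item it could not act on.
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+) to (?P<action>delete|unload):$")
RESULT_RE = re.compile(
    r"^(?P<kind>File|Folder|Registry key|Registry value) (?P<item>.+?) "
    r"(?P<outcome>deleted successfully\.|not found!)$")
FAILED_VALUE_RE = re.compile(r"^Could not delete registry value (?P<item>.+)$")
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9A-Fa-f]+)$")

# Constructed sample: part of the script from Step 2 of the instructions.
AVENGER_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\elqgxgjg.dll
C:\WINDOWS\system32\ips_32.dll
C:\WINDOWS\system32\cqhoeat.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ips_32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sdklv32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | @
"""

# Constructed sample: the matching part of the avenger.txt posted above.
AVENGER_LOG = r"""
Beginning to process script file:
File C:\WINDOWS\system32\elqgxgjg.dll deleted successfully.
File C:\WINDOWS\system32\ips_32.dll deleted successfully.
File C:\WINDOWS\system32\cqhoeat.dll not found!
Deletion of file C:\WINDOWS\system32\cqhoeat.dll failed!
Could not process line:
C:\WINDOWS\system32\cqhoeat.dll
Status: 0xc0000034
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ips_32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh failed!
Status: 0xc0000034
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sdklv32.exe deleted successfully.
Could not delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|@
Deletion of registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|@ failed!
Status: 0xc0000034
Completed script processing.
"""


def norm(item):
    """Case-fold and collapse 'KEY | value' (script form) to 'KEY|value' (log form)."""
    return re.sub(r"\s*\|\s*", "|", item.strip()).lower()


def parse_script(text):
    """Return {section header: [items]} in script order."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"item before any section header: {line}")
        else:
            sections[current].append(line)
    return sections


def parse_log(text):
    """Return {normalised item: {'status': ..., 'ntstatus': int or None}}."""
    results, last = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := RESULT_RE.match(line):
            status = "deleted" if m["outcome"].startswith("deleted") else "not found"
            last = norm(m["item"])
            results[last] = {"status": status, "ntstatus": None}
        elif m := FAILED_VALUE_RE.match(line):
            last = norm(m["item"])
            results[last] = {"status": "failed", "ntstatus": None}
        elif (m := STATUS_RE.match(line)) and last is not None:
            results[last]["ntstatus"] = int(m["code"], 16)  # Status: line follows its item
    return results


def ntstatus_name(code):
    return NTSTATUS_NAMES.get(code, f"unknown NTSTATUS 0x{code:08X}")


def reconcile(script_text, log_text):
    """Bucket every scripted item by what the log says happened to it."""
    log = parse_log(log_text)
    report = {"deleted": [], "not_found": [], "failed": [], "unreported": [], "codes": {}}
    for items in parse_script(script_text).values():
        for item in items:
            entry = log.get(norm(item))
            if entry is None:
                report["unreported"].append(item)
                continue
            report[entry["status"].replace(" ", "_")].append(item)
            if entry["ntstatus"] is not None:
                report["codes"][item] = ntstatus_name(entry["ntstatus"])
    return report


if __name__ == "__main__":
    for bucket, items in reconcile(AVENGER_SCRIPT, AVENGER_LOG).items():
        print(f"{bucket}: {items}")
```

Every non-deleted item above reports 0xc0000034, STATUS_OBJECT_NAME_NOT_FOUND: the file, key or value was already absent when Avenger ran, so these are no-ops rather than deletions that something blocked. The bucket worth watching is "unreported", which is empty here; a scripted item the log never mentions would mean the script Avenger actually executed was not the one pasted in.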



