Hijackthis Log: Please Help Diagnose


16 replies to this topic

#1 BewilderedStranger


Posted 11 July 2007 - 04:34 PM

I've had popups and all that mess, and I've seen signs of Vundo and gone through that process; then someone said SmitFraud and I went through that process, but I still have got something going on. I get a popup that can't load, and it takes forever to get the computer back: you hit End Now in Task Manager and it won't do anything for several moments. Anyhow, here's the log. I would appreciate any help.
Logfile of HijackThis v1.99.1
Scan saved at 4:09:23 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lmsxxef.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Monte Harris.ROSY\Desktop\analyze.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [XE Fax LM Status] lmsxxef.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [dbservices] scm -Silent 1 -Action 1 -Service mssqlserver
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\hmngaqy.dll,TurnOn2
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: 3Com Video Launcher.lnk = C:\Program Files\3Com PC Digital WebCam Lite\videolaunch.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: XE_fx Status Monitor.lnk = C:\Program Files\XWC_90fx\X9ENGSS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (LkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (LkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: SQL Server (KBMSS) (MSSQL$KBMSS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sKBMSS (file missing)
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)

Edited by BewilderedStranger, 12 July 2007 - 11:46 AM.



#2 jurgenv


Posted 20 July 2007 - 08:44 AM

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Greets Jürgenv


#3 BewilderedStranger


Posted 27 July 2007 - 11:57 AM

New Logfiles
Hey, I really appreciate your help.



"Monte Harris" - 2007-07-27 11:44:17 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\MONTEH~1.ROS\Desktop\internet.lnk
C:\Program Files\PopsMedia Site Adviser
C:\Program Files\PopsMedia Site Adviser\vm5_killer.exe


((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


2007-07-27 11:43 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 18:01 <DIR> d-------- C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\Apple Computer
2007-07-15 11:48 <DIR> d-------- C:\DOCUME~1\MONTEH~1.ROS\.housecall6.6
2007-07-11 15:20 786,432 --ah----- C:\DOCUME~1\ADMINI~1.ROS\NTUSER.DAT
2007-07-11 15:17 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-11 15:17 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-11 15:17 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-11 15:17 2,566 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-11 15:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-07-11 14:27 <DIR> d-------- C:\VundoFix Backups
2007-07-11 14:15 <DIR> d-------- C:\WINDOWS\pss
2007-07-11 10:52 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-11 09:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-07-11 09:18 53,248 --a------ C:\WINDOWS\system32\hmngaqy.dll
2007-07-03 00:00 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-02 23:58 <DIR> d-------- C:\DOCUME~1\DONHAR~2\APPLIC~1\Apple Computer
2007-07-02 23:57 <DIR> d-------- C:\Program Files\iTunes
2007-07-02 23:57 <DIR> d-------- C:\Program Files\iPod
2007-07-02 23:55 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-02 23:54 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-02 23:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple
2007-07-02 23:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple Computer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 18:10:08 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-07-11 19:03:55 -------- d-----w C:\Program Files\Live_TV
2007-07-11 19:01:38 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-11 19:01:35 -------- d-----w C:\Program Files\Lavasoft
2007-07-03 04:56:41 -------- d-----w C:\Program Files\QuickTime
2007-07-02 22:42:57 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-07-01 08:09:25 -------- d-----w C:\Program Files\National Instruments
2007-06-26 19:34:23 -------- d-----w C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\Thunderbird
2007-06-22 10:14:18 0 ----a-w C:\WINDOWS\nsreg.dat
2007-06-16 01:29:26 -------- d-----w C:\Program Files\GIMP-2.0
2007-06-16 01:28:35 -------- d-----w C:\Program Files\Common Files\GTK
2007-06-10 16:37:14 -------- d-----w C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\ConvertTemp
2007-06-10 16:37:13 -------- d-----w C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\TransRender
2007-06-10 16:37:13 -------- d-----w C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\Temporary
2007-06-10 01:29:50 -------- d-----w C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\Samsung
2007-06-10 01:27:11 5,632 ----a-w C:\WINDOWS\system32\drivers\StarOpen.sys
2007-06-10 01:21:34 -------- d-----w C:\Program Files\Samsung
2007-06-10 01:21:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 09:07:36 -------- d-----w C:\Program Files\BitScope


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E26CEADA-67B0-4543-BE8B-307F00265118}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"XE Fax LM Status"="lmsxxef.exe" [1999-10-12 09:53 C:\WINDOWS\system32\LMSXXEF.exe]
"InstantAccess"="C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [1998-12-10 13:57]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-10 12:33]
"dbservices"="scm -Silent 1 -Action 1 -Service mssqlserver" []
"niDevMon"="C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2007-02-24 02:34]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SecurityUpdate"="C:\WINDOWS\system32\hmngaqy.dll" [2007-07-11 09:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"=C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
3Com Video Launcher.lnk - C:\Program Files\3Com PC Digital WebCam Lite\videolaunch.exe [2005-07-30 09:49:33]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-04-20 21:02:09]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-02-27 18:45:31]
XE_fx Status Monitor.lnk - C:\Program Files\XWC_90fx\X9ENGSS.EXE [2005-12-19 00:29:21]

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys
R0 nipbcfk;National Instruments Class Upper Filter Driver;C:\WINDOWS\system32\drivers\nipbcfk.sys
R1 nikbd;LabVIEW DSC Module Keyboard Filter;C:\WINDOWS\system32\drivers\nikbd.sys
R1 StarOpen;StarOpen;C:\WINDOWS\system32\drivers\StarOpen.sys
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 MSSQL$KBMSS;SQL Server (KBMSS);"C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sKBMSS
R2 MSSQL$MICROSOFTSMLBIZ;MSSQL$MICROSOFTSMLBIZ;"C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe"
R2 NICitadel5Service;National Instruments Citadel;C:\WINDOWS\system32\nicitdl5.exe
R2 nidevldu;NI Device Loader;C:\WINDOWS\system32\nipalsm.exe
R2 nipxirmk;nipxirmk;\??\C:\WINDOWS\system32\drivers\nipxirmkl.sys
R2 nipxirmu;NI PXI Resource Manager;C:\WINDOWS\system32\nipalsm.exe
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe"
R2 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiKl.sys
R2 SQLBrowser;SQL Server Browser;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R2 VSP1284D;VSP1284D;\??\C:\WINDOWS\system32\vsp1284d.sys
R3 DCamUSBLTN;3Com PC WebCam Lite;C:\WINDOWS\system32\DRIVERS\vqcam.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 nidimk;nidimk;\??\C:\WINDOWS\system32\drivers\nidimkl.sys
R3 nimdbgk;nimdbgk;\??\C:\WINDOWS\system32\drivers\nimdbgkl.sys
R3 nimru2k;nimru2k;\??\C:\WINDOWS\system32\drivers\nimru2kl.sys
R3 nimstsk;nimstsk;\??\C:\WINDOWS\system32\drivers\nimstskl.sys
R3 nimxdfk;nimxdfk;\??\C:\WINDOWS\system32\drivers\nimxdfkl.sys
R3 niscdk;niscdk;\??\C:\WINDOWS\system32\drivers\niscdkl.sys
R3 nixsrk;nixsrk;\??\C:\WINDOWS\system32\drivers\nixsrkl.sys
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\system32\drivers\NSDriver.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 lvalarmk;lvalarmk;\??\C:\WINDOWS\system32\drivers\lvalarmk.sys
S3 ni1006k;NI PXI-1006 Chassis Pilot;\??\C:\WINDOWS\system32\drivers\ni1006k.sys
S3 ni1045k;NI PXI-1045 Chassis Pilot;\??\C:\WINDOWS\system32\drivers\ni1045kl.sys
S3 nicdrk;nicdrk;\??\C:\WINDOWS\system32\drivers\nicdrkl.sys
S3 nidmxfk;nidmxfk;\??\C:\WINDOWS\system32\drivers\nidmxfkl.sys
S3 nidsark;nidsark;\??\C:\WINDOWS\system32\drivers\nidsarkl.sys
S3 niemrk;niemrk;\??\C:\WINDOWS\system32\drivers\niemrkl.sys
S3 niesrk;niesrk;\??\C:\WINDOWS\system32\drivers\niesrkl.sys
S3 nifslk;nifslk;\??\C:\WINDOWS\system32\drivers\nifslkl.sys
S3 nimsdrk;nimsdrk;\??\C:\WINDOWS\system32\drivers\nimsdrkl.sys
S3 nimslk;nimslk;\??\C:\WINDOWS\system32\drivers\nimslk.dll
S3 nimsrlk;nimsrlk;\??\C:\WINDOWS\system32\drivers\nimsrlk.dll
S3 nimxpk;nimxpk;\??\C:\WINDOWS\system32\drivers\nimxpkl.sys
S3 ninshsdk;ninshsdk;\??\C:\WINDOWS\system32\drivers\ninshsdkl.sys
S3 niorbk;niorbk;\??\C:\WINDOWS\system32\drivers\niorbkl.sys
S3 nipalfwedl;nipalfwedl;C:\WINDOWS\system32\drivers\nipalfwedl.sys
S3 nipalusbedl;nipalusbedl;C:\WINDOWS\system32\drivers\nipalusbedl.sys
S3 nipxigpk;NI PXI Generic Chassis Pilot;\??\C:\WINDOWS\system32\drivers\nipxigpk.sys
S3 nisdigk;nisdigk;\??\C:\WINDOWS\system32\drivers\nisdigkl.sys
S3 nisftk;nisftk;\??\C:\WINDOWS\system32\drivers\nisftkl.sys
S3 nismbusk;nismbusk;\??\C:\WINDOWS\system32\drivers\nismbusk.sys
S3 nispdk;nispdk;\??\C:\WINDOWS\system32\drivers\nispdkl.sys
S3 nissrk;nissrk;\??\C:\WINDOWS\system32\drivers\nissrkl.sys
S3 nistc2k;nistc2k;\??\C:\WINDOWS\system32\drivers\nistc2kl.sys
S3 nistcrk;nistcrk;\??\C:\WINDOWS\system32\drivers\nistcrkl.sys
S3 niswdk;niswdk;\??\C:\WINDOWS\system32\drivers\niswdkl.sys
S3 nitiork;nitiork;\??\C:\WINDOWS\system32\drivers\nitiorkl.sys
S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWKl.sys
S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciKl.sys
S3 niwfrk;niwfrk;\??\C:\WINDOWS\system32\drivers\niwfrkl.sys
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys
S3 SQLAgent$MICROSOFTSMLBIZ;SQLAgent$MICROSOFTSMLBIZ;"C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 usb6xxxk;usb6xxxk;\??\C:\WINDOWS\system32\drivers\usb6xxxk.sys

*Newly Created Service* - HTTPFILTER
*Newly Created Service* - NIPALK

Contents of the 'Scheduled Tasks' folder
2007-07-24 23:49:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-27 07:14:47 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 11:51:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000bd

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-27 11:53:38
C:\ComboFix-quarantined-files.txt ... 2007-07-27 11:52

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:38 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lmsxxef.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [XE Fax LM Status] lmsxxef.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [dbservices] scm -Silent 1 -Action 1 -Service mssqlserver
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\hmngaqy.dll,TurnOn2
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 3Com Video Launcher.lnk = C:\Program Files\3Com PC Digital WebCam Lite\videolaunch.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: XE_fx Status Monitor.lnk = C:\Program Files\XWC_90fx\X9ENGSS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (LkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (LkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 7392 bytes

Edited by BewilderedStranger, 27 July 2007 - 12:02 PM.
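An added example, not code from the thread or from HijackThis, ComboFix or any other tool named here: a Python triage script that parses HijackThis O4 autostart lines and cross-references each target against ComboFix's "Files Created" listing, so an entry like the rundll32-loaded DLL in the logs above is surfaced together with the reason it deserves a look. The sample lines are constructed in the shape of this thread's logs, and the scan time, the 30-day window and the heuristics themselves are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input in the shape of the thread's HijackThis log (not the full log).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [XE Fax LM Status] lmsxxef.exe
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\hmngaqy.dll,TurnOn2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - (no file)
"""

# Constructed lines in the shape of ComboFix's "Files Created" section.
COMBOFIX_SAMPLE = r"""
2007-07-11 15:17 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-11 09:18 53,248 --a------ C:\WINDOWS\system32\hmngaqy.dll
2007-07-03 00:00 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
"""

SCAN_TIME = datetime(2007, 7, 27, 12, 0)  # assumed time of the HijackThis scan

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+?)\s*$"
)
# Lazy match up to the first executable extension, so "C:\...\x.dll,Export" and
# unquoted paths containing spaces both yield just the file path.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|cpl))\b', re.IGNORECASE)


def parse_o4(line):
    """Return {'hive', 'name', 'cmd'} for a HijackThis O4 registry-run line, else None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_created(text):
    """Map lowercase path -> creation datetime from ComboFix 'Files Created' lines."""
    created = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            created[m.group("path").lower()] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M")
    return created


def referenced_path(cmd):
    """Return (path, fully_qualified) for the file an O4 command actually runs."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32"):
        # rundll32 form: the payload is the DLL in the second token, not rundll32 itself.
        cmd = cmd.split(None, 1)[1] if " " in cmd else ""
    m = PATH_RE.match(cmd)
    if m:
        return m.group("path"), True
    # No drive letter: a bare name is resolved through the search path at logon.
    return (cmd.split()[0] if cmd.split() else ""), False


def triage(hjt_text, combofix_text, scan_time, recent_days=30):
    """Flag O4 autostart entries that deserve a closer look, with the reason for each."""
    created = parse_created(combofix_text)
    findings = []
    for line in hjt_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        path, qualified = referenced_path(entry["cmd"])
        if not qualified:
            reasons.append("bare file name, resolved via the search path at logon")
        if entry["cmd"].lstrip().lower().startswith("rundll32"):
            reasons.append("rundll32 loads a DLL export at logon")
        ts = created.get(path.lower())
        if ts is not None and timedelta(0) <= scan_time - ts <= timedelta(days=recent_days):
            reasons.append(f"target created {ts:%Y-%m-%d %H:%M}, within {recent_days} days of the scan")
        if reasons:
            findings.append({"name": entry["name"], "hive": entry["hive"], "path": path, "reasons": reasons})
    return findings


def run_sample():
    """Triage the constructed sample above; used by the stand-alone run below."""
    return triage(HJT_SAMPLE, COMBOFIX_SAMPLE, SCAN_TIME)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['hive']}] {f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

The heuristics only prioritise entries for a human reviewer; a hit means "look at this file", not a malware verdict.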


#4 jurgenv


Posted 27 July 2007 - 12:08 PM

Download next tool to a place where you'll find it easily:

http://djlizard.net/Dial-a-fix-2006-09-19.exe

Double-click Dial-a-fix-2006-09-19.exe to start the program. Check everything in the main window and click on 'go'.
Let the tool do its job and reboot your system; after that, try to set your time manually.
Greets Jürgenv


#5 BewilderedStranger


Posted 27 July 2007 - 05:40 PM

Okay, I was able to set the time manually, but it seemed to take forever to open my Date and Time Properties box. Here's the new logfile; I didn't know if you needed another one or if we were done or what. Again, I appreciate all your help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:18 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lmsxxef.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [XE Fax LM Status] lmsxxef.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [dbservices] scm -Silent 1 -Action 1 -Service mssqlserver
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\hmngaqy.dll,TurnOn2
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-789336058-436374069-1957994488-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Gail Harris')
O4 - Global Startup: 3Com Video Launcher.lnk = C:\Program Files\3Com PC Digital WebCam Lite\videolaunch.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: XE_fx Status Monitor.lnk = C:\Program Files\XWC_90fx\X9ENGSS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (LkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (LkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 7659 bytes

#6 jurgenv

Posted 27 July 2007 - 05:47 PM

* Please open hijackthis and put a check next to the following:

O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - (no file)
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\hmngaqy.dll,TurnOn2


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* After that, post me a new log from combofix here.
Greets Jürgenv

#7 BewilderedStranger

Posted 28 July 2007 - 12:53 PM

"Monte Harris" - 2007-07-27 11:44:17 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\MONTEH~1.ROS\Desktop\internet.lnk
C:\Program Files\PopsMedia Site Adviser
C:\Program Files\PopsMedia Site Adviser\vm5_killer.exe


((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


2007-07-27 11:43 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 18:01 <DIR> d-------- C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\Apple Computer
2007-07-15 11:48 <DIR> d-------- C:\DOCUME~1\MONTEH~1.ROS\.housecall6.6
2007-07-11 15:20 786,432 --ah----- C:\DOCUME~1\ADMINI~1.ROS\NTUSER.DAT
2007-07-11 15:17 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-11 15:17 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-11 15:17 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-11 15:17 2,566 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-11 15:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-07-11 14:27 <DIR> d-------- C:\VundoFix Backups
2007-07-11 14:15 <DIR> d-------- C:\WINDOWS\pss
2007-07-11 10:52 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-11 09:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-07-11 09:18 53,248 --a------ C:\WINDOWS\system32\hmngaqy.dll
2007-07-03 00:00 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-02 23:58 <DIR> d-------- C:\DOCUME~1\DONHAR~2\APPLIC~1\Apple Computer
2007-07-02 23:57 <DIR> d-------- C:\Program Files\iTunes
2007-07-02 23:57 <DIR> d-------- C:\Program Files\iPod
2007-07-02 23:55 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-02 23:54 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-02 23:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple
2007-07-02 23:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple Computer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 18:10:08 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-07-11 19:03:55 -------- d-----w C:\Program Files\Live_TV
2007-07-11 19:01:38 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-11 19:01:35 -------- d-----w C:\Program Files\Lavasoft
2007-07-03 04:56:41 -------- d-----w C:\Program Files\QuickTime
2007-07-02 22:42:57 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-07-01 08:09:25 -------- d-----w C:\Program Files\National Instruments
2007-06-26 19:34:23 -------- d-----w C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\Thunderbird
2007-06-22 10:14:18 0 ----a-w C:\WINDOWS\nsreg.dat
2007-06-16 01:29:26 -------- d-----w C:\Program Files\GIMP-2.0
2007-06-16 01:28:35 -------- d-----w C:\Program Files\Common Files\GTK
2007-06-10 16:37:14 -------- d-----w C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\ConvertTemp
2007-06-10 16:37:13 -------- d-----w C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\TransRender
2007-06-10 16:37:13 -------- d-----w C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\Temporary
2007-06-10 01:29:50 -------- d-----w C:\DOCUME~1\MONTEH~1.ROS\APPLIC~1\Samsung
2007-06-10 01:27:11 5,632 ----a-w C:\WINDOWS\system32\drivers\StarOpen.sys
2007-06-10 01:21:34 -------- d-----w C:\Program Files\Samsung
2007-06-10 01:21:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 09:07:36 -------- d-----w C:\Program Files\BitScope


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E26CEADA-67B0-4543-BE8B-307F00265118}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"XE Fax LM Status"="lmsxxef.exe" [1999-10-12 09:53 C:\WINDOWS\system32\LMSXXEF.exe]
"InstantAccess"="C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [1998-12-10 13:57]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-10 12:33]
"dbservices"="scm -Silent 1 -Action 1 -Service mssqlserver" []
"niDevMon"="C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2007-02-24 02:34]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SecurityUpdate"="C:\WINDOWS\system32\hmngaqy.dll" [2007-07-11 09:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"=C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
3Com Video Launcher.lnk - C:\Program Files\3Com PC Digital WebCam Lite\videolaunch.exe [2005-07-30 09:49:33]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-04-20 21:02:09]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-02-27 18:45:31]
XE_fx Status Monitor.lnk - C:\Program Files\XWC_90fx\X9ENGSS.EXE [2005-12-19 00:29:21]

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys
R0 nipbcfk;National Instruments Class Upper Filter Driver;C:\WINDOWS\system32\drivers\nipbcfk.sys
R1 nikbd;LabVIEW DSC Module Keyboard Filter;C:\WINDOWS\system32\drivers\nikbd.sys
R1 StarOpen;StarOpen;C:\WINDOWS\system32\drivers\StarOpen.sys
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 MSSQL$KBMSS;SQL Server (KBMSS);"C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sKBMSS
R2 MSSQL$MICROSOFTSMLBIZ;MSSQL$MICROSOFTSMLBIZ;"C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe"
R2 NICitadel5Service;National Instruments Citadel;C:\WINDOWS\system32\nicitdl5.exe
R2 nidevldu;NI Device Loader;C:\WINDOWS\system32\nipalsm.exe
R2 nipxirmk;nipxirmk;\??\C:\WINDOWS\system32\drivers\nipxirmkl.sys
R2 nipxirmu;NI PXI Resource Manager;C:\WINDOWS\system32\nipalsm.exe
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe"
R2 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiKl.sys
R2 SQLBrowser;SQL Server Browser;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R2 VSP1284D;VSP1284D;\??\C:\WINDOWS\system32\vsp1284d.sys
R3 DCamUSBLTN;3Com PC WebCam Lite;C:\WINDOWS\system32\DRIVERS\vqcam.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 nidimk;nidimk;\??\C:\WINDOWS\system32\drivers\nidimkl.sys
R3 nimdbgk;nimdbgk;\??\C:\WINDOWS\system32\drivers\nimdbgkl.sys
R3 nimru2k;nimru2k;\??\C:\WINDOWS\system32\drivers\nimru2kl.sys
R3 nimstsk;nimstsk;\??\C:\WINDOWS\system32\drivers\nimstskl.sys
R3 nimxdfk;nimxdfk;\??\C:\WINDOWS\system32\drivers\nimxdfkl.sys
R3 niscdk;niscdk;\??\C:\WINDOWS\system32\drivers\niscdkl.sys
R3 nixsrk;nixsrk;\??\C:\WINDOWS\system32\drivers\nixsrkl.sys
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\system32\drivers\NSDriver.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 lvalarmk;lvalarmk;\??\C:\WINDOWS\system32\drivers\lvalarmk.sys
S3 ni1006k;NI PXI-1006 Chassis Pilot;\??\C:\WINDOWS\system32\drivers\ni1006k.sys
S3 ni1045k;NI PXI-1045 Chassis Pilot;\??\C:\WINDOWS\system32\drivers\ni1045kl.sys
S3 nicdrk;nicdrk;\??\C:\WINDOWS\system32\drivers\nicdrkl.sys
S3 nidmxfk;nidmxfk;\??\C:\WINDOWS\system32\drivers\nidmxfkl.sys
S3 nidsark;nidsark;\??\C:\WINDOWS\system32\drivers\nidsarkl.sys
S3 niemrk;niemrk;\??\C:\WINDOWS\system32\drivers\niemrkl.sys
S3 niesrk;niesrk;\??\C:\WINDOWS\system32\drivers\niesrkl.sys
S3 nifslk;nifslk;\??\C:\WINDOWS\system32\drivers\nifslkl.sys
S3 nimsdrk;nimsdrk;\??\C:\WINDOWS\system32\drivers\nimsdrkl.sys
S3 nimslk;nimslk;\??\C:\WINDOWS\system32\drivers\nimslk.dll
S3 nimsrlk;nimsrlk;\??\C:\WINDOWS\system32\drivers\nimsrlk.dll
S3 nimxpk;nimxpk;\??\C:\WINDOWS\system32\drivers\nimxpkl.sys
S3 ninshsdk;ninshsdk;\??\C:\WINDOWS\system32\drivers\ninshsdkl.sys
S3 niorbk;niorbk;\??\C:\WINDOWS\system32\drivers\niorbkl.sys
S3 nipalfwedl;nipalfwedl;C:\WINDOWS\system32\drivers\nipalfwedl.sys
S3 nipalusbedl;nipalusbedl;C:\WINDOWS\system32\drivers\nipalusbedl.sys
S3 nipxigpk;NI PXI Generic Chassis Pilot;\??\C:\WINDOWS\system32\drivers\nipxigpk.sys
S3 nisdigk;nisdigk;\??\C:\WINDOWS\system32\drivers\nisdigkl.sys
S3 nisftk;nisftk;\??\C:\WINDOWS\system32\drivers\nisftkl.sys
S3 nismbusk;nismbusk;\??\C:\WINDOWS\system32\drivers\nismbusk.sys
S3 nispdk;nispdk;\??\C:\WINDOWS\system32\drivers\nispdkl.sys
S3 nissrk;nissrk;\??\C:\WINDOWS\system32\drivers\nissrkl.sys
S3 nistc2k;nistc2k;\??\C:\WINDOWS\system32\drivers\nistc2kl.sys
S3 nistcrk;nistcrk;\??\C:\WINDOWS\system32\drivers\nistcrkl.sys
S3 niswdk;niswdk;\??\C:\WINDOWS\system32\drivers\niswdkl.sys
S3 nitiork;nitiork;\??\C:\WINDOWS\system32\drivers\nitiorkl.sys
S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWKl.sys
S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciKl.sys
S3 niwfrk;niwfrk;\??\C:\WINDOWS\system32\drivers\niwfrkl.sys
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys
S3 SQLAgent$MICROSOFTSMLBIZ;SQLAgent$MICROSOFTSMLBIZ;"C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 usb6xxxk;usb6xxxk;\??\C:\WINDOWS\system32\drivers\usb6xxxk.sys

*Newly Created Service* - HTTPFILTER
*Newly Created Service* - NIPALK

Contents of the 'Scheduled Tasks' folder
2007-07-24 23:49:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-27 07:14:47 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 11:51:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000bd

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-27 11:53:38
C:\ComboFix-quarantined-files.txt ... 2007-07-27 11:52

--- E O F ---
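The two lines jurgenv singled out in post #6 can be found mechanically from these logs: ComboFix's "Files Created" list dates hmngaqy.dll to 2007-07-11 09:18, the same timestamp ComboFix prints beside the SecurityUpdate Run value, and the O2 BHO has no file on disk. The script below is an added example, not a tool from this thread or from HijackThis/ComboFix; it parses a few HijackThis O2/O4 lines and ComboFix "Files Created" lines copied from the logs above and flags autorun entries whose target was created shortly before the scan (the 30-day window and the severity labels are assumed triage parameters).

```python
"""Log-triage helper: correlates HijackThis autorun lines with ComboFix's
'Files Created' list. Added example for this thread, not a BleepingComputer,
HijackThis or ComboFix tool. Sample lines are copied from the logs posted above."""
import re
from datetime import date

# Constructed sample: HijackThis O2/O4 lines taken from the logs in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\hmngaqy.dll,TurnOn2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample: ComboFix 'Files Created' lines from the log in this thread.
COMBOFIX_SAMPLE = r"""
2007-07-27 11:43 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-11 15:17 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-11 09:18 53,248 --a------ C:\WINDOWS\system32\hmngaqy.dll
2007-07-03 00:00 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
"""

# Date of the ComboFix run in the posted log (the 'Completion time' line).
SCAN_DATE = date(2007, 7, 27)

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CF_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.*)$")
# A drive-letter path ending in .exe or .dll; it stops at quotes and commas so the
# ',TurnOn2' export argument of a rundll32 command is not swallowed into the path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)', re.IGNORECASE)


def parse_combofix_created(text):
    """Map lowercase path -> creation date from ComboFix 'Files Created' lines."""
    created = {}
    for line in text.splitlines():
        m = CF_RE.match(line.strip())
        if m:
            created[m.group("path").strip().lower()] = date.fromisoformat(m.group("date"))
    return created


def triage(hjt_text, combofix_text, scan_date, window_days=30):
    """Return a list of (severity, hjt_line, reason) findings, in log order.

    window_days is an assumed triage parameter: an autorun target created
    within that many days of the scan is treated as worth a closer look."""
    created = parse_combofix_created(combofix_text)
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append(("medium", line, "BHO registered but its DLL is missing (orphaned entry)"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        via_rundll32 = cmd.lower().startswith("rundll32")
        for path in PATH_RE.findall(cmd):
            born = created.get(path.lower())
            if born is None:
                continue
            age = (scan_date - born).days
            if age <= window_days:
                reasons = [f"autorun target created {born} ({age} days before scan)"]
                if via_rundll32:
                    reasons.append("DLL loaded through rundll32 from a Run key")
                findings.append(("high" if via_rundll32 else "medium", line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for sev, line, why in triage(HJT_SAMPLE, COMBOFIX_SAMPLE, SCAN_DATE):
        print(f"[{sev}] {line}\n        {why}")
```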

#8 jurgenv

Posted 28 July 2007 - 12:56 PM

* Please remove these entries from Add/Remove Programs in the Control Panel (if present):
To do this, click 'Start' then 'Control Panel', then double-click on Add/Remove Programs.
PopsMedia Site Adviser

* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste the next part:


C:\WINDOWS\system32\hmngaqy.dll


Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the next folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply with a new hijackthis log and tell me how everything is working.
Greets Jürgenv

#9 BewilderedStranger

Posted 28 July 2007 - 01:44 PM

Okay, so that didn't work out well, I don't think. Popsmedia wasn't under the Add/Remove Programs, so I went to the next step and copied what you told me to into the left pane and clicked move, and the right pane said move failed and then it rebooted. On reboot it said it failed to load that filepath (the dll file). I don't know what it means but it kinda acts like I done somethin' bad. Again, I appreciate this a lot; I've been fighting this stupid thing for a while now. I'll be AFK until tomorrow though, so I'll get on ASAP tomorrow.

#10 BewilderedStranger

Posted 30 July 2007 - 11:39 AM

I'm back, so what should I do? Can you copy that dll file, or have I done something bad, or what?

#11 jurgenv

Posted 30 July 2007 - 02:24 PM

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\hmngaqy.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
Greets Jürgenv

#12 BewilderedStranger

Posted 30 July 2007 - 05:31 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\psuvxary

*******************

Script file located at: \??\C:\WINDOWS\system32\dkvsihlv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\hmngaqy.dll not found!
Deletion of file C:\WINDOWS\system32\hmngaqy.dll failed!

Could not process line:
C:\WINDOWS\system32\hmngaqy.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:36 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lmsxxef.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\lkads.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [XE Fax LM Status] lmsxxef.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [dbservices] scm -Silent 1 -Action 1 -Service mssqlserver
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\hmngaqy.dll,TurnOn2
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 3Com Video Launcher.lnk = C:\Program Files\3Com PC Digital WebCam Lite\videolaunch.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: XE_fx Status Monitor.lnk = C:\Program Files\XWC_90fx\X9ENGSS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (LkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (LkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 7377 bytes

#13 jurgenv

Posted 30 July 2007 - 05:46 PM

* Please open hijackthis and put a check next to the following:

O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\hmngaqy.dll,TurnOn2

* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* After that, tell me how everything is working.
Greets Jürgenv

#14 BewilderedStranger

Posted 31 July 2007 - 12:06 PM

Oh man my computer is working a hundred times better I really appreciate all your help.

#15 jurgenv

Posted 31 July 2007 - 12:28 PM

You're welcome.



Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at Bleepingcomputer are to help you, for your sake we would rather not have repeat customers. :thumbsup:

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. AVG makes an excellent free antivirus client, as do AntiVir or avast!.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are ZoneAlarm, Kerio, or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :D
Greets Jürgenv
