12-08-2008, 03:35 PM   #4
nicoantique
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: xp


All that and a Bran Muffin...

My laptop is rockin' thanks to you! You rock! Everything is 10 times faster: processing, browsing, applications. No more popup windows and 3 Internet Explorers running in the background all the time. It doesn't seem hijacked anymore!
One small note though... I had to manually shut it down after running the first ComboFix... everything just stopped for 20 minutes at the message "Windows will reboot, please wait". I figured something froze, which it did. I shut it down manually and re-dropped the copy-pasted Notepad file onto ComboFix. Ran it again and it restarted Windows and produced a log, no problem. Thanks again. Let me know if there is anything else I should do besides staying off LimeWire :)

Here's the logs:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 18:11:41
Records in database: 1444306
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 55719
Threat name: 2
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 01:05:08


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\2.crack.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\3.video.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\4.setup.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\5.unpack.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\6.limepro.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\7.keygen.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_devmgr32_.dll.zip Infected: Trojan-Downloader.Win32.Agent.arsg 2
C:\Qoobox\Quarantine\[4]-Submit_2008-12-08@14.47.zip Infected: Trojan-Downloader.Win32.Agent.arsg 1

The selected area was scanned.



ComboFix


ComboFix 08-12-07.01 - stephenj young 2008-12-08 15:27:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1454 [GMT -5:00]
Running from: c:\documents and settings\stephenj young\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\stephenj young\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\10.tmp
c:\windows\system32\2.tmp
c:\windows\system32\28.tmp
c:\windows\system32\53.tmp
c:\windows\system32\GroupPolicy000.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\devmgr32.dll
.
---- Previous Run -------
.
c:\windows\system32\10.tmp
c:\windows\system32\2.tmp
c:\windows\system32\28.tmp
c:\windows\system32\53.tmp
c:\windows\system32\devmgr32.dll
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\GroupPolicyManifest
c:\windows\system32\GroupPolicyManifest\1.music.mp3
c:\windows\system32\GroupPolicyManifest\1.music.mp3.kwd
c:\windows\system32\GroupPolicyManifest\2.crack.zip
c:\windows\system32\GroupPolicyManifest\2.crack.zip.kwd
c:\windows\system32\GroupPolicyManifest\3.video.zip
c:\windows\system32\GroupPolicyManifest\3.video.zip.kwd
c:\windows\system32\GroupPolicyManifest\4.setup.zip
c:\windows\system32\GroupPolicyManifest\4.setup.zip.kwd
c:\windows\system32\GroupPolicyManifest\5.unpack.zip
c:\windows\system32\GroupPolicyManifest\5.unpack.zip.kwd
c:\windows\system32\GroupPolicyManifest\6.limepro.zip
c:\windows\system32\GroupPolicyManifest\6.limepro.zip.kwd
c:\windows\system32\GroupPolicyManifest\7.keygen.zip
c:\windows\system32\GroupPolicyManifest\7.keygen.zip.kwd
c:\windows\system32\GroupPolicyManifest\8.mpgvideo.mpg
c:\windows\system32\GroupPolicyManifest\8.mpgvideo.mpg.kwd
c:\windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 12:37 . 2008-12-08 08:37 373,760 --ahs---- c:\windows\system32\33.tmp
2008-12-07 12:37 . 2008-12-07 12:37 0 --a------ c:\windows\system32\32.tmp
2008-12-06 13:32 . 2008-12-06 13:32 373,760 --ahs---- c:\windows\system32\26.tmp
2008-12-05 10:30 . 2008-12-05 17:32 373,760 --ahs---- c:\windows\system32\1B.tmp
2008-12-05 09:34 . 2008-12-05 09:34 0 --a------ c:\windows\system32\11.tmp
2008-12-04 16:16 . 2008-12-04 16:16 <DIR> d--h----- c:\windows\PIF
2008-12-04 16:03 . 2008-12-04 16:04 250 --a------ c:\windows\gmer.ini
2008-12-04 15:28 . 2008-12-04 15:28 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 11:52 . 2008-12-02 11:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 11:52 . 2008-12-02 12:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 16:08 . 2008-12-08 02:07 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-01 16:08 . 2008-12-01 16:08 <DIR> d-------- c:\documents and settings\stephenj young\Application Data\PC Tools
2008-12-01 16:08 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-01 16:08 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-01 16:08 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-01 16:08 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-30 23:27 . 2008-11-30 23:27 4,516 --a------ c:\windows\GnuHashes.ini
2008-11-12 09:09 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 09:09 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 13:21 . 2008-11-11 13:21 <DIR> d-------- c:\program files\DIFX
2008-11-11 13:21 . 2008-11-11 13:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\kinoma

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 20:24 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-08 20:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-08 19:51 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-02 21:33 --------- d-----w c:\program files\Digital Line Detect
2008-12-02 04:57 --------- d-----w c:\documents and settings\stephenj young\Application Data\LimeWire
2008-12-01 21:34 --------- d-----w c:\program files\TomTom HOME 2
2008-11-17 20:29 --------- d-----w c:\program files\LogMeIn
2008-10-24 11:21 455,296 ------w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 05:34 --------- d-----w c:\program files\Netflix
2008-10-21 15:10 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
2008-09-12 21:46 61,224 ----a-w c:\documents and settings\stephenj young\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-23 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-23 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-23 137752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-08-21 115816]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-21 771704]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"lxdfmon.exe"="c:\program files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 455600]
"lxdfamon"="c:\program files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"Lexmark 6500 Series Fax Server"="c:\program files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"SigmatelSysTrayApp"="stsystra.exe" [2007-09-16 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-21 10:10 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dvd43"=c:\program files\dvd43\dvd43_tray.exe
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\WINDOWS\\system32\\lxdfcoms.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\lxdfamon.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\LXDFFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\DRIVERS\datunidr.sys [2007-08-23 5376]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-11 47640]
R2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe -service []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-07 99376]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2008-03-19 99248]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-01 356920]
S4 LMIRfsClientNP;LMIRfsClientNP; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7c54497-f5e0-11dc-aeae-001ec900b904}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - stephenj young.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-21 01:02]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-EstimateReview - (no file)
Notify-28663152509 - c:\windows\System32\devmgr32.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 15:30:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\windows\system32\lxdfcoms.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\stacsv.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-12-08 15:33:45 - machine was rebooted [stephenj young]
ComboFix-quarantined-files.txt 2008-12-08 20:33:34

Pre-Run: 87,493,062,656 bytes free
Post-Run: 87,397,781,504 bytes free

217 --- E O F --- 2008-11-22 10:45:34

Onlinescan