Old 05-04-2008, 06:33 PM   #1 (permalink)
OS: xp SP2


[SOLVED] Constant Popups

Hello,

My machine is infected with spyware that could not be removed by Spybot.

I have XP SP2 and I have run DSS; the main text is as follows:

Deckard's System Scanner v20071014.68
Run by Cav.Bal on 2008-05-04 23:40:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-05-04 22:42:10 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-05-04 18:42:23 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).
System Drive C: has 2.69 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-05 00:29:46
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.13)
Boot mode: Normal

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\ManageSoft\Launcher\mgsdl.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\openft\bin\secserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\openft\bin\neactrls.exe
C:\WINNT\Temp\TTD8C1.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\proquota.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\OfficeScan NT\PccNTMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\OfficeScan NT\PccNTUpd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\WINNT\system32\ocntqkdn.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\cav.bal\Desktop\dss(2).exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fast4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.sie.net:80;https=mddmproxy.gb001.sie.net:80;ftp=mddmproxy.gb001.sie.net:80;gopher=localhost:1;socks=proxy1.sbs.sie.co.uk:1080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
R1 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.sie.net:80;https=mddmproxy.gb001.sie.net:80;ftp=mddmproxy.gb001.sie.net:80;gopher=mddmproxy.gb001.sie.net:80
R3 - URLSearchHook: (no name) - {B85A7A3C-BEDA-E62A-F1FB-E93B8602749A} - C:\WINNT\system32\wkz.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: (no name) - {1DA38E5B-2AD2-4DD4-A8F5-420FB7D8B162} - (no file)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINNT\system32\efcCuVon.dll
O2 - BHO: (no name) - {2DA9D4B8-707E-47D7-925B-FA2D81FDDB47} - (no file)
O2 - BHO: (no name) - {387A5B21-F2FE-456A-AC47-CB1956E2A1F2} - (no file)
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINNT\system32\adaopcao.dll
O2 - BHO: (no name) - {51CA89EC-A5A2-4735-9C96-E7BED97E645F} - C:\WINNT\system32\hgGvtULC.dll
O2 - BHO: (no name) - {6376940F-FEA2-493A-8DD6-5CD70214CAEA} - (no file)
O2 - BHO: {115d40f9-ae98-1ce8-dcd4-88a8f41a6839} - {9386a14f-8a88-4dcd-8ec1-89ea9f04d511} - C:\WINNT\system32\mycobvju.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\Program Files\Ahead\\Nero\NeroCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [JavaProfileFix3] "C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe"
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [{F8-87-7D-D6-DW}] C:\winnt\system32\jpwnw64m.exe DWram
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662EA4EBF968951185EFC41280C9D7DBE80DC744B6CDE3D5170E744AB97
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINNT\system32\ocntqkdn.exe DWram
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\winreanimator.exe" /hide
O4 - HKLM\..\Run: [f00f8779] rundll32.exe "C:\WINNT\system32\ygjoamtd.dll",b
O4 - HKLM\..\Run: [BMf33cb4e5] Rundll32.exe "C:\WINNT\system32\cumuapux.dll",s
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\RunOnceEx: [900] Starting Masterimage Preparation
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Deewoo.lnk = C:\WINNT\system32\ocntqkdn.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.microsoft.com (HKCU)
O15 - Trusted Zone: *.sap-ag.de (HKCU)
O15 - Trusted Zone: *.sap.com (HKCU)
O15 - Trusted Zone: *.sap.com (HKCU)
O15 - Trusted IP Range: http://132.186.127.126 (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...eckControl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} () - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1176402450038
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O20 - Winlogon Notify: efcCuVon - C:\WINNT\system32\efcCuVon.dll
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\system32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ManageSoft Peer-to-Peer Download Service (mgsdl) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\mgsdl.exe
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: openFT Server (openFT FTNEA) - Fujitsu Siemens Computers GmbH - C:\Program Files\openft\bin\neactrls.exe
O23 - Service: openFT Security Server - Fujitsu Siemens Computers GmbH - C:\Program Files\openft\bin\secserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe


--
End of file - 14203 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"
.vbs - VBSFile - shell\open\command - unable to read value
.vbs - VBSFile - shell\edit\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Achernar (Achernar - SCSI Command Filters) - c:\winnt\system32\drivers\achernar.sys <Not Verified; An Chen Computer Co., Ltd.; Achernar>
R1 AFS2K - c:\winnt\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R2 Stltrk2k - c:\winnt\system32\drivers\stltrk2k.sys <Not Verified; SCM Microsystems Inc.; Support Driver for WINNT Based Applications>
R3 Aldebaran (Aldebaran - SCSI Command Filters) - c:\winnt\system32\drivers\aldebaran.sys <Not Verified; An Chen Computer Co., Ltd.; Aldebaran>

S3 O2SCBUS (O2Micro SmartCardBus Reader) - c:\winnt\system32\drivers\ozscr.sys <Not Verified; O2Micro; O2Micro (c) SmartCardBus Reader>
S3 U81xbus (LGE U8XXX driver (WDM)) - c:\winnt\system32\drivers\u81xbus.sys <Not Verified; MCCI; LG Electronics U8110>
S3 U81xmdfl (LGE U8XXX USB WMC Modem Filter) - c:\winnt\system32\drivers\u81xmdfl.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem Filter Driver>
S3 U81xmdm (LGE U8XXX USB WMC Modem Driver) - c:\winnt\system32\drivers\u81xmdm.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem>
S3 U81xmgmt (LGE U8XXX USB WMC Device Management Drivers (WDM)) - c:\winnt\system32\drivers\u81xmgmt.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Device Management>
S3 U81xobex (LGE U8XXX USB WMC OBEX Interface) - c:\winnt\system32\drivers\u81xobex.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC OBEX Interface>
S3 w800bus (Sony Ericsson W800 driver (WDM)) - c:\winnt\system32\drivers\w800bus.sys <Not Verified; MCCI; Sony Ericsson W800>
S3 w800mdfl (Sony Ericsson W800 USB WMC Modem Filter) - c:\winnt\system32\drivers\w800mdfl.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Modem Filter Driver>
S3 w800mdm (Sony Ericsson W800 USB WMC Modem Drivers) - c:\winnt\system32\drivers\w800mdm.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Modem>
S3 w800mgmt (Sony Ericsson W800 USB WMC Device Management Drivers) - c:\winnt\system32\drivers\w800mgmt.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Device Management>
S3 w800obex (Sony Ericsson W800 USB WMC OBEX Interface Drivers) - c:\winnt\system32\drivers\w800obex.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC OBEX Interface>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 mgsdl (ManageSoft Peer-to-Peer Download Service) - "c:\program files\managesoft\launcher\mgsdl.exe" <Not Verified; ManageSoft Corp; ManageSoft>
R2 ndGlobalLauncher (ManageSoft installation agent) - "c:\program files\managesoft\launcher\ndserv.exe" <Not Verified; ManageSoft Corp; ManageSoft>
R2 ndinit (ManageSoft managed device) - "c:\program files\managesoft\schedule agent\ndinit.exe" <Not Verified; ManageSoft Corp; ManageSoft managed device>
R2 ntrtscan (OfficeScanNT RealTime Scan) - "c:\program files\officescan nt\ntrtscan.exe" <Not Verified; Trend Micro Inc.; Trend Micro OfficeScan>
R2 openFT FTNEA (openFT Server) - "c:\program files\openft\bin\neactrls.exe" <Not Verified; Fujitsu Siemens Computers GmbH; openFT>
R2 openFT Security Server - "c:\program files\openft\bin\secserv.exe" <Not Verified; Fujitsu Siemens Computers GmbH; openFT>
R2 tmlisten (OfficeScanNT Listener) - "c:\program files\officescan nt\tmlisten.exe" <Not Verified; Trend Micro Inc.; Trend Micro OfficeScan>

S3 DWMRCS (DameWare Mini Remote Control) - -%systemroot%\system32\dwrcs.exe -service <Not Verified; DameWare Development LLC; DameWare Development DWRCS>
S4 OfcPfwSvc (OfficeScanNT Personal Firewall) - c:\program files\officescan nt\ofcpfwsvc.exe <Not Verified; Trend Micro Inc.; Trend Micro OfficeScan>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-05 and 2008-05-05 -----------------------------

2008-05-04 23:38:03 108096 --a------ C:\WINNT\system32\mycobvju.dll
2008-05-04 10:18:58 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 10:17:50 0 d-------- C:\Program Files\SpywareBlaster
2008-05-04 10:08:04 95296 --a------ C:\WINNT\system32\qupbotpi.dll
2008-05-04 10:07:47 108096 --a------ C:\WINNT\system32\wktriurh.dll
2008-05-04 10:07:32 53312 --a------ C:\WINNT\system32\adaopcao.dll
2008-05-04 10:07:20 104512 --a------ C:\WINNT\system32\vxeqhfpf.dll
2008-05-04 02:59:33 375451 --ahs---- C:\WINNT\system32\CLUtvGgh.ini2
2008-05-04 02:29:01 0 d-------- C:\Documents and Settings\cav.bal\Application Data\Talkback
2008-05-04 02:18:08 0 d-------- C:\Program Files\Panda Security
2008-05-04 02:18:03 1883 --a------ C:\WINNT\mozver.dat
2008-05-04 01:52:02 104512 --a------ C:\WINNT\system32\nvsqwjlp.dll
2008-05-04 01:51:55 53312 --a------ C:\WINNT\system32\qifliqrh.dll
2008-05-04 01:49:49 103488 --a------ C:\WINNT\system32\bdacbbwg.dll
2008-05-04 01:38:24 104512 --a------ C:\WINNT\system32\mhmdhpnn.dll
2008-05-04 01:35:24 96320 --a------ C:\WINNT\system32\oeywrplb.dll
2008-05-04 01:32:27 53312 --a------ C:\WINNT\system32\phpiytma.dll
2008-05-04 01:30:09 103488 --a------ C:\WINNT\system32\nunwnsop.dll
2008-05-04 01:29:19 281600 -----n--- C:\WINNT\system32\ssqOIXPg.dll
2008-05-04 01:19:35 104512 --a------ C:\WINNT\system32\mjumfhro.dll
2008-05-04 01:19:25 103488 --a------ C:\WINNT\system32\faugmjwq.dll
2008-05-04 01:16:51 53312 --a------ C:\WINNT\system32\ljkqnbbl.dll
2008-05-03 01:20:02 105536 --a------ C:\WINNT\system32\vvqtocwx.dll
2008-05-03 01:18:31 96320 --a------ C:\WINNT\system32\bhvpjeuu.dll
2008-05-03 01:17:49 105536 --a------ C:\WINNT\system32\mtacnoqa.dll
2008-05-03 01:17:38 53312 --a------ C:\WINNT\system32\bhkxnvxx.dll
2008-05-03 01:13:52 280576 -----n--- C:\WINNT\system32\hgGvtULC.dll
2008-05-01 23:29:29 96320 --a------ C:\WINNT\system32\gfjjovaf.dll
2008-05-01 23:27:15 107072 --a------ C:\WINNT\system32\hnlffuit.dll
2008-05-01 23:26:58 107072 --a------ C:\WINNT\system32\slwildsx.dll
2008-05-01 23:24:34 53312 --a------ C:\WINNT\system32\adqaykde.dll
2008-05-01 23:22:19 53312 --a------ C:\WINNT\system32\cyxjqgiy.dll
2008-04-30 00:00:30 97856 --a------ C:\WINNT\system32\qdrgjmeb.dll
2008-04-29 23:58:01 107072 --a------ C:\WINNT\system32\unrnyhhh.dll
2008-04-29 23:54:56 53312 --a------ C:\WINNT\system32\riiyorij.dll
2008-04-29 23:53:02 104512 --a------ C:\WINNT\system32\dwqnqvxx.dll
2008-04-26 22:58:00 24576 --a------ C:\WINNT\system32\ppc101.exe
2008-04-26 22:03:42 107072 --a------ C:\WINNT\system32\seflqkkv.dll
2008-04-26 22:01:53 53312 --a------ C:\WINNT\system32\bgksvhye.dll
2008-04-26 22:01:44 106048 --a------ C:\WINNT\system32\cumuapux.dll
2008-04-26 21:58:53 0 dr-h----- C:\Documents and Settings\cav.bal\Recent
2008-04-26 21:46:21 107072 --a------ C:\WINNT\system32\qkocanrl.dll
2008-04-26 21:41:59 53312 --a------ C:\WINNT\system32\tskwklfn.dll
2008-04-16 21:28:18 38400 -ra------ C:\WINNT\mrofinu.exe
2008-04-11 23:33:26 38400 -ra------ C:\WINNT\mrofinu1000106.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-04 23:48:36 0 d-------- C:\Program Files\OfficeScan NT
2008-05-04 23:35:43 6656 --a------ C:\WINNT\system32\univrs32.dat
2008-05-04 23:29:00 6144 --a------ C:\WINNT\system32\cru629.dat
2008-05-04 23:29:00 17920 --a------ C:\WINNT\system32\braviax.exe
2008-05-04 23:29:00 6144 --a------ C:\WINNT\cru629.dat
2008-05-04 23:29:00 17920 --a------ C:\WINNT\braviax.exe
2008-05-03 01:13:35 937 --a------ C:\WINNT\system32\winpfz33.sys
2008-03-04 20:32:27 105984 --a------ C:\WINNT\b152.exe
2008-03-02 15:26:43 73728 --a------ C:\WINNT\b153.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DA38E5B-2AD2-4DD4-A8F5-420FB7D8B162}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
10/04/2007 23:18 36864 --a------ C:\WINNT\system32\efcCuVon.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DA9D4B8-707E-47D7-925B-FA2D81FDDB47}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{387A5B21-F2FE-456A-AC47-CB1956E2A1F2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
04/05/2008 10:07 53312 --a------ C:\WINNT\system32\adaopcao.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51CA89EC-A5A2-4735-9C96-E7BED97E645F}]
03/05/2008 01:13 280576 --------- C:\WINNT\system32\hgGvtULC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6376940F-FEA2-493A-8DD6-5CD70214CAEA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9386a14f-8a88-4dcd-8ec1-89ea9f04d511}]
04/05/2008 23:38 108096 --a------ C:\WINNT\system32\mycobvju.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [24/01/2003 09:05]
"RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\\FaxCtrl.exe" [17/07/2003 11:44]
"Synchronization Manager"="C:\WINNT\system32\mobsync.exe" [04/08/2004 01:56]
"NeroCheck"="C:\Program Files\Ahead\\Nero\NeroCheck.exe" [09/07/2001 12:50]
"OfficeScanNT Monitor"="C:\Program Files\OfficeScan NT\pccntmon.exe" [08/01/2007 20:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/09/2004 12:58]
"Java Profiles Fix"="C:\Program Files\Java\Profile Fix\Java_Profile.exe" [30/04/2003 12:40]
"JavaProfileFix2"="C:\Program Files\Java\Profile Fix\Java_Profile_2.exe" [04/03/2004 12:33]
"Discovery User Input"="c:\Discovery\User Input\userin32.exe" [10/11/2005 13:58]
"JavaProfileFix3"="C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe" [06/12/2005 12:52]
"@"="" []
"Migrator"="C:\Program Files\CryptoEx\Migrator\Migrator.exe" [26/10/2004 16:16]
"CryptoExTrayV3"="C:\Program Files\CryptoEx\Common\CexTray.exe" [01/03/2005 17:55]
"SchedulingAgent_nDG"="C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" [27/07/2006 16:59]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [14/10/2003 11:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [17/03/2005 15:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [17/03/2005 15:45]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [28/03/2006 16:48]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [26/01/2005 19:02]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [10/04/2006 15:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [09/01/2008 08:27]
"{F8-87-7D-D6-DW}"="C:\winnt\system32\jpwnw64m.exe" []
"runner1"="C:\WINNT\mrofinu572.exe" []
"g]eeV\mWhjlnspB"="C:\WINNT\system32\ocntqkdn.exe" [10/04/2007 23:20]
"WinReanimator"="C:\Program Files\WinReanimator\winreanimator.exe" [29/02/2008 23:45]
"f00f8779"="C:\WINNT\system32\ygjoamtd.dll" []
"BMf33cb4e5"="C:\WINNT\system32\cumuapux.dll" [26/04/2008 22:01]
"braviax"="braviax.exe" [04/05/2008 23:29 C:\WINNT\system32\braviax.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [27/03/2007 15:22]
"CatUserRun"="exec32 /wh /c chgreg5 /c" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [04/08/2004 01:56]
"JavaCore"="C:\Program Files\\JavaCore\\JavaCore.exe" [12/04/2007 00:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

C:\Documents and Settings\cav.bal\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINNT\system32\ocntqkdn.exe [10/04/2007 23:20:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"MaxGPOScriptWait"=1800 (0x708)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"EnableProfileQuota"=1 (0x1)
"ProfileQuotaMessage"=You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"=10240 (0x2800)
"WarnUserTimeout"=15 (0xf)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"=1 (0x1)
"NoWebServices"=1 (0x1)
"NoOnlinePrintsWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoMSAppLogo5ChannelNotify"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)
"NoActiveDesktop"=1 (0x1)
"NoActiveDesktopChanges"=1 (0x1)
"NoDesktop"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoFolderOptions"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"PromptRunasInstallNetPath"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"DisallowCpl"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoThumbnailCache"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"GreyMSIAds"=1 (0x1)
"NoInternetIcon"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"DisablePersonalDirChange"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoAutoUpdate"=1 (0x1)
"StartRunNoHOMEPATH"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl]
"1"=wuaucpl.cpl

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)
"NoActiveDesktop"=1 (0x1)
"NoActiveDesktopChanges"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoFolderOptions"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinterTabs"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"= C:\WINNT\system32\efcCuVon.dll [10/04/2007 23:18 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CexTrayWinLogon]
C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll 26/01/2005 13:25 57344 C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcCuVon]
efcCuVon.dll 10/04/2007 23:18 36864 C:\WINNT\system32\efcCuVon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\hgGvtULC

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=CBEShutdown.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\1\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=catstart.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\GB001.sie.net\sysvol\GB001.sie.net\scripts\CatPC\CAT Basic Environment\Setup\Setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=DeployCentennialAgent.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-1152\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-31563\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-34625\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-450047656-3918250416-1063027673-500\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BO1HelperStartUp]
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

*Newly Created Service* - MACROMEDIA_LICENSING_SERVICE



-- End of Deckard's System Scanner: finished at 2008-05-05 00:34:26 ------------

Regards,
jmash
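The persistence points shown in the DSS log above (a ShellExecuteHooks DLL, a Winlogon\Notify DLL, a non-empty AppInit_DLLs value, an extra LSA Authentication Package, Run entries with no file details) are the entries an analyst triages first. The Python below is an added example for this thread; it is not output of, nor code from, DSS, HijackThis, ComboFix or Malwarebytes. It parses a constructed excerpt in the same "Reg Loading Points" layout and applies the checks a reviewer would otherwise do by eye. The random-name rule and the reading of an empty "[ ]" as a file the scanner could not read are the example's own assumptions.

```python
"""Triage of autostart (ASEP) entries in a DSS / ComboFix-style log.

Added example for this thread: it is not output of, nor code from, DSS,
HijackThis, ComboFix or Malwarebytes. SAMPLE_LOG is a constructed excerpt
modelled on the entries posted above, and every rule is a reviewer
heuristic that ranks what to inspect first, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the "Reg Loading Points" layout used by the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"= C:\WINNT\system32\efcCuVon.dll [10/04/2007 23:18 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CexTrayWinLogon]
C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll 26/01/2005 13:25 57344 C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcCuVon]
efcCuVon.dll 10/04/2007 23:18 36864 C:\WINNT\system32\efcCuVon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\hgGvtULC

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\OfficeScan NT\pccntmon.exe" [2007-01-08 20:20 356429]
"f00f8779"="C:\WINNT\system32\ygjoamtd.dll" [ ]
"runner1"="C:\WINNT\mrofinu572.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="SGPro.exe /shell"
"""

# "name"="value" [timestamp size]   (quotes and the [...] block are optional)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"?(?P<value>.*?)"?\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
# Winlogon\Notify lines end with "HH:MM size <full path>"
NOTIFY_PATH_RE = re.compile(r'\d\d:\d\d\s+\d+\s+(?P<path>[A-Za-z]:\\.+?)\s*$')
SYSTEM32_RE = re.compile(r'\\system32\\', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    key: str      # registry key the entry lives under
    target: str   # file or value that was flagged
    reason: str


def looks_random(path: str) -> bool:
    """Vundo-style names: an 8-letter stem with mixed case or almost no vowels.
    Weak heuristic (it also hits some legitimate DLLs), so it is only applied
    to files under system32 and only used to prioritise, never to convict."""
    stem = path.replace('/', '\\').rsplit('\\', 1)[-1].split('.', 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    mixed = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    vowels = sum(c in 'aeiouAEIOU' for c in stem)
    return mixed or vowels <= 2


def triage(log_text: str) -> List[Finding]:
    """Walk the log key by key and return the entries worth a closer look."""
    findings: List[Finding] = []
    key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        lkey = key.lower()
        m = VALUE_RE.match(line)
        name = m.group('name').lower() if m else ''
        value = m.group('value').strip() if m else line
        meta: Optional[str] = None          # None = no [...] block at all
        if m and m.group('meta') is not None:
            meta = m.group('meta').strip()  # '' = the scanner printed "[ ]"

        if lkey.endswith('currentversion\\windows') and name == 'appinit_dlls':
            if value:  # normally empty; anything here is mapped into every user32 process
                why = 'AppInit_DLLs is loaded into every process that links user32.dll; normally empty'
                if not value.lower().endswith('.dll'):
                    why += '; non-.dll extension disguises a loaded library'
                findings.append(Finding(key, value, why))
        elif lkey.endswith('\\control\\lsa') and name == 'authentication packages':
            for pkg in value.split():
                if pkg.lower() != 'msv1_0':  # msv1_0 is the stock package on XP
                    findings.append(Finding(key, pkg, 'extra LSA authentication package, loaded into lsass.exe at boot'))
        elif '\\winlogon\\notify\\' in lkey:
            pm = NOTIFY_PATH_RE.search(line)
            path = pm.group('path') if pm else line
            if SYSTEM32_RE.search(path) and looks_random(path):
                findings.append(Finding(key, path, 'Winlogon notification DLL with a random-looking name in system32 (heuristic)'))
        elif lkey.endswith('\\shellexecutehooks'):
            why = 'ShellExecuteHook DLL runs inside every ShellExecute call; few products need one'
            if SYSTEM32_RE.search(value) and looks_random(value):
                why += '; random-looking name (heuristic)'
            findings.append(Finding(key, value, why))
        elif lkey.endswith('\\currentversion\\run'):
            reasons = []
            if meta == '':
                reasons.append('scanner recorded no timestamp/size, so the file was missing or unreadable when scanned')
            if value.lower().endswith('.dll'):
                reasons.append('a DLL as a Run target (needs rundll32 or a loader to execute)')
            if SYSTEM32_RE.search(value) and looks_random(value):
                reasons.append('random-looking name in system32 (heuristic)')
            if reasons:
                findings.append(Finding(key, value, '; '.join(reasons)))
        elif lkey.endswith('\\winlogon') and name == 'shell':
            first = value.split()[0].lower() if value else ''
            if first != 'explorer.exe':
                findings.append(Finding(key, value, 'Winlogon Shell is not explorer.exe; confirm it is a sanctioned replacement shell'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.key}\n    {f.target}\n    -> {f.reason}')
```

On the constructed excerpt this reports seven entries and stays silent on the OfficeScan and CryptoEx lines. Run it against a real log by replacing SAMPLE_LOG with the pasted "Reg Loading Points" section; treat the two heuristic rules (random-looking name, empty "[ ]") as a reading order for the analyst, since a legitimate 8-letter DLL or a file the scanner simply could not open will trip them too.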
Old 05-05-2008, 04:08 PM   #2 (permalink)
greyknight17
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro

Re: Constant Popups

Welcome to TSF.

Run Deckard's System Scanner again, using the below instructions.

Go to Start->Run and copy/paste the following and click OK:

"%userprofile%\desktop\dss.exe" /daft

Click on Scan. Check the boxes which should appear for these entries:

.vbs
.js


Then click on Fix.

Click Scan again. You should get a message All Associations OK! Click Next, then Save Log and post this log in your next reply.

Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click Opera at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Download Malwarebytes' Anti-Malware at http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebyt...are_d5756.html. Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingcomputer.com/comb...o-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Run a new HijackThis scan and post that log here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Old 05-06-2008, 05:26 PM   #3 (permalink)
Registered User
 
Join Date: May 2008
Posts: 5
OS: xp SP2


Re: Constant Popups

I have followed your steps closely and am pasting the files in order below.

******************
daft.txt:
******************
DAFT Log saved on 2008-05-06 19:55:34
-----------------------------------------------------------------------
All associations okay!


******************
mbam log
******************
Malwarebytes' Anti-Malware 1.12
Database version: 726

Scan type: Full Scan (C:\|)
Objects scanned: 165519
Time elapsed: 4 hour(s), 24 minute(s), 57 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 34
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 70

Memory Processes Infected:
c:\program files\JavaCore\JavaCore.exe (Trojan.Insider) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINNT\system32\tpjuwdqv.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINNT\system32\unbnwmog.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINNT\system32\xxywXQGw.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINNT\system32\efcCuVon.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68810da4-1a9e-45be-bf89-c937cc27f26e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{68810da4-1a9e-45be-bf89-c937cc27f26e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{24e9519b-3f70-429b-99bc-4b2b49b96f66} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24e9519b-3f70-429b-99bc-4b2b49b96f66} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efccuvon (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3cab59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3cab59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vacpro.internazionale_ver10 (Dialer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dd469a88-316c-441d-b712-783d9b9a6707} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d28cd14c-50be-4cfa-951e-b37f25da3472} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d7391412-ca67-4b78-aa59-e09e193a1986} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9bcf2027-c4b0-4ada-bbd2-e6b642e5265a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WinReanimator (Rogue.WinReanimator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xInsiDERexe (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cc15b3c3-112b-465f-9880-88eedc82230f} (Trojan.vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f00f8779 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaCore (Trojan.Insider) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g]eeV\mWhjlnspB (Adware.ZeroSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{24e9519b-3f70-429b-99bc-4b2b49b96f66} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinReanimator (Rogue.WinReanimator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMf33cb4e5 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\xxywxqgw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\xxywxqgw -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\JavaCore\JavaCore.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\WINNT\system32\bhvpjeuu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\uuejpvhb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\gfjjovaf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\favojjfg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\oeywrplb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\blprwyeo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\qdrgjmeb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\bemjgrdq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\qupbotpi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\iptobpuq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\tpjuwdqv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\vqdwujpt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\unbnwmog.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\gomwnbnu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\xxywXQGw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\wGQXwyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\wGQXwyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\ocntqkdn.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\WINNT\system32\efcCuVon.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\pgmjhwmj.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\cav.bal\Local Settings\Temporary Internet Files\Content.IE5\IPIYQOEZ\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\cav.bal\Local Settings\Temporary Internet Files\Content.IE5\IPIYQOEZ\Installer2[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\cav.bal\Local Settings\Temporary Internet Files\Content.IE5\S9O22ZVZ\glas[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\cav.bal\Local Settings\Temporary Internet Files\Content.IE5\S9O22ZVZ\idkfa[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\cav.bal\Local Settings\Temporary Internet Files\Content.IE5\S9O22ZVZ\kriv[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpywareMaster\asm.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
C:\Program Files\Temporary\InsiDERInst.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\install.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\b152.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\WINNT\b153.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\mrofinu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\mrofinu1000106.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\mrofinu572.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\CSC\d5\800000B4 (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\ceogovkk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\cumuapux.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\hgayudvq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\ofwgaspq.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINNT\system32\ppc101.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\WINNT\system32\pvdahmvh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\qkocanrl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\qpnwbabf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\seflqkkv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\slwildsx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\ssqOIXPg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\vtUnlKDU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\winivstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\wupxaept.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINNT\system32\yaejoshx.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINNT\system32\ace2\bmv35gui.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\system32\bharebio01\bharebio011065.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINNT\system32\gui4\cegmgr76.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\un.ico (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\unzip32.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\WinReanimator.exe (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore\UnInstall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\system32\qodsddvg.dll (Trojan.Agent) -> Delete on reboot.
C:\WINNT\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINNT\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINNT\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\univrs32.dat (Trojan.Agent) -> Delete on reboot.
C:\WINNT\system32\braviax.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINNT\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\system32\hnlffuit.dll (Trojan.vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\cav.bal\Start Menu\Programs\Startup\Deewoo.lnk (Trojan.Agent) -> Quarantined and deleted successfully.



*****************
Combofix log
*****************

ComboFix 08-05-01.3 - cav.bal 2008-05-07 0:47:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.129 [GMT 1:00]
Running from: C:\Documents and Settings\cav.bal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\cav.bal\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\cav.bal\Application Data\FNTS~1
C:\Documents and Settings\cav.bal\Application Data\PPATCH~1
C:\Documents and Settings\cav.bal\Application Data\SCURIT~1
C:\Documents and Settings\cav.bal\My Documents\DOBE~1
C:\Documents and Settings\cav.bal\My Documents\MCROSO~1.NET
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\sstem3~1
C:\Program Files\mantec~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINNT\cookies.ini
C:\WINNT\pskt.ini
C:\WINNT\sstem~1
C:\WINNT\system32\amgncpos.dll
C:\WINNT\system32\axqoauup.dll
C:\WINNT\system32\bdacbbwg.dll
C:\WINNT\system32\braviax.exe
C:\WINNT\system32\crosof~1
C:\WINNT\system32\crosof~1.net
C:\WINNT\system32\curity~1
C:\WINNT\system32\drtuimqh.ini
C:\WINNT\system32\dtmaojgy.ini
C:\WINNT\system32\dwqnqvxx.dll
C:\WINNT\system32\ecurit~1
C:\WINNT\system32\efcCuVon.dll
C:\WINNT\system32\engcjvpv.dll
C:\WINNT\system32\faugmjwq.dll
C:\WINNT\system32\fnts~1
C:\WINNT\system32\gqmijyqr.dll
C:\WINNT\system32\grouppolicy\machine\scripts\scripts.ini
C:\WINNT\system32\hminljly.dll
C:\WINNT\system32\hpayyckf.ini
C:\WINNT\system32\kbuobuue.ini
C:\WINNT\system32\kpbcbiue.ini
C:\WINNT\system32\lnhcaugy.dll
C:\WINNT\system32\lstlbxxq.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\mhmdhpnn.dll
C:\WINNT\system32\mjumfhro.dll
C:\WINNT\system32\mrtpxcog.ini
C:\WINNT\system32\mtacnoqa.dll
C:\WINNT\system32\mycobvju.dll
C:\WINNT\system32\nunwnsop.dll
C:\WINNT\system32\nvsqwjlp.dll
C:\WINNT\system32\ogkgmbmm.dll
C:\WINNT\system32\qodsddvg.dll
C:\WINNT\system32\rkotupdu.ini
C:\WINNT\system32\sembly~1
C:\WINNT\system32\stem~1
C:\WINNT\system32\stem32~1
C:\WINNT\system32\tmsewxjy.ini
C:\WINNT\system32\tpjuwdqv.dll
C:\WINNT\system32\ufhjnjct.dll
C:\WINNT\system32\univrs32.dat
C:\WINNT\system32\unrnyhhh.dll
C:\WINNT\system32\uqffyluq.dll
C:\WINNT\system32\vvqtocwx.dll
C:\WINNT\system32\vxeqhfpf.dll
C:\WINNT\system32\wdanhngy.dll
C:\WINNT\system32\wktriurh.dll
C:\WINNT\system32\wnsapisv.exe
C:\WINNT\system32\wnsxs~1
C:\WINNT\system32\wxmkgeqd.ini
C:\WINNT\system32\xcweeogj.ini
C:\WINNT\system32\xxywXQGw.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-07 00:39 . 2008-05-07 01:02 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-05-07 00:39 . 2008-05-07 00:53 1,409 --a------ C:\WINNT\QTFont.for
2008-05-06 20:05 . 2008-05-06 20:05 <DIR> d-------- C:\Documents and Settings\cav.bal\Application Data\Malwarebytes
2008-05-06 20:04 . 2008-05-06 20:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 20:04 . 2008-05-06 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 20:04 . 2008-05-05 20:46 27,048 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-05-06 20:04 . 2008-05-05 20:46 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-05-06 01:53 . 2008-05-07 00:33 53,312 --------- C:\WINNT\system32\pgmjhwmj.dll
2008-05-05 01:52 . 2008-05-05 01:52 53,312 --a------ C:\WINNT\system32\stbnqsdi.dll
2008-05-05 00:37 . 2008-05-05 00:37 53,312 --a------ C:\WINNT\system32\aciywtwm.dll
2008-05-04 10:18 . 2008-05-04 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 10:17 . 2008-05-04 10:30 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-04 10:08 . 2008-05-04 10:08 1,482,415 ---hs---- C:\WINNT\system32\drtuimqh.tmp
2008-05-04 10:07 . 2008-05-04 10:07 53,312 --a------ C:\WINNT\system32\adaopcao.dll
2008-05-04 02:29 . 2008-05-04 02:29 <DIR> d-------- C:\Documents and Settings\cav.bal\Application Data\Talkback
2008-05-04 02:18 . 2008-05-04 02:27 <DIR> d-------- C:\Program Files\Panda Security
2008-05-04 02:18 . 2008-05-04 02:23 1,883 --a------ C:\WINNT\mozver.dat
2008-05-04 01:51 . 2008-05-04 01:51 53,312 --a------ C:\WINNT\system32\qifliqrh.dll
2008-05-04 01:32 . 2008-05-04 01:32 53,312 --a------ C:\WINNT\system32\phpiytma.dll
2008-05-04 01:16 . 2008-05-04 01:16 53,312 --a------ C:\WINNT\system32\ljkqnbbl.dll
2008-05-04 00:40 . 2008-05-04 00:40 13,942 --a------ C:\WINNT\system32\N90-002.ico
2008-05-03 01:17 . 2008-05-03 01:17 53,312 --a------ C:\WINNT\system32\bhkxnvxx.dll
2008-05-03 01:13 . 2008-05-05 01:25 345 --ahs---- C:\WINNT\system32\CLUtvGgh.ini
2008-05-02 00:11 . 2003-01-24 09:03 155,648 --a------ C:\WINNT\system32\igfxres.dll
2008-05-01 23:24 . 2008-05-01 23:24 53,312 --a------ C:\WINNT\system32\adqaykde.dll
2008-05-01 23:22 . 2008-05-01 23:22 53,312 --a------ C:\WINNT\system32\cyxjqgiy.dll
2008-04-29 23:54 . 2008-04-29 23:54 53,312 --a------ C:\WINNT\system32\riiyorij.dll
2008-04-26 22:01 . 2008-04-26 22:01 53,312 --a------ C:\WINNT\system32\bgksvhye.dll
2008-04-26 21:41 . 2008-04-26 21:42 53,312 --a------ C:\WINNT\system32\tskwklfn.dll
2008-04-26 21:32 . 2008-05-02 00:11 345 --ahs---- C:\WINNT\system32\bJlUCcdd.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 23:58 --------- d-----w C:\Program Files\OfficeScan NT
2008-04-26 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-26 21:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2006-02-13 16:20 32,064 ----a-w C:\Documents and Settings\cav.bal\Application Data\GDIPFONTCACHEV1.DAT
2005-10-21 15:15 184 ----a-w C:\Program Files\INSTALL.LOG
2004-08-03 14:57 6,074,820 ----a-w C:\Program Files\download.zip
2004-06-23 16:03 6,267,888 ----a-w C:\Program Files\visualformatclient.exe
2003-07-17 08:53 94,229,736 ----a-w C:\Program Files\openft.zip
2005-04-26 08:48 57,344 ----a-w C:\Program Files\internet explorer\plugins\PluginWrapper.dll
2007-04-17 20:42 32,768 --sha-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007041720070418\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DA38E5B-2AD2-4DD4-A8F5-420FB7D8B162}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DA9D4B8-707E-47D7-925B-FA2D81FDDB47}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{387A5B21-F2FE-456A-AC47-CB1956E2A1F2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6376940F-FEA2-493A-8DD6-5CD70214CAEA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68810DA4-1A9E-45BE-BF89-C937CC27F26E}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22 4670968]
"CatUserRun"="exec32 /wh /c chgreg5 /c" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"JavaCore"="C:\Program Files\\JavaCore\\JavaCore.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2003-01-24 09:05 114688]
"RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\\FaxCtrl.exe" [2003-07-17 11:44 114688]
"Synchronization Manager"="C:\WINNT\system32\mobsync.exe" [2004-08-04 01:56 143360]
"NeroCheck"="C:\Program Files\Ahead\\Nero\NeroCheck.exe" [2001-07-09 12:50 155648]
"DirXconnect settings"="C:\\PROGRA~1\sie\DIRXDI~1\dxdSetup.exe" [2000-03-21 10:39 106561]
"OfficeScanNT Monitor"="C:\Program Files\OfficeScan NT\pccntmon.exe" [2007-01-08 20:20 356429]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-09-07 12:58 77824]
"Java Profiles Fix"="C:\Program Files\Java\Profile Fix\Java_Profile.exe" [2003-04-30 12:40 32768]
"JavaProfileFix2"="C:\Program Files\Java\Profile Fix\Java_Profile_2.exe" [2004-03-04 12:33 36864]
"SIECACST"="C:\Program Files\sie\Card API\bin\siecacst.exe" [2005-02-01 10:10 45056]
"Discovery User Input"="c:\Discovery\User Input\userin32.exe" [2005-11-10 13:58 212992]
"JavaProfileFix3"="C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe" [2005-12-06 12:52 53248]
"Migrator"="C:\Program Files\CryptoEx\Migrator\Migrator.exe" [2004-10-26 16:16 290816]
"CryptoExTrayV3"="C:\Program Files\CryptoEx\Common\CexTray.exe" [2005-03-01 17:55 909312]
"SchedulingAgent_nDG"="C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" [2006-07-27 16:59 1183744]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 15:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 15:45 40960]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 16:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 15:58 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2008-01-09 08:27 77824]
"{F8-87-7D-D6-DW}"="C:\winnt\system32\jpwnw64m.exe" [ ]
"g]eeV\mWhjlnspB"="C:\WINNT\system32\ocntqkdn.exe" [ ]
"f00f8779"="C:\WINNT\system32\ygjoamtd.dll" [ ]
"@"="" []
"runner1"="C:\WINNT\mrofinu572.exe" [ ]
"WinReanimator"="C:\Program Files\WinReanimator\winreanimator.exe" [ ]
"BMf33cb4e5"="C:\WINNT\system32\engcjvpv.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"MaxGPOScriptWait"= 1800 (0x708)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"EnableProfileQuota"= 1 (0x1)
"ProfileQuotaMessage"= You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"= 10240 (0x2800)
"WarnUserTimeout"= 15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"StartRunNoHOMEPATH"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoFind"= 0 (0x0)
"NoRun"= 0 (0x0)
"NoSetActiveDesktop"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"NoViewContextMenu"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="SGPro.exe /shell"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CexTrayWinLogon]
C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll 2005-01-26 13:25 57344 C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcCuVon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=CBEShutdown.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\1\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=catstart.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\GB001.sie.net\sysvol\GB001.sie.net\scripts\CatPC\CAT Basic Environment\Setup\Setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=DeployCentennialAgent.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-1152\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-31563\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-34625\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-450047656-3918250416-1063027673-500\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BO1HelperStartUp]
C:\PROGRA~1\BUTTER~1\BO1HEL~1.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Achernar;Achernar - SCSI Command Filters;C:\WINNT\system32\Drivers\Achernar.sys [2004-02-11 16:34]
R2 CBBS;CAT Bulletin Board;C:\Program Files\sie\CAT Bulletin Board\CBBS.exe [2002-06-20 18:52]
R2 mgsdl;ManageSoft Peer-to-Peer Download Service;"C:\Program Files\ManageSoft\Launcher\mgsdl.exe" [2006-07-27 16:54]
R2 ndGlobalLauncher;ManageSoft installation agent;"C:\Program Files\ManageSoft\Launcher\ndserv.exe" [2006-07-27 16:56]
R2 ndinit;ManageSoft managed device;"C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe" [2006-07-27 17:00]
R2 openFT FTNEA;openFT Server;"C:\Program Files\openFT\bin\NEACTRLS.EXE" [2002-07-09 18:36]
R2 openFT Security Server;openFT Security Server;"C:\Program Files\openFT\bin\SECSERV.EXE" [2002-07-09 18:38]
R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINNT\system32\Drivers\Aldebaran.sys [2004-02-11 16:34]
S2 CatSystemSvc;CatSystem;C:\WINNT\CatPC\CATSYS\CatSystemSvc.exe [2006-05-02 20:43]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINNT\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 03:45]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

*Newly Created Service* - MACROMEDIA_LICENSING_SERVICE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 01:00:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINNT\explorer.exe [3348] 0x8328A650

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINNT\\system32\\ocntqkdn.exe DWram"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\scardsvr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINNT\TEMP\EX35A8.EXE
C:\WINNT\system32\proquota.exe
C:\Program Files\sie\CAT Bulletin Board\CBB.exe
C:\Program Files\OfficeScan NT\PccNTUpd.exe
C:\Program Files\OfficeScan NT\POP3Trap.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
.
**************************************************************************
.
Completion time: 2008-05-07 1:13:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 00:12:55

Pre-Run: 2,751,373,312 bytes free
Post-Run: 2,624,106,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

356



*******************
DSS log
*******************

Deckard's System Scanner v20071014.68
Run by cav.bal on 2008-05-07 01:19:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).
System Drive C: has 2.48 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-07 01:20:02
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.13)
Boot mode: Normal

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\sie\CAT Bulletin Board\CBBS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\ManageSoft\Launcher\mgsdl.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\openft\bin\secserv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\openft\bin\neactrls.exe
C:\WINNT\TEMP\EX35A8.EXE
C:\WINNT\system32\proquota.exe
C:\Program Files\sie\CAT Bulletin Board\CBB.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\OfficeScan NT\POP3Trap.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\cav.bal\Desktop\dss(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.sie.net:80;https=mddmproxy.gb001.sie.net:80;ftp=mddmproxy.gb001.sie.net:80;gopher=localhost:1;socks=proxy1.sbs.sie.co.uk:1080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.sie.net:80;https=mddmproxy.gb001.sie.net:80;ftp=mddmproxy.gb001.sie.net:80;gopher=mddmproxy.gb001.sie.net:80
R3 - URLSearchHook: (no name) - {B85A7A3C-BEDA-E62A-F1FB-E93B8602749A} - C:\WINNT\system32\wkz.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\Program Files\Ahead\\Nero\NeroCheck.exe
O4 - HKLM\..\Run: [DirXconnect settings] C:\\PROGRA~1\sie\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\sie\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [JavaProfileFix3] "C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe"
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [{F8-87-7D-D6-DW}] C:\winnt\system32\jpwnw64m.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINNT\system32\ocntqkdn.exe DWram
O4 - HKLM\..\Run: [f00f8779] rundll32.exe "C:\WINNT\system32\ygjoamtd.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Resume Windows Update Installation.lnk = \\gb001.sie.net\DFSroot\LSDP\BR0000023\WinXP\ie6setup.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://workplace.sie.net (HKLM)
O15 - Trusted Zone: *.microsoft.com (HKCU)
O15 - Trusted Zone: *.sap-ag.de (HKCU)
O15 - Trusted Zone: *.sap.com (HKCU)
O15 - Trusted Zone: *.sap.com (HKCU)
O15 - Trusted Zone: https://workplace.sie.net (HKCU)
O15 - Trusted IP Range: http://132.186.127.126 (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...eckControl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} () - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1176402450038
O17 - HKLM\Software\..\Telephony: DomainName = GB001.sie.net
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = GB001.sie.net
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O20 - Winlogon Notify: efcCuVon - C:\WINNT\system32\
O23 - Service: CatSystem (CatSystemSvc) - sie AG - C:\WINNT\CATPC\CATSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\sie\CAT Bulletin Board\CBBS.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\system32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ManageSoft Peer-to-Peer Download Service (mgsdl) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\mgsdl.exe
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: openFT Server (openFT FTNEA) - Fujitsu Siemens Computers GmbH - C:\Program Files\openft\bin\neactrls.exe
O23 - Service: openFT Security Server - Fujitsu Siemens Computers GmbH - C:\Program Files\openft\bin\secserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe


--
End of file - 12248 bytes

-- Files created between 2008-04-07 and 2008-05-07 -----------------------------

2008-05-07 00:44:25 68096 --a------ C:\WINNT\zip.exe
2008-05-07 00:44:25 49152 --a------ C:\WINNT\VFind.exe
2008-05-07 00:44:25 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-07 00:44:25 98816 --a------ C:\WINNT\sed.exe
2008-05-07 00:44:25 80412 --a------ C:\WINNT\grep.exe
2008-05-07 00:44:25 73728 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-07 00:44:24 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-07 00:44:24 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-06 20:05:24 0 d-------- C:\Documents and Settings\cav.bal\Application Data\Malwarebytes
2008-05-06 20:04:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 20:04:47 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 01:53:40 53312 -----n--- C:\WINNT\system32\pgmjhwmj.dll
2008-05-05 01:52:57 53312 --a------ C:\WINNT\system32\stbnqsdi.dll
2008-05-05 00:37:57 53312 --a------ C:\WINNT\system32\aciywtwm.dll
2008-05-04 10:18:58 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 10:17:50 0 d-------- C:\Program Files\SpywareBlaster
2008-05-04 10:07:32 53312 --a------ C:\WINNT\system32\adaopcao.dll
2008-05-04 02:29:01 0 d-------- C:\Documents and Settings\cav.bal\Application Data\Talkback
2008-05-04 02:18:08 0 d-------- C:\Program Files\Panda Security
2008-05-04 02:18:03 1883 --a------ C:\WINNT\mozver.dat
2008-05-04 01:51:55 53312 --a------ C:\WINNT\system32\qifliqrh.dll
2008-05-04 01:32:27 53312 --a------ C:\WINNT\system32\phpiytma.dll
2008-05-04 01:16:51 53312 --a------ C:\WINNT\system32\ljkqnbbl.dll
2008-05-03 01:17:38 53312 --a------ C:\WINNT\system32\bhkxnvxx.dll
2008-05-01 23:24:34 53312 --a------ C:\WINNT\system32\adqaykde.dll
2008-05-01 23:22:19 53312 --a------ C:\WINNT\system32\cyxjqgiy.dll
2008-04-29 23:54:56 53312 --a------ C:\WINNT\system32\riiyorij.dll
2008-04-26 22:01:53 53312 --a------ C:\WINNT\system32\bgksvhye.dll
2008-04-26 21:58:53 0 dr-h----- C:\Documents and Settings\cav.bal\Recent
2008-04-26 21:41:59 53312 --a------ C:\WINNT\system32\tskwklfn.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-07 01:20:47 0 d-------- C:\Program Files\OfficeScan NT
2008-05-07 00:48:07 0 d-a------ C:\Program Files\Common Files
2008-05-03 01:13:35 937 --a------ C:\WINNT\system32\winpfz33.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are n