Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
05-12-2007, 09:40 PM   #1
Registered User
Join Date: Dec 2006
Posts: 24
OS: WinXP


Popups - panda says worms & trj

Hi all--
Nasty popups with IE--not Firefox though...
Here are the logs:
Thanks in advance!!

Deckard's System Scanner v20070426.43
Run by NRT on 2007-05-12 at 22:40:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
78: 2007-05-13 02:40:22 UTC - RP390 - Deckard's System Scanner Restore Point
77: 2007-05-12 17:16:27 UTC - RP389 - System Checkpoint
76: 2007-05-11 13:34:38 UTC - RP388 - System Checkpoint
75: 2007-05-10 13:28:31 UTC - RP387 - Software Distribution Service 2.0
74: 2007-05-10 02:13:58 UTC - RP386 - Software Distribution Service 2.0


-- First Restore Point --
1: 2007-02-12 14:37:10 UTC - RP313 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as NRT.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:44:46 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virtual CD v9\System\VC9SecS.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\NRT\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\NRT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.163.188.39:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {dfd803ef-7155-4f56-bfcb-a6763d7a3427} - C:\WINDOWS\system32\common.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\tmp2E.tmp.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [IPO3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [batterymiser] "C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\wvttsq.dll",realset
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [VC9Player] C:\Program Files\Virtual CD v9\System\VC9Play.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\pmkjhf.dll",realset
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{494EA3C5-064D-455F-B3FE-2521CF5825B7}: NameServer = 192.168.1.1
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: common - C:\WINDOWS\SYSTEM32\common.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c007AE3E - C:\WINDOWS\system32\__c007AE3E.dat
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v9\System\VC9SecS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Ndisipo (NDIS Protocol Driver for IPO3) - c:\windows\system32\drivers\ndisipo.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 enodpl - c:\windows\system32\drivers\enodpl.sys
R2 tandpl - c:\windows\system32\drivers\tandpl.sys
R3 lgsnd_filter - c:\windows\system32\drivers\lgsnd_filter.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys

S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 HH9Help.sys - c:\windows\system32\drivers\hh9help.sys <Not Verified; H+H Software GmbH; Virtual CD>
S3 PNDIS5 (PNDIS5 NDIS Protocol Driver) - d:\pndis5.sys (file missing)
S3 TDAUSBMU (Panasonic KX-TDA USB Main Unit driver) - c:\windows\system32\drivers\tdausbmu.sys <Not Verified; Panasonic Communications Co., Ltd.; Panasonic KX-TDA USB Main Unit driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>

S3 ServiceLayer - "c:\program files\common files\pcsuite\services\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Scheduled Tasks -------------------------------------------------------------

2006-02-27 09:33:08 102 --a------ C:\WINDOWS\Tasks\Low Battery Alarm Program.job
2006-02-27 09:33:08 102 --a------ C:\WINDOWS\Tasks\Critical Battery Alarm Program.job


-- Files created between 2007-04-12 and 2007-05-12 -----------------------------

2007-05-12 22:25:05 0 d-------- C:\Program Files\SpywareBlaster
2007-05-12 21:28:30 77 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-05-12 21:28:30 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2007-05-12 21:24:38 0 d-------- C:\WINDOWS\LastGood
2007-05-09 23:00:35 153 --a------ C:\xcrashdump.dat
2007-05-09 22:20:31 0 d-------- C:\Program Files\Windows Media Connect 2
2007-05-09 22:16:02 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-05-06 10:33:45 11520 -----n--- C:\WINDOWS\system32\drivers\WDMSTUB.sys <Not Verified; Walter Oney Software; Programming the Microsoft Windows Driver Model SP-4>
2007-05-05 23:58:25 11392 --a------ C:\WINDOWS\system32\drivers\HH9Help.sys <Not Verified; H+H Software GmbH; Virtual CD>
2007-05-05 23:57:32 1077248 --a------ C:\WINDOWS\system32\NMSDVDX.dll <Not Verified; NuMedia Soft, Inc.; NMSDVDX SDK>
2007-05-05 23:57:28 315392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll <Not Verified; NCT Company Ltd.; NCTAudioPlayer2 ActiveX DLL>
2007-05-05 23:57:28 1843200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2007-05-05 23:57:10 0 d-------- C:\Program Files\Virtual CD v9
2007-05-05 23:56:25 0 d-------- C:\Documents and Settings\NRT\Application Data\InstallShield
2007-05-04 21:37:15 7296 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
2007-05-04 21:37:15 17024 --a------ C:\WINDOWS\system32\drivers\grmngen.sys <Not Verified; Walter Oney Software; >
2007-05-03 21:29:01 4736 --a------ C:\WINDOWS\system32\drivers\tandpl.sys
2007-05-03 21:29:01 7552 --a------ C:\WINDOWS\system32\drivers\enodpl.sys
2007-05-03 21:28:09 0 d-------- C:\Program Files\Magellan
2007-05-02 23:19:59 0 d-------- C:\Program Files\Garmin
2007-05-02 23:19:20 0 d-------- C:\Garmin
2007-04-30 11:02:48 0 d-------- C:\Documents and Settings\NRT\Application Data\Talkback
2007-04-30 10:52:23 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-04-28 12:45:22 0 d-------- C:\WINDOWS\network diagnostic
2007-04-28 12:43:16 0 d-------- C:\Program Files\MSXML 4.0
2007-04-28 12:00:49 36352 -----n--- C:\WINDOWS\system32\__c007AE3E.dat
2007-04-28 10:54:45 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-04-28 10:13:13 0 d-------- C:\Documents and Settings\NRT\Application Data\Lavasoft
2007-04-28 10:11:44 0 d-------- C:\Program Files\Lavasoft
2007-04-28 10:11:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 20:24:09 22110 --a------ C:\WINDOWS\system32\common.dll


-- Find3M Report ---------------------------------------------------------------

2007-05-12 21:27:28 0 d-------- C:\Program Files\iTunes
2007-05-12 21:27:02 0 d-------- C:\Program Files\MSN Messenger
2007-05-06 10:35:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-06 10:26:01 0 d-------- C:\Documents and Settings\NRT\Application Data\Azureus
2007-05-05 1256 0 d-------- C:\Documents and Settings\NRT\Application Data\Help
2007-05-04 13:50:23 10119 --a------ C:\Documents and Settings\NRT\Application Data\Microsoft Excel.CAL
2007-04-30 10:54:04 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-04-28 12:25:50 0 d-------- C:\Program Files\Messenger
2007-03-26 22:37:06 0 d-------- C:\Documents and Settings\NRT\Application Data\Adobe
2007-03-25 18:41:05 0 d-------- C:\Program Files\QuickTime
2007-03-25 18:41:05 0 d-------- C:\Program Files\On Screen Display
2007-03-25 18:39:54 37674 --a------ C:\WINDOWS\system32\lsasss.exe
2007-03-25 18:39:54 37674 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-03-25 18:39:54 37674 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-03-25 18:39:54 37674 --a------ C:\WINDOWS\system32\DrvMon.exe
2007-03-22 09:41:25 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-03-22 09:41:04 0 d-------- C:\Program Files\Common Files\Intuit


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{dfd803ef-7155-4f56-bfcb-a6763d7a3427} C:\WINDOWS\system32\common.dll
{E2EE5C44-C66D-499d-BEAE-A2A79189A63A} C:\WINDOWS\system32\tmp2E.tmp.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"KeybdUtility"="\"C:\\Program Files\\On Screen Display\\Hotkey.exe\""
"IPO3"="\"C:\\Program Files\\LG Software\\IP Operator 2005\\IP Operator 2005.exe\" -aUtOsTaRtFrOmReG"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"batterymiser"="\"C:\\Program Files\\LG Software\\Battery Miser 2005\\batterymiser.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\wvttsq.dll\",realset"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"LG Intelligent Update"="\"C:\\Program Files\\lg_swupdate\\autoupdate.exe\" Gilautouc"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"AGRSMMSG"="AGRSMMSG.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"VC9Player"="C:\\Program Files\\Virtual CD v9\\System\\VC9Play.exe"
"WindowsService"="rundll32.exe \"C:\\WINDOWS\\pmkjhf.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DrvMon.exe"="C:\\WINDOWS\\system32\\DrvMon.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"="BatteryMiser Psap Shl Ext"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\common
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007AE3E

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=dword:00000003
"SSScsiSV"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6075f55d-6056-11d9-842d-000e35850151}]
Shell\AutoRun\command H:\loader.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{af892323-6041-11d9-8427-000e35850151}]
Shell\AutoRun\command G:\loader.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_UPNPHOST


-- End of Deckard's System Scanner: finished at 2007-05-12 at 22:45:27 ---------
Attached Files
File Type: txt PandaActivescan.txt (19.8 KB, 0 views)
File Type: txt extra.txt (13.0 KB, 1 views)
dxerboy is offline  
05-13-2007, 04:36 PM   #2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Popups - panda says worms & trj

1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
sUBs is offline  
05-13-2007, 08:36 PM   #3
Registered User
Join Date: Dec 2006
Posts: 24
OS: WinXP


Re: Popups - panda says worms & trj

"NRT" - 2007-05-13 22:11:59 Service Pack 2
ComboFix 07-05.14.V - Running from: "C:\Documents and Settings\NRT\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\common.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\install.log
C:\WINDOWS\system32\lsasss.exe


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


2007-05-12 22:40 <DIR> d-------- C:\Deckard
2007-05-12 22:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-12 15:27 <DIR> d-------- C:\Temp\FrankProtocol
2007-05-12 15:27 <DIR> d-------- C:\Temp\FrankPacManager
2007-05-12 15:27 <DIR> d-------- C:\Temp\FrankMedium
2007-05-12 15:27 <DIR> d-------- C:\Temp\FrankHandler
2007-05-12 15:27 <DIR> d-------- C:\Temp\FrankFormat
2007-05-12 15:27 <DIR> d-------- C:\Temp\FrankDevice
2007-05-12 15:27 <DIR> d-------- C:\Temp\FrankContents
2007-05-12 15:27 <DIR> d-------- C:\Temp\Frank
2007-05-09 23:00 153 --a------ C:\xcrashdump.dat
2007-05-09 22:20 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-05-09 22:16 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-05-06 10:33 11,520 --------- C:\WINDOWS\system32\drivers\WDMSTUB.sys
2007-05-05 23:58 11,392 --a------ C:\WINDOWS\system32\drivers\HH9Help.sys
2007-05-05 23:58 105,984 --a------ C:\WINDOWS\system32\drivers\vdrv9000.sys
2007-05-05 23:57 315,392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2007-05-05 23:57 1,843,200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2007-05-05 23:57 1,077,248 --a------ C:\WINDOWS\system32\NMSDVDX.dll
2007-05-05 23:57 <DIR> d-------- C:\Program Files\Virtual CD v9
2007-05-05 23:56 <DIR> d-------- C:\DOCUME~1\NRT\APPLIC~1\InstallShield
2007-05-05 22:22 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-05-04 21:37 7,296 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2007-05-04 21:37 17,024 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2007-05-03 21:29 7,552 --a------ C:\WINDOWS\system32\drivers\enodpl.sys
2007-05-03 21:29 4,736 --a------ C:\WINDOWS\system32\drivers\tandpl.sys
2007-05-03 21:28 <DIR> d-------- C:\Program Files\Magellan
2007-05-02 23:19 <DIR> d-------- C:\Program Files\Garmin
2007-05-02 23:19 <DIR> d-------- C:\Garmin
2007-04-30 11:02 <DIR> d-------- C:\DOCUME~1\NRT\APPLIC~1\Talkback
2007-04-30 10:52 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-04-30 10:52 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-04-30 10:51 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-04-28 12:45 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-28 12:43 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-28 10:54 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-28 10:13 <DIR> d-------- C:\DOCUME~1\NRT\APPLIC~1\Lavasoft
2007-04-28 10:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-28 10:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-13 01:27:28 -------- d-----w C:\Program Files\iTunes
2007-05-13 01:27:02 -------- d-----w C:\Program Files\MSN Messenger
2007-05-06 14:35:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-06 14:26:01 -------- d-----w C:\DOCUME~1\NRT\APPLIC~1\Azureus
2007-05-05 1656 -------- d-----w C:\DOCUME~1\NRT\APPLIC~1\Help
2007-04-30 14:54:04 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-28 16:25:50 -------- d-----w C:\Program Files\Messenger
2007-03-25 22:41:05 -------- d-----w C:\Program Files\QuickTime
2007-03-25 22:41:05 -------- d-----w C:\Program Files\On Screen Display
2007-03-25 22:39:54 37,674 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-03-25 22:39:54 37,674 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-03-25 22:39:54 37,674 ----a-w C:\WINDOWS\system32\DrvMon.exe
2007-03-22 13:41:25 -------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-03-22 13:41:04 -------- d-----w C:\Program Files\Common Files\Intuit
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 13:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"KeybdUtility"="\"C:\\Program Files\\On Screen Display\\Hotkey.exe\""
"IPO3"="\"C:\\Program Files\\LG Software\\IP Operator 2005\\IP Operator 2005.exe\" -aUtOsTaRtFrOmReG"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"batterymiser"="\"C:\\Program Files\\LG Software\\Battery Miser 2005\\batterymiser.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"LG Intelligent Update"="\"C:\\Program Files\\lg_swupdate\\autoupdate.exe\" Gilautouc"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"AGRSMMSG"="AGRSMMSG.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"VC9Player"="C:\\Program Files\\Virtual CD v9\\System\\VC9Play.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-03-25 18:39]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-25 18:39]
"KeybdUtility"="C:\Program Files\On Screen Display\Hotkey.exe" [2007-03-25 18:39]
"IPO3"="C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" [2005-06-17 15:02]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-25 18:39]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-25 18:39]
"batterymiser"="C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe" [2007-03-25 18:39]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-25 18:39]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 01:05]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29]
"LG Intelligent Update"="C:\Program Files\lg_swupdate\autoupdate.exe" [2005-07-07 13:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Cmaudio"="cmicnfg.cpl,CMICtrlWnd" [])
"AGRSMMSG"="AGRSMMSG.exe" [])
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12]
"VC9Player"="C:\Program Files\Virtual CD v9\System\VC9Play.exe" [2007-04-12 12:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2007-03-25 18:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DrvMon.exe"="C:\\WINDOWS\\system32\\DrvMon.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"="C:\WINDOWS\system32\bmpsap.dll" [2005-06-02 18:26]


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007AE3E

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=dword:00000003
"SSScsiSV"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6075f55d-6056-11d9-842d-000e35850151}]
Shell\AutoRun\command H:\loader.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f6b1476-fab2-11db-bd0a-0013ce27d93c}]
Shell\AutoRun\command F:\autorun.EXE auto

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{af892323-6041-11d9-8427-000e35850151}]
Shell\AutoRun\command G:\loader.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Critical Battery Alarm Program.job
C:\WINDOWS\tasks\Low Battery Alarm Program.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 22:26:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-13 22:29:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-13 22:29
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\common.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\install.log
C:\WINDOWS\system32\lsasss.exe


((((((((((((((((((((((((((((((( Files Created from 05/1-01-07 to 05/13/2007 ))))))))))))))))))))))))))))))))))


Logfile of HijackThis v1.99.1
Scan saved at 10:35:08 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virtual CD v9\System\VC9SecS.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\7196.cfexe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.163.188.39:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [IPO3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [batterymiser] "C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [VC9Player] C:\Program Files\Virtual CD v9\System\VC9Play.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{494EA3C5-064D-455F-B3FE-2521CF5825B7}: NameServer = 192.168.1.1
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c007AE3E - C:\WINDOWS\system32\__c007AE3E.dat (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v9\System\VC9SecS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Old 05-14-2007, 12:20 AM   #4
sUBs - Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Popups - panda says worms & trj

Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: __c007AE3E - C:\WINDOWS\system32\__c007AE3E.dat (file missing)



---------------


Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. We only require a report from it.
    It does not provide an option to clean/disinfect.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.



---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
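The three lines picked out above share one tell: the registry still points at something that is no longer on disk ("(no file)", "(file missing)"), or at a value that exists but is empty (the bare AppInit_DLLs line). As an added example, not part of this thread and not code from HijackThis, the script below applies that selection as a filter over HijackThis 1.99.1 log lines. The sample log is constructed here from a few lines of the log posted above plus two untouched control lines, so it runs offline.

```python
"""Triage a HijackThis 1.99.1 log: pick out the entries a helper would
normally tell the user to 'Fix checked'.  Added example; not part of the
forum thread and not HijackThis code."""
import re

# Constructed sample: lines copied from the log posted in this thread plus
# two benign control lines (the Acrobat BHO and the WgaLogon notify DLL).
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\\..\\Run: [DrvMon.exe] C:\\WINDOWS\\system32\\DrvMon.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: __c007AE3E - C:\\WINDOWS\\system32\\__c007AE3E.dat (file missing)
"""

# HJT entry lines look like "O20 - <body>"; sections are R, F, N and O.
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")


def parse(log_text):
    """Return (section, body) tuples for every HJT entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def suspicious(entries):
    """Return (line, reason) pairs for entries worth ticking in HijackThis."""
    hits = []
    for sec, body in entries:
        line = f"{sec} - {body}"
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            # The registry still references a DLL/file that no longer exists:
            # a hook left behind after its payload was deleted or quarantined.
            hits.append((line, "orphaned entry, referenced file is gone"))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            hits.append((line, "unnamed BHO"))
        elif sec == "O20" and body.strip() == "AppInit_DLLs:":
            # AppInit_DLLs is normally absent; an empty value is the residue
            # of something that once wrote to it.
            hits.append((line, "AppInit_DLLs value present but empty"))
    return hits


if __name__ == "__main__":
    for line, reason in suspicious(parse(SAMPLE_LOG)):
        print(f"{reason:45s} {line}")
```

The filter only sees the shape of the log: the `O4 - HKCU\..\Run: [DrvMon.exe]` line passes untouched even though the Kaspersky report later in this thread flags that very file, because the file exists and the entry looks well formed. Orphan hunting finds leftovers; it does not replace a file scan.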
Old 05-14-2007, 01:08 PM   #5
dxerboy - Registered User
Join Date: Dec 2006
Posts: 24
OS: WinXP


Re: Popups - panda says worms & trj

Hi, thanks for all your help--
I did get an error when trying to "fix" what you suggested in HijackThis--I've posted the error message first. Things seem better--I am not currently experiencing any popups even though I've left IE open to "test" for problems. However, as you can see, Kaspersky still found some issues.
Thanks again for your help so far!

Here's the error message from HJT:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.11
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 14, 2007 2:30:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/05/2007
Kaspersky Anti-Virus database records: 320277
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 77802
Number of viruses found: 5
Number of infected objects: 32 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:20:23

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\NRT\LOCALS~1\Temp\tmp2E.tmp.exe Infected: Trojan.Win32.BHO.g skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\svcipa.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NRT\Application Data\Mozilla\Firefox\Profiles\1jxp2nqs.default\cert8.db Object is locked skipped
C:\Documents and Settings\NRT\Application Data\Mozilla\Firefox\Profiles\1jxp2nqs.default\history.dat Object is locked skipped
C:\Documents and Settings\NRT\Application Data\Mozilla\Firefox\Profiles\1jxp2nqs.default\key3.db Object is locked skipped
C:\Documents and Settings\NRT\Application Data\Mozilla\Firefox\Profiles\1jxp2nqs.default\parent.lock Object is locked skipped
C:\Documents and Settings\NRT\Application Data\Mozilla\Firefox\Profiles\1jxp2nqs.default\search.sqlite Object is locked skipped
C:\Documents and Settings\NRT\Application Data\Mozilla\Firefox\Profiles\1jxp2nqs.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\NRT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NRT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NRT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NRT\Local Settings\Application Data\Mozilla\Firefox\Profiles\1jxp2nqs.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\NRT\Local Settings\Application Data\Mozilla\Firefox\Profiles\1jxp2nqs.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\NRT\Local Settings\Application Data\Mozilla\Firefox\Profiles\1jxp2nqs.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\NRT\Local Settings\Application Data\Mozilla\Firefox\Profiles\1jxp2nqs.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\NRT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NRT\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\NRT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NRT\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NRT\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-05-13.22-23-33.log Object is locked skipped
C:\Program Files\CampBrain4\WinVNC\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\Log\CHANNEL.LOG Object is locked skipped
C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\On Screen Display\Hotkey.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\QuickTime\qttask.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lsasss.exe.vir Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP340\A0017260.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP340\A0017261.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP340\A0017262.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP340\A0017263.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP340\A0017264.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP340\A0017265.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP340\A0017266.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP340\A0017267.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP340\A0017269.EXE Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP344\A0017485.EXE Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP359\A0018600.dll Infected: Packed.Win32.Klone.k skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP360\A0018649.exe Infected: Trojan-Downloader.Win32.ConHook.ah skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP387\A0020800.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP387\A0020801.exe Infected: Trojan-Downloader.Win32.ConHook.ah skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP388\A0020879.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP390\A0021076.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{12791FF5-FDFF-47D0-84C2-5AB9EF352A84}\RP391\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Installations\{F7501515-3C78-4F22-9B8B-D4B993A150AE}\CampBrain 4.14.msi/Data1.cab/winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\WINDOWS\Downloaded Installations\{F7501515-3C78-4F22-9B8B-D4B993A150AE}\CampBrain 4.14.msi/Data1.cab Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\WINDOWS\Downloaded Installations\{F7501515-3C78-4F22-9B8B-D4B993A150AE}\CampBrain 4.14.msi Embedded: infected - 2 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bak\lsasss.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5773.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\DrvMon.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hkcmd.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\WINDOWS\system32\igfxtray.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.






Logfile of HijackThis v1.99.1
Scan saved at 3:03:58 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virtual CD v9\System\VC9SecS.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\7196.cfexe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.163.188.39:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [IPO3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [batterymiser] "C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [VC9Player] C:\Program Files\Virtual CD v9\System\VC9Play.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{494EA3C5-064D-455F-B3FE-2521CF5825B7}: NameServer = 192.168.1.1
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v9\System\VC9SecS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Old 05-14-2007, 01:23 PM   #6
sUBs - Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Popups - panda says worms & trj

Please download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe) and save it to your desktop:
Please double-click FindAWF.exe to run it.
If a security alert shows, allow the program to run.
When the tool has completed, a report will open in Notepad.
Please post the results of the awf.txt in your next reply.
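The tool requested above looks for the signature of this infection: the legitimate autorun executable is moved into a `bak` subfolder and a same-named copy of the downloader is written in its place, so every replaced file is the same small binary while the `bak` copy keeps the original size and date. As an added example, not FindAWF and not part of this thread, the script below implements that check: it walks a tree, pairs each file in a `bak` folder with its same-named sibling in the parent folder, hashes both, and clusters the replaced live files by hash. The tree it scans is a constructed fixture mirroring the layout reported in this thread; the file contents are stand-ins, not the real binaries.

```python
"""Detect the 'bak folder' replacement pattern of Trojan-Downloader.Win32.Agent.awf.
Added example; not FindAWF and not part of the forum thread.  The directory
tree, sizes and contents built here are constructed stand-ins."""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_awf(root):
    """Pair every file in a 'bak' folder with the same-named file one level up.
    Returns (pairs, orphans): pairs describe live/backup pairs, orphans are
    bak files with no live counterpart (e.g. lsasss.exe in the report)."""
    pairs, orphans = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            backup = os.path.join(dirpath, name)
            live = os.path.join(parent, name)
            if not os.path.isfile(live):
                orphans.append(backup)
                continue
            live_hash, bak_hash = sha256_of(live), sha256_of(backup)
            pairs.append({
                "live": live, "backup": backup,
                "live_size": os.path.getsize(live),
                "backup_size": os.path.getsize(backup),
                "live_hash": live_hash,
                "replaced": live_hash != bak_hash,   # live copy differs from bak
            })
    return pairs, orphans


def dropper_clusters(pairs):
    """Group replaced live files by hash.  Several differently named autorun
    EXEs sharing one hash is the AWF tell (in the report in this thread every
    replaced file is exactly 37,674 bytes)."""
    clusters = defaultdict(list)
    for p in pairs:
        if p["replaced"]:
            clusters[p["live_hash"]].append(p["live"])
    return {h: sorted(v) for h, v in clusters.items() if len(v) > 1}


def build_sample_tree():
    """Constructed fixture: three swapped autorun EXEs, one orphan bak file,
    one untouched program.  Contents are placeholders, not real binaries."""
    root = tempfile.mkdtemp(prefix="awf_")
    dropper = b"MZ" + b"\x90" * 100          # stand-in for the downloader

    def put(rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    for rel, original in [
        ("Program Files/QuickTime/qttask.exe", b"MZ" + b"Q" * 400),
        ("Program Files/On Screen Display/Hotkey.exe", b"MZ" + b"H" * 300),
        ("WINDOWS/system32/hkcmd.exe", b"MZ" + b"K" * 500),
    ]:
        put(rel, dropper)                      # live copy is now the dropper
        folder, name = rel.rsplit("/", 1)
        put(f"{folder}/bak/{name}", original)  # original moved into bak
    put("WINDOWS/system32/bak/lsasss.exe", b"MZ" + b"L" * 50)   # no live copy
    put("Program Files/Zone Labs/ZoneAlarm/zlclient.exe", b"MZ" + b"Z" * 200)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    pairs, orphans = find_awf(root)
    for p in pairs:
        tag = "REPLACED" if p["replaced"] else "same    "
        print(f"{tag} {p['live']} ({p['live_size']} B) vs bak ({p['backup_size']} B)")
    for h, files in dropper_clusters(pairs).items():
        print(f"{len(files)} live files share hash {h[:12]}...: {files}")
    print("bak files with no live copy:", orphans)
```

The script reports and does not restore. That is deliberate: a `bak` copy is not automatically trustworthy. In the Kaspersky report above, `C:\WINDOWS\system32\bak\lsasss.exe` is itself detected as Agent.awf, and `LXSUPMON.EXE` in the same folder matches the Lexmark copies under `spool\drivers` byte for byte, so each pair needs to be judged before anything is copied back.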
Old 05-14-2007, 02:36 PM   #7
dxerboy - Registered User
Join Date: Dec 2006
Posts: 24
OS: WinXP


Re: Popups - panda says worms & trj

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ONSCRE~1\BAK

01/04/2005 09:17 PM 73,728 Hotkey.exe
1 File(s) 73,728 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

06/15/2004 09:30 AM 53,248 DrvMon.exe
10/08/2004 12:27 PM 126,976 hkcmd.exe
10/08/2004 12:31 PM 155,648 igfxtray.exe
03/21/2007 08:47 AM 37,894 lsasss.exe
01/28/2002 01:48 PM 885,760 LXSUPMON.EXE
5 File(s) 1,259,526 bytes

Directory of C:\PROGRA~1\LGSOFT~1\BATTER~1\BAK

06/02/2005 06:31 PM 335,872 batterymiser.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\LGSOFT~1\IPOPER~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

10/29/2004 02:01 PM 688,218 SynTPEnh.exe
10/29/2004 02:02 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes

Directory of C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK

08/04/2004 08:00 AM 158,208 MSConfig.exe
1 File(s) 158,208 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

37674 Mar 25 2007 "C:\Program Files\On Screen Display\Hotkey.exe"
73728 Jan 4 2005 "C:\Program Files\On Screen Display\bak\Hotkey.exe"
37674 Mar 25 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
37674 Mar 25 2007 "C:\WINDOWS\system32\DrvMon.exe"
53248 Jun 15 2004 "C:\WINDOWS\system32\bak\DrvMon.exe"
37674 Mar 25 2007 "C:\WINDOWS\system32\hkcmd.exe"
126976 Oct 8 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
37674 Mar 25 2007 "C:\WINDOWS\system32\igfxtray.exe"
155648 Oct 8 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
37894 Mar 21 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
885760 Jan 28 2002 "C:\WINDOWS\system32\bak\LXSUPMON.EXE"
885760 Jan 28 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\LXSUPMON.EXE"
885760 Jan 28 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\LXSUPMON.EXE"
885760 Jan 28 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_z25_z7de0\LXSUPMON.EXE"
37674 Mar 25 2007 "C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe"
335872 Jun 2 2005 "C:\Program Files\LG Software\Battery Miser 2005\bak\batterymiser.exe"
37674 Mar 25 2007 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
688218 Oct 29 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Oct 29 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
37674 Mar 25 2007 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98394 Oct 29 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Oct 29 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
158208 Aug 4 2004 "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe"
158208 Aug 4 2004 "C:\WINDOWS\pchealth\helpctr\binaries\bak\MSConfig.exe"


end of report
dxerboy is offline  
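The report above shows the pattern FindAWF is built to surface: the original startup executables have been moved into a bak subdirectory and a same-named file of one fixed size now sits where each of them used to be. As an added example (not FindAWF's own code, which is noahdfear's tool, and not part of sUBs's instructions or dxerboy's post), the script below parses the "Duplicate files of bak directory contents" lines of the posted report, pairs every file inside a bak directory with the file at its original location, and separates replaced files (live size differs from the backup) from bak copies that have no live counterpart and from pairs that still match. The function names and the three-way classification are my own; the embedded input is the report text from the post above, copied in so the script runs offline.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Sample input: the "Duplicate files of bak directory contents" lines copied from the
# FindAWF report posted above, embedded here so the script runs without the report file.
REPORT = r'''
37674 Mar 25 2007 "C:\Program Files\On Screen Display\Hotkey.exe"
73728 Jan 4 2005 "C:\Program Files\On Screen Display\bak\Hotkey.exe"
37674 Mar 25 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
37674 Mar 25 2007 "C:\WINDOWS\system32\DrvMon.exe"
53248 Jun 15 2004 "C:\WINDOWS\system32\bak\DrvMon.exe"
37674 Mar 25 2007 "C:\WINDOWS\system32\hkcmd.exe"
126976 Oct 8 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
37674 Mar 25 2007 "C:\WINDOWS\system32\igfxtray.exe"
155648 Oct 8 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
37894 Mar 21 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
885760 Jan 28 2002 "C:\WINDOWS\system32\bak\LXSUPMON.EXE"
885760 Jan 28 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\LXSUPMON.EXE"
885760 Jan 28 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\LXSUPMON.EXE"
885760 Jan 28 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_z25_z7de0\LXSUPMON.EXE"
37674 Mar 25 2007 "C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe"
335872 Jun 2 2005 "C:\Program Files\LG Software\Battery Miser 2005\bak\batterymiser.exe"
37674 Mar 25 2007 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
688218 Oct 29 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Oct 29 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
37674 Mar 25 2007 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98394 Oct 29 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Oct 29 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
158208 Aug 4 2004 "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe"
158208 Aug 4 2004 "C:\WINDOWS\pchealth\helpctr\binaries\bak\MSConfig.exe"
'''

# One report line: <size> <Mon D YYYY> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_report(text):
    """Return (size, date, path) tuples for every duplicate-files line in the report."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def triage(entries):
    """Pair each file inside a 'bak' directory with the same-named file one level up
    (where the original used to run from) and classify the pair.

    replaced: the live file exists but its size differs from the backup
    orphaned: the backup has no live counterpart in the report at all
    intact:   live file and backup have the same size
    Windows paths are compared case-insensitively (msconfig.exe vs MSConfig.exe)."""
    by_path = {path.lower(): (size, date) for size, date, path in entries}
    replaced, orphaned, intact = [], [], []
    for size, date, path in entries:
        p = PureWindowsPath(path)
        if p.parent.name.lower() != "bak":
            continue
        live = str(p.parent.parent / p.name)
        live_entry = by_path.get(live.lower())
        if live_entry is None:
            orphaned.append(live)
        elif live_entry[0] != size:
            # (live path, live size, live date, original size from the backup)
            replaced.append((live, live_entry[0], live_entry[1], size))
        else:
            intact.append(live)
    return replaced, orphaned, intact


def common_dropper_size(replaced):
    """Every hijacked location gets the same dropped file, so the live copies of the
    replaced files share one size. Return (size, how many live files have it), or None."""
    if not replaced:
        return None
    size, count = Counter(r[1] for r in replaced).most_common(1)[0]
    return size, count


if __name__ == "__main__":
    rep, orph, ok = triage(parse_report(REPORT))
    for live, live_size, live_date, orig_size in rep:
        print(f"REPLACED  {live}  live={live_size} ({live_date})  original={orig_size}")
    for live in orph:
        print(f"NO LIVE COPY  {live}")
    for live in ok:
        print(f"MATCHES BACKUP  {live}")
    print("most common live size among replaced files:", common_dropper_size(rep))
```

Run on the posted report, the script lists eight live files that are all 37,674 bytes and all dated Mar 25 2007 while their backups are larger and older, two backups under system32 (lsasss.exe and LXSUPMON.EXE) with no counterpart at the original location, and one pair (msconfig.exe) whose sizes still match. A size match is only a coarse check; on a live system the next step is to hash the bak copy against a known-good vendor binary before deciding it is safe to restore.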