12-13-2007, 03:57 PM   #1
Registered User
 
Join Date: Dec 2007
Posts: 8
OS: winxp


Mistake IE Malware

Hi,

I am having a problem with IE: every time I start it, it throws the error
"http://r1.automaticavupdate.com/?wmid=12'. Make sure the path or internet address is correct", and every few minutes it's buzzing and looks suspicious to me.

I searched the forum for a similar issue and found that I need to run ComboFix and post the log.

I ran ComboFix but the problem still persists. Here is the output of ComboFix:

HijackThis log
--------------------

ComboFix 07-12-12.3 - mahesh 2007-12-13 14:02:29.1 - NTFSx86
Running from: C:\Documents and Settings\mgundaga\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mahesh\Application Data\hidires
C:\Documents and Settings\Mahesh\Application Data\tmp1EC.tmp.exe
C:\Documents and Settings\mgundaga\Application Data\hidires
C:\Program Files\Outlook Express\vikojido.html
C:\Program Files\poolsv
C:\Program Files\poolsv\is67969.exe
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\SoftPortal
C:\Program Files\SoftPortal\Soft\ATGE\ui.uim
C:\Program Files\SoftPortal\Soft\ATHtBt\ui.uim
C:\Program Files\SoftPortal\Soft\info.txt
C:\Program Files\SoftPortal\Soft\RTNKa\ui.uim
C:\Program Files\SoftPortal\Soft\SProxy\ui.uim
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WA6P
C:\WINDOWS\cookies.ini
C:\WINDOWS\exefld
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\dn7c495583.dat
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\head.exe
C:\WINDOWS\system32\rtnka.dat
C:\WINDOWS\system32\rtnka.dll
C:\WINDOWS\system32\SoUI.dll
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\tmp8B.tmp.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\XPEntertainmentsUninstall.exe
C:\WINDOWS\system32\Y1
C:\WINDOWS\system32\Y2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\FWSvc


((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-11-29 11:19 . 2007-11-29 11:19 <DIR> d-------- C:\Program Files\MSECache
2007-11-16 17:46 . 2007-11-16 17:46 <DIR> d-------- C:\Program Files\WinSCP
2007-11-16 14:01 . 2007-11-16 14:01 <DIR> d-------- C:\Documents and Settings\mgundaga\Application Data\VanDyke
2007-11-16 14:00 . 2007-11-16 14:01 <DIR> d-------- C:\Program Files\SecureCRT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 00:33 --------- d-----w C:\Program Files\CA
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 21:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-12 20:42 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-12 20:21 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-11-07 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\iPass
2007-11-07 17:33 21,393 ----a-w C:\WINDOWS\system32\drivers\iPassP.sys
2007-11-07 03:00 --------- d-----w C:\Program Files\iTunes
2007-11-07 01:48 --------- d-----w C:\Program Files\Visto
2007-11-07 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\ViAir
2007-11-05 18:55 --------- d-----w C:\Documents and Settings\mgundaga\Application Data\Aventail
2007-10-19 05:14 184,080 ----a-w C:\WINDOWS\system32\drivers\ino_fltr.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
C:\WINDOWS\system32\l3acdb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HtBtShell]
@={282E8AE5-A8E3-412D-B40C-F5080832FFE0}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\RTNK.a]
@={75DDDA33-AB99-7627-A1D3-79C28514C738}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SProxy]
@={87206A02-9776-6AD1-C5D3-A1C3CC3D74CB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TSoUIShell]
@={4748B0B3-B964-41C3-AE0A-F1345E0AC3C9}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CLASSES_ROOT\CLSID\{282E8AE5-A8E3-412D-B40C-F5080832FFE0}]
2007-10-09 06:04 1596416 --a------ C:\WINDOWS\system32\HtBt.dll

[HKEY_CLASSES_ROOT\CLSID\{75DDDA33-AB99-7627-A1D3-79C28514C738}]
C:\WINDOWS\system32\\rtnka.dll

[HKEY_CLASSES_ROOT\CLSID\{87206A02-9776-6AD1-C5D3-A1C3CC3D74CB}]
2007-10-14 05:41 2142 --a------ C:\WINDOWS\system32\SProxy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 08:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 07:11]
"CAF_SystemTray"="C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe" [2006-05-03 15:52]
"DsmSxplog"="C:\Program Files\CA\Unicenter DSM\Bin\sxpstub.exe" [2006-05-03 19:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"Realtime Monitor"="C:\Program Files\CA\eTrustITM\realmon.exe" [2005-12-10 00:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 01:04]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 01:03]
"iPassConnect"="C:\Program Files\iPass\iPass Trial Account\iPassConnectGUI.exe" [2007-10-25 10:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-13 20:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-07 17:45]
"DesktopAssistant"="C:\Program Files\Visto\Desktop Assistant\vdac.exe" [2007-10-31 16:32]

C:\Documents and Settings\en42\Start Menu\Programs\Startup\
VirtualExpander.lnk - C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe [2007-06-20 18:34:26]

C:\Documents and Settings\mgundaga\Start Menu\Programs\Startup\
dtNotes.lnk - C:\Program Files\dtNotes 4\dtnotes.exe [2007-01-09 04:44:42]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 09:57:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2005-04-03 13:14:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoHardwareTab"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]
C:\Program Files\CA\Unicenter DSM\Bin\cfwlogon.dll 2006-05-03 15:52 22016 C:\Program Files\CA\Unicenter DSM\bin\cfWlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rcHostExt]
C:\Program Files\CA\Unicenter DSM\Bin\rcLoginExt.dll 2006-05-03 15:54 4608 C:\Program Files\CA\Unicenter DSM\bin\rcLoginExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\mljghij.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-836478959-809369166-3190043198-5710\Scripts\Logon\0\0]
"Script"=Scanjob.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-836478959-809369166-3190043198-5710\Scripts\Logon\1\0]
"Script"=logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-836478959-809369166-3190043198-5710\Scripts\Logon\1\1]
"Script"=drives.bat

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6_check]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS_check]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-11-28 12:52 77824 -ra------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-11-28 12:55 118784 -ra------ C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-11-28 12:55 98304 -ra------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-13 20:30 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
C:\WINDOWS\poolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-10 11:36 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwa6pcw]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\uwa6pcw.exe -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R2 CA eTrust VM Service;CA eTrust VM Service;"C:\Program Files\CA\eTrust\VM Service\CAeVMS.exe"
R2 iPassP;iPass Protocol (IEEE 802.1x) v3.7.4.0;C:\WINDOWS\system32\DRIVERS\iPassP.sys
R2 iPassPeriodicUpdateService;iPassPeriodicUpdateService;"C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateService.exe"
R2 WatchDog;Visto WatchDog;"C:\Program Files\Visto\Desktop Assistant\WatchDog.exe"
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
R3 rcVidCap;rcVidCap;C:\WINDOWS\system32\DRIVERS\rcVidMpt.sys
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
S3 iPassPeriodicUpdateApp;iPassPeriodicUpdateApp;"C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateApp.exe"
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 WatchDogSvc;WatchDogSvc;C:\Program Files\Visto\Desktop Assistant\WatchDog.exe
Start Pending2 caf;CA Unicenter DSM r11 Common Application Framework.;"C:\Program Files\CA\Unicenter DSM\Bin\caf.exe" service
Start Pending2 VDACSvc;Visto Desktop Assistant;C:\Program Files\Visto\Desktop Assistant\vdac.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b320e1d-2049-11dc-a2b6-0016d32abdaf}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 01:38:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-13 18:33:47 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-12 17:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-12 18:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 19:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 20:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 21:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 22:00:00 C:\WINDOWS\Tasks\At15.job"
"2007-12-12 23:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 00:00:01 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe

"2007-12-13 01:00:04 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-12 02:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-11-09 09:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-12 03:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 04:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 05:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-11 06:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 07:00:01 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 18:33:51 C:\WINDOWS\Tasks\At25.job"
"2007-11-09 09:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-11-07 10:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-08-20 10:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-08-20 11:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-11-07 10:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-08-20 12:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-11-04 00:30:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-11-10 15:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-11-10 16:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-12 17:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-12 18:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 19:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 20:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 21:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 22:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-08-20 10:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-12 23:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 00:00:01 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 01:00:05 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-12 02:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-12 03:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 04:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 05:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-11 06:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 07:00:02 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-08-20 11:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-08-20 12:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-11-04 00:30:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-11-10 15:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-11-10 16:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 14:11:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 14:12:40 - machine was rebooted
.
2007-12-12 17:08:13 --- E O F ---



Please help me on this.
maheshgr is offline  
12-14-2007, 01:37 PM   #2
Registered User
 
Join Date: Dec 2007
Posts: 8
OS: winxp


Re: IE Malware please help urgent !!!

Quote:
Originally Posted by maheshgr
Hi,

I am having a problem with IE: every time I start it, it throws the error
"http://r1.automaticavupdate.com/?wmid=12'. Make sure the path or internet address is correct", and every few minutes it's buzzing and looks suspicious to me.

I searched the forum for a similar issue and found that I need to run ComboFix and post the log.

I ran ComboFix but the problem still persists. Here is the output of ComboFix:

hijack this log
--------------------

ComboFix 07-12-12.3 - mahesh 2007-12-13 14:02:29.1 - NTFSx86
Running from: C:\Documents and Settings\mgundaga\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mahesh\Application Data\hidires
C:\Documents and Settings\Mahesh\Application Data\tmp1EC.tmp.exe
C:\Documents and Settings\mgundaga\Application Data\hidires
C:\Program Files\Outlook Express\vikojido.html
C:\Program Files\poolsv
C:\Program Files\poolsv\is67969.exe
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\SoftPortal
C:\Program Files\SoftPortal\Soft\ATGE\ui.uim
C:\Program Files\SoftPortal\Soft\ATHtBt\ui.uim
C:\Program Files\SoftPortal\Soft\info.txt
C:\Program Files\SoftPortal\Soft\RTNKa\ui.uim
C:\Program Files\SoftPortal\Soft\SProxy\ui.uim
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WA6P
C:\WINDOWS\cookies.ini
C:\WINDOWS\exefld
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\dn7c495583.dat
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\head.exe
C:\WINDOWS\system32\rtnka.dat
C:\WINDOWS\system32\rtnka.dll
C:\WINDOWS\system32\SoUI.dll
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\tmp8B.tmp.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\XPEntertainmentsUninstall.exe
C:\WINDOWS\system32\Y1
C:\WINDOWS\system32\Y2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\FWSvc


((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-11-29 11:19 . 2007-11-29 11:19 <DIR> d-------- C:\Program Files\MSECache
2007-11-16 17:46 . 2007-11-16 17:46 <DIR> d-------- C:\Program Files\WinSCP
2007-11-16 14:01 . 2007-11-16 14:01 <DIR> d-------- C:\Documents and Settings\mgundaga\Application Data\VanDyke
2007-11-16 14:00 . 2007-11-16 14:01 <DIR> d-------- C:\Program Files\SecureCRT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 00:33 --------- d-----w C:\Program Files\CA
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 21:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-12 20:42 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-12 20:21 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-11-07 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\iPass
2007-11-07 17:33 21,393 ----a-w C:\WINDOWS\system32\drivers\iPassP.sys
2007-11-07 03:00 --------- d-----w C:\Program Files\iTunes
2007-11-07 01:48 --------- d-----w C:\Program Files\Visto
2007-11-07 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\ViAir
2007-11-05 18:55 --------- d-----w C:\Documents and Settings\mgundaga\Application Data\Aventail
2007-10-19 05:14 184,080 ----a-w C:\WINDOWS\system32\drivers\ino_fltr.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
C:\WINDOWS\system32\l3acdb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HtBtShell]
@={282E8AE5-A8E3-412D-B40C-F5080832FFE0}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\RTNK.a]
@={75DDDA33-AB99-7627-A1D3-79C28514C738}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SProxy]
@={87206A02-9776-6AD1-C5D3-A1C3CC3D74CB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TSoUIShell]
@={4748B0B3-B964-41C3-AE0A-F1345E0AC3C9}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CLASSES_ROOT\CLSID\{282E8AE5-A8E3-412D-B40C-F5080832FFE0}]
2007-10-09 06:04 1596416 --a------ C:\WINDOWS\system32\HtBt.dll

[HKEY_CLASSES_ROOT\CLSID\{75DDDA33-AB99-7627-A1D3-79C28514C738}]
C:\WINDOWS\system32\\rtnka.dll

[HKEY_CLASSES_ROOT\CLSID\{87206A02-9776-6AD1-C5D3-A1C3CC3D74CB}]
2007-10-14 05:41 2142 --a------ C:\WINDOWS\system32\SProxy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 08:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 07:11]
"CAF_SystemTray"="C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe" [2006-05-03 15:52]
"DsmSxplog"="C:\Program Files\CA\Unicenter DSM\Bin\sxpstub.exe" [2006-05-03 19:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"Realtime Monitor"="C:\Program Files\CA\eTrustITM\realmon.exe" [2005-12-10 00:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 01:04]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 01:03]
"iPassConnect"="C:\Program Files\iPass\iPass Trial Account\iPassConnectGUI.exe" [2007-10-25 10:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-13 20:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-07 17:45]
"DesktopAssistant"="C:\Program Files\Visto\Desktop Assistant\vdac.exe" [2007-10-31 16:32]

C:\Documents and Settings\en42\Start Menu\Programs\Startup\
VirtualExpander.lnk - C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe [2007-06-20 18:34:26]

C:\Documents and Settings\mgundaga\Start Menu\Programs\Startup\
dtNotes.lnk - C:\Program Files\dtNotes 4\dtnotes.exe [2007-01-09 04:44:42]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 09:57:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2005-04-03 13:14:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoHardwareTab"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]
C:\Program Files\CA\Unicenter DSM\Bin\cfwlogon.dll 2006-05-03 15:52 22016 C:\Program Files\CA\Unicenter DSM\bin\cfWlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rcHostExt]
C:\Program Files\CA\Unicenter DSM\Bin\rcLoginExt.dll 2006-05-03 15:54 4608 C:\Program Files\CA\Unicenter DSM\bin\rcLoginExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\mljghij.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-836478959-809369166-3190043198-5710\Scripts\Logon\0\0]
"Script"=Scanjob.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-836478959-809369166-3190043198-5710\Scripts\Logon\1\0]
"Script"=logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-836478959-809369166-3190043198-5710\Scripts\Logon\1\1]
"Script"=drives.bat

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6_check]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS_check]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-11-28 12:52 77824 -ra------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-11-28 12:55 118784 -ra------ C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-11-28 12:55 98304 -ra------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-13 20:30 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
C:\WINDOWS\poolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-10 11:36 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwa6pcw]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\uwa6pcw.exe -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R2 CA eTrust VM Service;CA eTrust VM Service;"C:\Program Files\CA\eTrust\VM Service\CAeVMS.exe"
R2 iPassP;iPass Protocol (IEEE 802.1x) v3.7.4.0;C:\WINDOWS\system32\DRIVERS\iPassP.sys
R2 iPassPeriodicUpdateService;iPassPeriodicUpdateService;"C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateService.exe"
R2 WatchDog;Visto WatchDog;"C:\Program Files\Visto\Desktop Assistant\WatchDog.exe"
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
R3 rcVidCap;rcVidCap;C:\WINDOWS\system32\DRIVERS\rcVidMpt.sys
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
S3 iPassPeriodicUpdateApp;iPassPeriodicUpdateApp;"C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateApp.exe"
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 WatchDogSvc;WatchDogSvc;C:\Program Files\Visto\Desktop Assistant\WatchDog.exe
Start Pending2 caf;CA Unicenter DSM r11 Common Application Framework.;"C:\Program Files\CA\Unicenter DSM\Bin\caf.exe" service
Start Pending2 VDACSvc;Visto Desktop Assistant;C:\Program Files\Visto\Desktop Assistant\vdac.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b320e1d-2049-11dc-a2b6-0016d32abdaf}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 01:38:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-13 18:33:47 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-12 17:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-12 18:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 19:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 20:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 21:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 22:00:00 C:\WINDOWS\Tasks\At15.job"
"2007-12-12 23:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 00:00:01 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 01:00:04 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-12 02:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-11-09 09:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-12 03:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 04:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 05:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-11 06:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 07:00:01 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-13 18:33:51 C:\WINDOWS\Tasks\At25.job"
"2007-11-09 09:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-11-07 10:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-08-20 10:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-08-20 11:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-11-07 10:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-08-20 12:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-11-04 00:30:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-11-10 15:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-11-10 16:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-12 17:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-12 18:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 19:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 20:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 21:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 22:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-08-20 10:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-12-12 23:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 00:00:01 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 01:00:05 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-12 02:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-12 03:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 04:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 05:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-11 06:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-12-13 07:00:02 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\13k1sk1m.exe
"2007-08-20 11:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-08-20 12:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-11-04 00:30:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-11-10 15:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
"2007-11-10 16:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\0c2mdJjQ.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 14:11:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 14:12:40 - machine was rebooted
.
2007-12-12 17:08:13 --- E O F ---



please help me on this.
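The ComboFix listing above ends with 48 At*.job tasks (the naming at.exe uses when a job is created from the command line), and all of them launch one of two executables with generated-looking names in system32, 0c2mdJjQ.exe and 13k1sk1m.exe, scheduled hourly so the program comes back whatever gets killed. The script below is an added example for this thread, not ComboFix code and not anything the thread participants posted: it parses the 'Scheduled Tasks' section, groups At*.job entries by the command they run, and reports commands that many jobs share or whose file name looks generated. The sample input is a constructed subset of the lines in the log above; the "random-looking name" rule and the threshold of three jobs are this example's assumptions, not ComboFix rules.

```python
"""Flag scheduled-task spraying in a ComboFix 'Scheduled Tasks' listing.

Added example for this thread, not ComboFix code. The sample lines are copied
from the log posted above; the heuristics are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the posted listing (the full log had 48 At*.job entries).
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder
"2007-12-13 01:38:02 C:\\WINDOWS\\Tasks\\AppleSoftwareUpdate.job"
- C:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe
"2007-12-13 18:33:47 C:\\WINDOWS\\Tasks\\At1.job"
- C:\\WINDOWS\\system32\\0c2mdJjQ.exe
"2007-12-12 17:00:00 C:\\WINDOWS\\Tasks\\At10.job"
- C:\\WINDOWS\\system32\\0c2mdJjQ.exe
"2007-12-12 18:00:00 C:\\WINDOWS\\Tasks\\At11.job"
- C:\\WINDOWS\\system32\\0c2mdJjQ.exe
"2007-12-13 22:00:00 C:\\WINDOWS\\Tasks\\At15.job"
"2007-11-09 09:00:00 C:\\WINDOWS\\Tasks\\At26.job"
- C:\\WINDOWS\\system32\\13k1sk1m.exe
"2007-11-07 10:00:00 C:\\WINDOWS\\Tasks\\At27.job"
- C:\\WINDOWS\\system32\\13k1sk1m.exe
.
"""

JOB_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$')
TARGET_RE = re.compile(r'^- (.+)$')
# at.exe names its jobs At<n>.job; installers almost never do.
AT_JOB_RE = re.compile(r'\\At\d+\.job$', re.IGNORECASE)
# A bare executable sitting directly in C:\WINDOWS or C:\WINDOWS\system32.
SYSTEM_DIR_RE = re.compile(r'^C:\\WINDOWS(\\system32)?\\[^\\]+$', re.IGNORECASE)


def parse_tasks(text):
    """Return [(job_path, target_or_None)] for each job line in the section."""
    tasks = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = JOB_RE.match(lines[i])
        if m:
            target = None
            # ComboFix prints the job's command on the next line, prefixed "- ";
            # a job with no readable command (At15 above) has no such line.
            if i + 1 < len(lines):
                t = TARGET_RE.match(lines[i + 1])
                if t:
                    target = t.group(1)
                    i += 1
            tasks.append((m.group(2), target))
        i += 1
    return tasks


def looks_random(path):
    """Heuristic (assumption): 6-10 alphanumerics mixing letters and digits,
    placed directly in the Windows or system32 directory, e.g. 0c2mdJjQ.exe."""
    if not SYSTEM_DIR_RE.match(path):
        return False
    stem = re.sub(r'\.exe$', '', path.rsplit('\\', 1)[-1], flags=re.IGNORECASE)
    return (re.fullmatch(r'[A-Za-z0-9]{6,10}', stem) is not None
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def find_suspicious(text, min_jobs=3):
    """Group At*.job tasks by command and return {target: (jobs, reasons)}
    for targets hit by >= min_jobs jobs or with a random-looking name."""
    by_target = defaultdict(list)
    for job, target in parse_tasks(text):
        if AT_JOB_RE.search(job):
            by_target[target or '<no command>'].append(job)
    findings = {}
    for target, jobs in by_target.items():
        reasons = []
        if len(jobs) >= min_jobs:
            reasons.append(f'{len(jobs)} At*.job tasks launch the same command')
        if target != '<no command>' and looks_random(target):
            reasons.append('random-looking executable name in a Windows system directory')
        if reasons:
            findings[target] = (sorted(jobs), reasons)
    return findings


if __name__ == '__main__':
    for target, (jobs, reasons) in find_suspicious(SAMPLE_LOG).items():
        print(target)
        for reason in reasons:
            print('  -', reason)
        print('  jobs:', ', '.join(j.rsplit('\\', 1)[-1] for j in jobs))
```

Run against the full listing, every one of the 48 jobs lands in one of the two groups; the Apple updater job is ignored because it is not an At*.job. The point of grouping by command rather than listing jobs is that deleting the .job files alone is not a fix: the two executables and whatever created the jobs need to go too, or the schedule is simply recreated.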
Old 12-17-2007, 04:04 AM   #3 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 3,045
OS: XP


Re: IE Malware

Hi, sorry for the delay.

If you still need help,

Please click Here to download HijackThis to your desktop.

Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.

It will be installed by default here: C:\Program Files\Trend Micro\HijackThis

A shortcut to the application will also be placed on your Desktop.

The program will open automatically after installation.

You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Click on "Do a system scan and save logfile". When the log pops up in Notepad, copy and paste that file back here.
__________________
Proud member of UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 12-17-2007, 12:57 PM   #4 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 8
OS: winxp


Re: IE Malware

Thanks for the reply. Here is the HijackThis log file. Please help, as I still have problems with my IE.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust\VM Service\CAeVMS.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrustITM\eaps.exe
C:\Program Files\Visto\Desktop Assistant\WatchDog.exe
C:\Program Files\CA\Unicenter DSM\Bin\caf.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccnfagent.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\Unicenter DSM\Bin\rcHost.exe
C:\Program Files\CA\Unicenter DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfftplugin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\Unicenter DSM\Bin\sxplog32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\dtNotes 4\dtnotes.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\iPass\iPass Trial Account\iPassConnectGUI.exe
C:\Program Files\iPass\iPass Trial Account\iPassConnectEngine.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPass\iPass Trial Account\downloader\iPCCheck.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...3&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.corio.com;170.225.43.0;170.225.44.0;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb.dll (file missing)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe"
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\Unicenter DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iPassConnect] "C:\Program Files\iPass\iPass Trial Account\iPassConnectGUI.exe" /S
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DesktopAssistant] C:\Program Files\Visto\Desktop Assistant\vdac.exe" /client /tray
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-746137067-57989841-839522115-14104\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart (User '?')
O4 - HKUS\S-1-5-21-746137067-57989841-839522115-14104\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-746137067-57989841-839522115-14104\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-746137067-57989841-839522115-14104\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User '?')
O4 - HKUS\S-1-5-21-746137067-57989841-839522115-14104\..\Run: [World Clocks Wallpaper] C:\Program Files\WorldClocksWallpaper\WorldClocksWallpaper.exe (User '?')
O4 - HKUS\S-1-5-21-746137067-57989841-839522115-14104\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-746137067-57989841-839522115-14104\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-746137067-57989841-839522115-9706\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-836478959-809369166-3190043198-2293\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'mkumar')
O4 - S-1-5-21-746137067-57989841-839522115-14104 Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe (User '?')
O4 - S-1-5-21-746137067-57989841-839522115-14104 Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe (User '?')
O4 - Startup: dtNotes.lnk = C:\Program Files\dtNotes 4\dtnotes.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...?noreloadredir
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://www-1.ibm.com/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/21.13/uploader2.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://220.227.123.11/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188993175703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194465629455
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = US.TESCO.ORG
O17 - HKLM\Software\..\Telephony: DomainName = US.TESCO.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = US.TESCO.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = in.tesco.org,tsl
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.85
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = in.tesco.org,tsl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.85
O20 - AppInit_DLLs: c:\windows\system32\mljghij.dll
O20 - Winlogon Notify: CAF - C:\Program Files\CA\Unicenter DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\Unicenter DSM\Bin\rcLoginExt.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA eTrust VM Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\VM Service\CAeVMS.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: CA Unicenter DSM r11 Common Application Framework. (caf) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter DSM\Bin\caf.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPass Trial Account\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Visto Desktop Assistant (VDACSvc) - Visto Corporation, Inc. - C:\Program Files\Visto\Desktop Assistant\vdac.exe
O23 - Service: Visto WatchDog (WatchDog) - Visto Corp. - C:\Program Files\Visto\Desktop Assistant\WatchDog.exe
O23 - Service: WatchDogSvc - Visto Corp. - C:\Program Files\Visto\Desktop Assistant\WatchDog.exe

--
End of file - 13420 bytes
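Three kinds of line in the 12-17 log above are the ones a helper acts on: the O17 NameServer entries that point both the current control set and the last-known-good one at 85.255.113.106 and 85.255.112.85 (a machine joined to US.TESCO.ORG gets its resolvers from the corporate network, and a public resolver the user never set is how every lookup gets redirected), the O20 AppInit_DLLs entry mljghij.dll, which Windows loads into every process that links user32.dll, and the unnamed O2 BHO whose DLL is already missing. The script below is an added example for this thread, not HijackThis code and not anything the participants posted: it parses those three line types and reports them. The sample lines are copied from the log above; the allowlist of corporate resolvers (170.225.43.1) is a placeholder assumption, and so is the public-versus-private rule.

```python
"""Triage HijackThis O2/O17/O20 lines for DNS hijack and injection persistence.

Added example for this thread, not HijackThis code. Sample lines are copied
from the 2007-12-17 log above; the resolver allowlist is a placeholder.
"""
import ipaddress
import re

# Placeholder (assumption): resolvers the corporate network is known to hand out.
# Take the real list from the DHCP lease or the network team, not from the log.
TRUSTED_DNS = frozenset({'170.225.43.1'})

# Constructed sample: lines copied from the posted log.
SAMPLE_HJT = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\\WINDOWS\\system32\\l3acdb.dll (file missing)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = US.TESCO.ORG
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.106 85.255.112.85
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.106 85.255.112.85
O20 - AppInit_DLLs: c:\\windows\\system32\\mljghij.dll
O20 - Winlogon Notify: CAF - C:\\Program Files\\CA\\Unicenter DSM\\Bin\\cfwlogon.dll
"""

NAMESERVER_RE = re.compile(r'^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - '
                    r'(?P<path>.+?)(?P<missing> \(file missing\))?$')


def untrusted_resolvers(line, trusted=TRUSTED_DNS):
    """Resolvers on an O17 NameServer line that are public and not allowlisted.
    A domain-joined PC gets its resolvers from the corporate network, so a
    public address the user never configured is the hijack signal."""
    m = NAMESERVER_RE.match(line)
    if not m:
        return []
    bad = []
    for server in re.split(r'[ ,]+', m.group('servers').strip()):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            bad.append(server)  # not an IP at all; look at it anyway
            continue
        if server not in trusted and not addr.is_private:
            bad.append(server)
    return bad


def appinit_dlls(line):
    """DLLs named on an O20 AppInit_DLLs line. Windows loads each of them into
    every process that links user32.dll, so any entry deserves a look."""
    m = APPINIT_RE.match(line)
    if not m:
        return []
    return [d for d in re.split(r'[ ,;]+', m.group('dlls').strip()) if d]


def orphaned_bho(line):
    """Path of an unnamed BHO whose DLL is gone (a leftover registration to
    remove), or None for anything else."""
    m = BHO_RE.match(line)
    if m and m.group('name') == '(no name)' and m.group('missing'):
        return m.group('path')
    return None


def triage(text, trusted=TRUSTED_DNS):
    """Run all three checks over a log; return [(section, reason)] in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        for server in untrusted_resolvers(line, trusted):
            findings.append(('O17', f'NameServer {server} is a public resolver not in the allowlist'))
        for dll in appinit_dlls(line):
            findings.append(('O20', f'AppInit_DLLs injects {dll} into every user32-linked process'))
        path = orphaned_bho(line)
        if path:
            findings.append(('O2', f'unnamed BHO registered for missing file {path}'))
    return findings


if __name__ == '__main__':
    for section, reason in triage(SAMPLE_HJT):
        print(f'{section}: {reason}')
```

Running the same checks over the log posted the next day, after FixWareout, shows what the tool changed: the O17 NameServer lines are gone, while the O20 AppInit_DLLs entry for mljghij.dll and the orphaned O2 BHO are still there, which is why the helper asks for a fresh ComboFix run rather than calling it done. The Winlogon Notify line is deliberately not flagged here; that package is the CA management agent seen throughout the process list.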
Old 12-18-2007, 01:23 AM   #5 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 3,045
OS: XP


Re: IE Malware

Hi,

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Note: If you have Internet connection problems, find and double-click the registry file dnsbak.reg located here: C:\Fixwareout\dnsbak.reg
and if you did, be sure to mention it to your helper.

Next: a text file will open. Please post its contents for your forum helper.
Click OK to continue.
______

Please download SafeBootKeyRepair

Save it to your desktop.

Double click to run it then post the log it produces.
______

Delete your copy of combofix.exe.

Download combofix.exe
  • Save it to your desktop.
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note:
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • Do not post the ComboFix-quarantined-files.txt - unless I ask you to.
  • If your Antivirus software is detecting combofix or a part of it as a virus, please choose to ignore it, as Antivirus products cannot determine the good/bad use of some software embedded in combofix.
______

HJT Uninstall list
  • Open HijackThis > Click "Misc Tools Section"
  • Click "Open Uninstall Manager".
  • Click "Save List".
  • Save it to your Desktop.
  • Copy the contents of the file to your next reply.
______

On your next reply, please include a
  • Fresh HijackThis log.
  • combofix log
  • HJT uninstall list
  • fixwareout log
  • safebootkeyrepair log

Last edited by Angelfire777 : 12-18-2007 at 01:26 AM.
Old 12-18-2007, 07:58 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 8
OS: winxp


Re: IE Malware

On your next reply, please include a

1 * Fresh HijackThis log.
2 * combofix log
3 * HJT uninstall list
4 * fixwareout log
5 * safebootkeyrepair log

__________________
Angelfire777

Hi,
Thanks for your reply. Here is the info you asked for.

1. New Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07, on 2007-12-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust\VM Service\CAeVMS.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\eaps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\Unicenter DSM\Bin\caf.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\Unicenter DSM\Bin\sxplog32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\dtNotes 4\dtnotes.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccnfagent.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\Unicenter DSM\Bin\rcHost.exe
C:\Program Files\CA\Unicenter DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfftplugin.exe
C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...3&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.corio.com;170.225.43.0;170.225.44.0;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb.dll (file missing)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe"
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\Unicenter DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iPassConnect] "C:\Program Files\iPass\iPass Trial Account\iPassConnectGUI.exe" /S
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: dtNotes.lnk = C:\Program Files\dtNotes 4\dtnotes.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...?noreloadredir
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://www-1.ibm.com/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/21.13/uploader2.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://220.227.123.11/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188993175703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194465629455
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = US.TESCO.ORG
O17 - HKLM\Software\..\Telephony: DomainName = US.TESCO.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = US.TESCO.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = in.tesco.org,tsl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = in.tesco.org,tsl
O20 - AppInit_DLLs: c:\windows\system32\mljghij.dll
O20 - Winlogon Notify: CAF - C:\Program Files\CA\Unicenter DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\Unicenter DSM\Bin\rcLoginExt.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA eTrust VM Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\VM Service\CAeVMS.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: CA Unicenter DSM r11 Common Application Framework. (caf) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter DSM\Bin\caf.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPass Trial Account\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Visto WatchDog (WatchDog) - Unknown owner - C:\Program Files\Visto\Desktop Assistant\WatchDog.exe (file missing)

--
End of file - 10480 bytes


2. New Combofix log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07, on 2007-12-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust\VM Service\CAeVMS.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\eaps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\Unicenter DSM\Bin\caf.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\Unicenter DSM\Bin\sxplog32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\dtNotes 4\dtnotes.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccnfagent.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\Unicenter DSM\Bin\rcHost.exe
C:\Program Files\CA\Unicenter DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfftplugin.exe
C:\Program Files\iPass\iPass Trial Account\iPassPeriodicUpdateApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...3&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.corio.com;170.225.43.0;170.225.44.0;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb.dll (file missing)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe"
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\Unicenter DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iPassConnect] "C:\Program Files\iPass\iPass Trial Account\iPassConnectGUI.exe" /S
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iT