|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
06-02-2007, 05:26 AM
|
#1 (permalink) |
|
Registered User
Join Date: Jun 2007
Posts: 23
OS: Win XP Pro
|
Pop ups, software loading, New Malware.aj
Hello:
While using IE, I am plauged by periodic constant pop-ups, attempted software downloads and secirity setting changes to IE, specifically to my cookie handling which keeps getting changed to accept all. When I run a manual scan using McAfee VS, I get a number of cookies that are removed as well as a "tmp80.tmp.exe" and "tmp98.tmp.exe" files in my c:\Documents and Settings\"user name"\Application Data folder. The number in the "tmp" file name is always different, and sometimes there are more than one. McAfee labels the files as Trojan New Malware.aj I have followed all instructions in the 5 step process with the exception of the Panda online scan. It will not execute (I get to the point where I select "My Computer" and the scan says it is not able to run and to try again). Deckard's System Scanner v20070426.43 Run by Mark L. VanRotz on 2007-06-01 at 23:53:53 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 3 Restore Point(s) -- 3: 2007-06-02 03:54:07 UTC - RP1468 - Deckard's System Scanner Restore Point 2: 2007-06-01 21:25:03 UTC - RP1467 - Removed Java 2 Runtime Environment, SE v1.4.1_03 1: 2007-05-29 23:09:41 UTC - RP1466 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Mark L. VanRotz.exe) ------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 12:01:06 AM, on 6/2/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\Lexmark 7100 Series\lxbxmon.exe C:\Program Files\Lexmark 7100 Series\ezprint.exe D:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\Program Files\SiteAdvisor\6066\SiteAdv.exe D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe D:\Program Files\Palm\HOTSYNC.EXE C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\SiteAdvisor\6066\SAService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\lxbxcoms.exe D:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Mark L. VanRotz\Desktop\dss.exe C:\WINDOWS\system32\msiexec.exe C:\PROGRA~1\HIJACK~1\Mark L. VanRotz.exe C:\WINDOWS\system32\taskmgr.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/My%20Documents/WebPage/Firehawk/index2.htm O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll O2 - BHO: (no name) - {d48e3756-0a61-4bd2-af6f-a60b584ed98c} - C:\WINDOWS\system32\icfDDC.dll O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINDOWS\system32\tmp9B.tmp.dll O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe" O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\byywus.dll",realset O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - HKCU\..\Run: [ATI Scheduler] D:\Program Files\ATI Multimedia\main\ATISched.EXE O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - Startup: HOTSYNC.lnk = D:\Program Files\Palm\HOTSYNC.EXE O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab O16 - DPF: {F5932B1A-DC5A-4408-956D-B1CAD89F2ACC} - https://www.gleim.com/data/tp4/webdeploy/webinstall.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7744BCD8-D8E6-467F-B3BE-F8A7ED7CE765}: NameServer = 192.168.1.1 O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O20 - AppInit_DLLs: c:\windows\system32\mljjjgf.dll O20 - Winlogon Notify: blasdes - C:\WINDOWS\SYSTEM32\blasdes.dll O20 - Winlogon Notify: dplrls - C:\WINDOWS\SYSTEM32\dplrls.dll O20 - Winlogon Notify: icfDDC - C:\WINDOWS\SYSTEM32\icfDDC.dll O20 - Winlogon Notify: iprkup - C:\WINDOWS\SYSTEM32\iprkup.dll O20 - Winlogon Notify: lxbsic - C:\WINDOWS\SYSTEM32\lxbsic.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver> R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver> R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product> R3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client> S2 IPSECEXT (Nortel Extranet Access Protocol) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client> S3 IPFilter (Microsoft IntelliPoint Features driver) - c:\windows\system32\drivers\ipfilter.sys <Not Verified; Microsoft Corporation; Microsoft IntelliPoint> S3 nuvaudio (NUVision Audio Service) - c:\windows\system32\drivers\nuvaudio.sys <Not Verified; Zoran Ltd.; USBVision> S3 NUVision (%ServiceDescription%) - c:\windows\system32\drivers\nuvision.sys <Not Verified; Zoran Ltd.; USBVision> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- S3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> S3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> S4 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; > -- Scheduled Tasks ------------------------------------------------------------- 2007-05-24 22:50:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job 2007-03-15 01:01:04 284 --a------ C:\WINDOWS\Tasks\McDefragTask.job 2007-03-01 02:03:44 376 --a------ C:\WINDOWS\Tasks\McQcTask.job -- Files created between 2007-05-02 and 2007-06-02 ----------------------------- 2007-06-01 23:33:41 0 d-------- C:\ie-spyad 2007-06-01 23:23:45 106623 --a------ C:\WINDOWS\byywus.dll 2007-06-01 23:10:49 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-06-01 23:10:46 0 d-------- C:\WINDOWS\LastGood 2007-06-01 18:21:14 37411 --a------ C:\WINDOWS\system32\icfDDC.dll 2007-06-01 18:21:10 47916 --a------ C:\WINDOWS\system32\ssqpp.exe 2007-06-01 18:16:11 37411 --a------ C:\WINDOWS\system32\lxbsic.dll 2007-06-01 18:16:03 47916 --a------ C:\WINDOWS\system32\jkkll.exe 2007-06-01 18:11:01 37411 --a------ C:\WINDOWS\system32\dplrls.dll 2007-06-01 18:10:53 47916 --a------ C:\WINDOWS\system32\ssqpo.exe 2007-06-01 17:59:09 37497 --a------ C:\WINDOWS\system32\blasdes.dll 2007-06-01 17:59:02 47857 --a------ C:\WINDOWS\system32\awtqp.exe 2007-06-01 17:21:25 0 d-------- C:\VundoFix Backups 2007-05-30 05:53:36 552 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-05-29 23:15:23 106579 --a------ C:\WINDOWS\pmlklk.dll 2007-05-29 10:20:59 37510 --a------ C:\WINDOWS\system32\iprkup.dll 2007-05-29 10:20:54 47902 --a------ C:\WINDOWS\system32\gebyv.exe 2007-05-29 10:18:22 12494 --a------ C:\WINDOWS\system32\jkhffcd.dll 2007-05-29 10:15:52 12494 --a------ C:\WINDOWS\system32\mljjjgf.dll 2007-05-22 22:05:44 0 dr-h----- C:\Documents and Settings\Mark L. VanRotz\Recent 2007-05-09 06:14:31 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 -- Find3M Report --------------------------------------------------------------- 2007-06-01 23:23:48 2560 --a------ C:\Documents and Settings\Mark L. VanRotz\Application Data\tmp9E.tmp.exe 2007-06-01 23:23:39 17010 --a------ C:\Documents and Settings\Mark L. VanRotz\Application Data\tmp9C.tmp.exe 2007-06-01 23:23:37 50970 --a------ C:\Documents and Settings\Mark L. VanRotz\Application Data\tmp9B.tmp.exe 2007-06-01 23:16:34 50970 --a------ C:\Documents and Settings\Mark L. VanRotz\Application Data\tmp80.tmp.exe 2007-06-01 17:25:11 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-05-29 23:11:04 0 d-------- C:\Program Files\DeltaFlights 2007-05-29 22:40:05 0 d-------- C:\Program Files\WebIQ 2007-05-29 22:38:00 0 d--h----- C:\Documents and Settings\Mark L. VanRotz\Application Data\Move Networks 2007-05-28 21:39:54 0 d-------- C:\Program Files\Lx_cats 2007-05-20 22:15:47 0 d-------- C:\Program Files\McAfee 2007-05-09 06:19:11 0 d-------- C:\Documents and Settings\Mark L. VanRotz\Application Data\SiteAdvisor 2007-05-07 08:13:37 0 d-------- C:\Program Files\Common Files\AOL 2007-04-15 12:09:24 0 d-------- C:\Program Files\SiteAdvisor 2007-04-10 14:53:37 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat 2007-03-05 22:16:06 1901 --a------ C:\WINDOWS\panose.bin -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {089FD14D-132B-48FC-8861-0048AE113215} C:\Program Files\SiteAdvisor\6066\SiteAdv.dll {7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll {d48e3756-0a61-4bd2-af6f-a60b584ed98c} C:\WINDOWS\system32\icfDDC.dll {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} C:\WINDOWS\system32\tmp9B.tmp.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime" "type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\"" "IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\"" "LXBXCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBXtime.dll,_RunDLLEntry@16" "lxbxmon.exe"="\"C:\\Program Files\\Lexmark 7100 Series\\lxbxmon.exe\"" "FaxCenterServer4_in_1"="\"C:\\Program Files\\Lexmark 7100 Series\\fm3032.exe\" /s" "EzPrint"="\"C:\\Program Files\\Lexmark 7100 Series\\ezprint.exe\"" "iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\"" "SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6066\\SiteAdv.exe" "ZoneAlarm Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\"" "!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" "setup"="rundll32.exe \"C:\\WINDOWS\\byywus.dll\",realset" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "PopUpStopperFreeEdition"="\"D:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\"" "ATI Scheduler"="D:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE" "ATI Launchpad"="\"D:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\"" "ATI DeviceDetect"="D:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE" [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] @="" "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\blasdes HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dplrls HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\icfDDC HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iprkup HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lxbsic [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "appinit_dlls"="c:\windows\system32\mljjjgf.dll" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Acrobat Assistant 7.0"="\"D:\\Program Files\\Adobe\\Acrobat\\Distillr\\Acrotray.exe\"" "ISUSPM Startup"="\"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup" "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start" "RoxioDragToDisc"="\"D:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\"" "SM1BG"="C:\\WINDOWS\\SM1BG.EXE" "RecordPadRun"="\"C:\\Program Files\\NCH Swift Sound\\RecordPad\\recordpad.exe\" -logon" "QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "HostManager"="C:\\Program Files\\Common Files\\AOL\\1170699226\\ee\\AOLSoftware.exe" "setup"="rundll32.exe \"C:\\WINDOWS\\pmlklk.dll\",realset" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="D:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] "backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe " "item"="QuickBooks Update Agent" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="launchpd" "hkey"="HKCU" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="BCMSMMSG" "hkey"="HKLM" "command"="BCMSMMSG.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Money Express" "hkey"="HKCU" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\websx] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="int280817" "hkey"="HKLM" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Winampa" "hkey"="HKLM" "command"="\"d:\\Program Files\\Winamp\\Winampa.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 -- End of Deckard's System Scanner: finished at 2007-06-02 at 00:02:27 --------- |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
06-06-2007, 09:33 PM
|
#3 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home
|
Re: Pop ups, software loading, New Malware.aj
Do not mouseclick combofix's window whilst it's running. That may cause it to stall ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you.  Microsoft MVP - Consumer Security 2009
|
|
|
|
|
06-07-2007, 05:03 AM
|
#4 (permalink) |
|
Registered User
Join Date: Jun 2007
Posts: 23
OS: Win XP Pro
|
Re: Pop ups, software loading, New Malware.aj
Thank you. Unfortunately, I just left town till saturday night. I will do this when I return home.
When asking for a "HijackThis log" are you asking for a DSS log? |
|
|
|
|
06-07-2007, 08:08 AM
|
#5 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home
|
Re: Pop ups, software loading, New Malware.aj
Hi -
No, I just want you to run HijackThis.exe this time, save it's log, and post that. DSS should have placed a shortcut to HijackThis.exe on your desktop. The executable should be located here, if you don't have the shortcut: C:\Program Files\HijackThis
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
06-09-2007, 08:47 PM
|
#6 (permalink) |
|
Registered User
Join Date: Jun 2007
Posts: 23
OS: Win XP Pro
|
Re: Pop ups, software loading, New Malware.aj
Files below, as requested:
In addition, I've gotten some mcafee warnings about "vundo.dll" as well as warnings about those tmp files in my c:\Documents and Settings\"user name"\Application Data folder, calling them "Trojan.Agent.agv" Thanks. ComboFix 07-06-09.5 - C:\Documents and Settings\Mark L. VanRotz\Desktop\ComboFix.exe "Mark L. VanRotz" - 2007-06-09 22:26:32 - Service Pack 2 NTFS (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\byywus.dll C:\WINDOWS\suwyyb.ini C:\WINDOWS\system32\icfDDC.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\install.log C:\WINDOWS\DOWNLO~1.\Temp C:\WINDOWS\system32\tmp182.tmp.dll C:\WINDOWS\system32\tmp199.tmp.dll C:\WINDOWS\system32\tmp79.tmp.dll C:\WINDOWS\system32\tmp80.tmp.dll C:\WINDOWS\system32\tmp90.tmp.dll C:\WINDOWS\system32\tmp9B.tmp.dll ((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 ))))))))))))))))))))))))))))))) 2007-06-09 22:25 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-04 06:10 17,010 --a------ C:\DOCUME~1\MARKL~1.VAN\APPLIC~1\tmp7A.tmp.exe 2007-06-04 06:09 50,970 --a------ C:\DOCUME~1\MARKL~1.VAN\APPLIC~1\tmp79.tmp.exe 2007-06-02 08:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sophos 2007-06-02 08:05 <DIR> d-------- C:\savxpsa 2007-06-01 23:53 <DIR> d-------- C:\Deckard 2007-06-01 23:33 <DIR> d-------- C:\ie-spyad 2007-06-01 23:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-06-01 18:21 47,916 --a------ C:\WINDOWS\system32\ssqpp.exe 2007-06-01 18:16 47,916 --a------ C:\WINDOWS\system32\jkkll.exe 2007-06-01 18:16 37,411 --a------ C:\WINDOWS\system32\lxbsic.dll 2007-06-01 18:11 37,411 --a------ C:\WINDOWS\system32\dplrls.dll 2007-06-01 18:10 47,916 --a------ C:\WINDOWS\system32\ssqpo.exe 2007-06-01 17:59 47,857 --a------ C:\WINDOWS\system32\awtqp.exe 2007-06-01 17:59 37,497 --a------ C:\WINDOWS\system32\blasdes.dll 2007-06-01 17:21 <DIR> d-------- C:\VundoFix Backups 2007-05-30 05:53 552 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-05-30 05:26 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-05-29 10:20 47,902 --a------ C:\WINDOWS\system32\gebyv.exe 2007-05-29 10:20 37,510 --a------ C:\WINDOWS\system32\iprkup.dll 2007-05-29 10:18 12,494 --a------ C:\WINDOWS\system32\jkhffcd.dll 2007-05-29 10:15 12,494 --a------ C:\WINDOWS\system32\mljjjgf.dll 2007-05-09 06:14 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-04 00:39:03 -------- d-----w C:\Program Files\DeltaFlights 2007-06-03 23:45:38 -------- d-----w C:\Program Files\Lx_cats 2007-06-01 21:25:11 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-05-30 02:40:05 -------- d-----w C:\Program Files\WebIQ 2007-05-30 02:38:00 -------- d--h--w C:\DOCUME~1\MARKL~1.VAN\APPLIC~1\Move Networks 2007-05-21 02:15:47 -------- d-----w C:\Program Files\McAfee 2007-05-09 10:19:11 -------- d-----w C:\DOCUME~1\MARKL~1.VAN\APPLIC~1\SiteAdvisor 2007-05-07 12:13:37 -------- d-----w C:\Program Files\Common Files\AOL 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-15 16:09:24 -------- d-----w C:\Program Files\SiteAdvisor 2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll 2007-04-13 17:30:43 33,592 ----a-w C:\WINDOWS\system32\drivers\atwpkt264.sys 2007-04-13 17:30:39 25,136 ----a-w C:\WINDOWS\system32\drivers\atwpkt2.sys 2007-04-10 18:53:37 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat 2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 11:41] {277c8284-3853-449b-99ec-c3bea19effe3}=C:\WINDOWS\system32\ciadqic.dll [2007-06-09 22:33] {7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll [2006-12-22 16:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 08:15] "!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-09-29 11:37] "type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 05:24] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 05:21] "lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 05:43] "FaxCenterServer4_in_1"="C:\Program Files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 11:53] "EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 09:24] "iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-01-17 15:24] "ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PopUpStopperFreeEdition"="D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 10:40] "ATI Scheduler"="D:\Program Files\ATI Multimedia\main\ATISched.EXE" [2006-10-31 22:25] "ATI Launchpad"="D:\Program Files\ATI Multimedia\main\launchpd.exe" [2006-10-31 22:27] "ATI DeviceDetect"="D:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 22:24] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "<NO NAME>"= "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\blasdes] blasdes.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ciadqic] ciadqic.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dplrls] dplrls.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iprkup] iprkup.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lxbsic] lxbsic.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=c:\windows\system32\mljjjgf.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\websx] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "d:\Program Files\Winamp\Winampa.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe" "ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start "RoxioDragToDisc"="D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" "SM1BG"=C:\WINDOWS\SM1BG.EXE "RecordPadRun"="C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" -atboottime "HostManager"=C:\Program Files\Common Files\AOL\1170699226\ee\AOLSoftware.exe HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* Contents of the 'Scheduled Tasks' folder 2007-05-25 02:50:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2007-03-15 05:01:04 C:\WINDOWS\tasks\McDefragTask.job 2007-03-01 06:03:44 C:\WINDOWS\tasks\McQcTask.job ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-09 22:31:31 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-09 22:35:46 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-06-09 22:35 --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 10:46:06 PM, on 6/9/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\SiteAdvisor\6066\SAService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\WINDOWS\wanmpsvc.exe D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\Lexmark 7100 Series\lxbxmon.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Lexmark 7100 Series\ezprint.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SiteAdvisor\6066\SiteAdv.exe D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe D:\Program Files\Palm\HOTSYNC.EXE C:\WINDOWS\system32\lxbxcoms.exe D:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\explorer.exe C:\Program Files\HijackThis\HijackThis.exe C:\WINDOWS\system32\taskmgr.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/My%20Documents/WebPage/Firehawk/index2.htm O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O2 - BHO: (no name) - {277c8284-3853-449b-99ec-c3bea19effe3} - C:\WINDOWS\system32\ciadqic.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe" O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - HKCU\..\Run: [ATI Scheduler] D:\Program Files\ATI Multimedia\main\ATISched.EXE O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - Startup: HOTSYNC.lnk = D:\Program Files\Palm\HOTSYNC.EXE O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\ciadqic.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab O16 - DPF: {F5932B1A-DC5A-4408-956D-B1CAD89F2ACC} - https://www.gleim.com/data/tp4/webdeploy/webinstall.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7744BCD8-D8E6-467F-B3BE-F8A7ED7CE765}: NameServer = 192.168.1.1 O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O20 - AppInit_DLLs: c:\windows\system32\mljjjgf.dll O20 - Winlogon Notify: blasdes - C:\WINDOWS\SYSTEM32\blasdes.dll O20 - Winlogon Notify: ciadqic - C:\WINDOWS\SYSTEM32\ciadqic.dll O20 - Winlogon Notify: dplrls - C:\WINDOWS\SYSTEM32\dplrls.dll O20 - Winlogon Notify: iprkup - C:\WINDOWS\SYSTEM32\iprkup.dll O20 - Winlogon Notify: lxbsic - C:\WINDOWS\SYSTEM32\lxbsic.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe Last edited by Rotzy; 06-09-2007 at 08:48 PM. |
|
|
|
|
06-09-2007, 10:26 PM
|
#7 (permalink) | |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home
|
Re: Pop ups, software loading, New Malware.aj
--------------------------------------------
Open notepad and copy/paste the text in the quotebox below into it: Quote:
 Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Also post a new HijackThis log. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 01-12-2008 at 02:33 PM. Reason: removed SFP instructions to prevent drive-by uploads to sUBs |
|
|
|
|
|
06-10-2007, 04:38 AM
|
#8 (permalink) |
|
Registered User
Join Date: Jun 2007
Posts: 23
OS: Win XP Pro
|
Re: Pop ups, software loading, New Malware.aj
The file has been submitted.
I had to run combofix twice. The first time it did not continue after the reboot. The second run was fine. ComboFix 07-06-09.5 - C:\Documents and Settings\Mark L. VanRotz\Desktop\ComboFix.exe "Mark L. VanRotz" - 2007-06-10 6:28:50 - Service Pack 2 NTFS Command switches used :: C:\Documents and Settings\Mark L. VanRotz\Desktop\ComboFix-Do.txt (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\ciadqic.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\blasdes.dll C:\WINDOWS\SYSTEM32\ciadqic.dll C:\WINDOWS\system32\dplrls.dll C:\WINDOWS\system32\iprkup.dll C:\WINDOWS\system32\lxbsic.dll ((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 ))))))))))))))))))))))))))))))) 2007-06-09 22:33 47,899 --a------ C:\WINDOWS\system32\ddayy.exe 2007-06-09 22:25 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-02 08:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sophos 2007-06-02 08:05 <DIR> d-------- C:\savxpsa 2007-06-01 23:53 <DIR> d-------- C:\Deckard 2007-06-01 23:33 <DIR> d-------- C:\ie-spyad 2007-06-01 23:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-06-01 17:21 <DIR> d-------- C:\VundoFix Backups 2007-05-30 05:53 552 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-05-30 05:26 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-04 00:39:03 -------- d-----w C:\Program Files\DeltaFlights 2007-06-03 23:45:38 -------- d-----w C:\Program Files\Lx_cats 2007-06-01 21:25:11 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-05-30 02:40:05 -------- d-----w C:\Program Files\WebIQ 2007-05-30 02:38:00 -------- d--h--w C:\DOCUME~1\MARKL~1.VAN\APPLIC~1\Move Networks 2007-05-21 02:15:47 -------- d-----w C:\Program Files\McAfee 2007-05-09 10:19:11 -------- d-----w C:\DOCUME~1\MARKL~1.VAN\APPLIC~1\SiteAdvisor 2007-05-09 10:14:31 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2 2007-05-07 12:13:37 -------- d-----w C:\Program Files\Common Files\AOL 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-15 16:09:24 -------- d-----w C:\Program Files\SiteAdvisor 2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll 2007-04-13 17:30:43 33,592 ----a-w C:\WINDOWS\system32\drivers\atwpkt264.sys 2007-04-13 17:30:39 25,136 ----a-w C:\WINDOWS\system32\drivers\atwpkt2.sys 2007-04-10 18:53:37 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat 2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 11:41] {7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll [2006-12-22 16:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 08:15] "!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-09-29 11:37] "type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 05:24] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 05:21] "lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 05:43] "FaxCenterServer4_in_1"="C:\Program Files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 11:53] "EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 09:24] "iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-01-17 15:24] "ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PopUpStopperFreeEdition"="D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 10:40] "ATI Scheduler"="D:\Program Files\ATI Multimedia\main\ATISched.EXE" [2006-10-31 22:25] "ATI Launchpad"="D:\Program Files\ATI Multimedia\main\launchpd.exe" [2006-10-31 22:27] "ATI DeviceDetect"="D:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 22:24] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "<NO NAME>"= "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\websx] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "d:\Program Files\Winamp\Winampa.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe" "ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start "RoxioDragToDisc"="D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" "SM1BG"=C:\WINDOWS\SM1BG.EXE "RecordPadRun"="C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" -atboottime "HostManager"=C:\Program Files\Common Files\AOL\1170699226\ee\AOLSoftware.exe HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* Contents of the 'Scheduled Tasks' folder 2007-05-25 02:50:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2007-03-15 05:01:04 C:\WINDOWS\tasks\McDefragTask.job 2007-03-01 06:03:44 C:\WINDOWS\tasks\McQcTask.job ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-10 06:33:33 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-10 6:36:27 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-06-10 06:36 C:\ComboFix2.txt ... 2007-06-09 22:35 --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 6:38:52 AM, on 6/10/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\SiteAdvisor\6066\SAService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\wuauclt.exe D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\Lexmark 7100 Series\lxbxmon.exe C:\Program Files\Lexmark 7100 Series\ezprint.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SiteAdvisor\6066\SiteAdv.exe D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe C:\WINDOWS\system32\lxbxcoms.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe D:\Program Files\Palm\HOTSYNC.EXE D:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/My%20Documents/WebPage/Firehawk/index2.htm O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe" O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - HKCU\..\Run: [ATI Scheduler] D:\Program Files\ATI Multimedia\main\ATISched.EXE O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - Startup: HOTSYNC.lnk = D:\Program Files\Palm\HOTSYNC.EXE O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab O16 - DPF: {F5932B1A-DC5A-4408-956D-B1CAD89F2ACC} - https://www.gleim.com/data/tp4/webdeploy/webinstall.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7744BCD8-D8E6-467F-B3BE-F8A7ED7CE765}: NameServer = 192.168.1.1 O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe |
|
|
|
|
06-10-2007, 09:06 AM
|
#9 (permalink) | |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home
|
Re: Pop ups, software loading, New Malware.aj
Hello, Rotzy -
Thanks for the submission. A few of the files refused to be packed (likely in use), but ComboFix removed them. We can now grab them from ComboFix quarantine folder using the same method. First, though, I'd like to use ComboFix once more to kill and quarantine another vundo type file, so we can have a sample of that as well. Open notepad and copy/paste the text in the quotebox below into it: Quote:
Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall --------------------------------------------------------------------------------------------- Run SFP once again Paste the following list of bad files into the Suspicious File Packer window: C:\QooBox\Quarantine\C\WINDOWS\system32\blasdes.dll.virAllow SFP to pack the files. This will generate a CAB archive on your desktop. Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4 Please include a link to this topic in the message. -------------------------------------------- Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. --------------------------------------------------------------------------------------------- Also post a new HijackThis log.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
|
06-10-2007, 10:20 AM
|
#10 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home
|
Re: Pop ups, software loading, New Malware.aj
Hi Rotzy -
In addition, can you please post the contents of this log: C:\ComboFix-quarantined-files.txt
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
06-10-2007, 02:43 PM
|
#11 (permalink) |
|
Registered User
Join Date: Jun 2007
Posts: 23
OS: Win XP Pro
|
Re: Pop ups, software loading, New Malware.aj
The file has been submitted.
Sorry for the delay. The virus scan took quite some time. ComboFix 07-06-09.5 - C:\Documents and Settings\Mark L. VanRotz\Desktop\ComboFix.exe "Mark L. VanRotz" - 2007-06-10 11:51:28 - Service Pack 2 NTFS Command switches used :: C:\Documents and Settings\Mark L. VanRotz\Desktop\ComboFix-Do.txt ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\ddayy.exe ((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 ))))))))))))))))))))))))))))))) 2007-06-09 22:25 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-02 08:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sophos 2007-06-01 23:53 <DIR> d-------- C:\Deckard 2007-06-01 23:33 <DIR> d-------- C:\ie-spyad 2007-06-01 23:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-06-01 17:21 <DIR> d-------- C:\VundoFix Backups 2007-05-30 05:53 552 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-05-30 05:26 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-10 15:50:17 -------- d-----w C:\Program Files\Common Files\AOL 2007-06-10 15:47:45 -------- d-----w C:\DOCUME~1\MARKL~1.VAN\APPLIC~1\AOL 2007-06-04 00:39:03 -------- d-----w C:\Program Files\DeltaFlights 2007-06-03 23:45:38 -------- d-----w C:\Program Files\Lx_cats 2007-06-01 21:25:11 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-05-30 02:40:05 -------- d-----w C:\Program Files\WebIQ 2007-05-30 02:38:00 -------- d--h--w C:\DOCUME~1\MARKL~1.VAN\APPLIC~1\Move Networks 2007-05-21 02:15:47 -------- d-----w C:\Program Files\McAfee 2007-05-09 10:19:11 -------- d-----w C:\DOCUME~1\MARKL~1.VAN\APPLIC~1\SiteAdvisor 2007-05-09 10:14:31 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-18 06:49:03 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll 2007-04-18 06:49:03 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll 2007-04-15 16:09:24 -------- d-----w C:\Program Files\SiteAdvisor 2007-04-13 17:30:43 33,592 ----a-w C:\WINDOWS\system32\drivers\atwpkt264.sys 2007-04-13 17:30:39 25,136 ----a-w C:\WINDOWS\system32\drivers\atwpkt2.sys 2007-04-10 18:53:37 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat 2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 11:41] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll [2006-12-22 16:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 08:15] "!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-09-29 11:37] "type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 05:24] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 05:21] "lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 05:43] "FaxCenterServer4_in_1"="C:\Program Files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 11:53] "EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 09:24] "iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-01-17 15:24] "ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PopUpStopperFreeEdition"="D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 10:40] "ATI Scheduler"="D:\Program Files\ATI Multimedia\main\ATISched.EXE" [2006-10-31 22:25] "ATI Launchpad"="D:\Program Files\ATI Multimedia\main\launchpd.exe" [2006-10-31 22:27] "ATI DeviceDetect"="D:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 22:24] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce] "AOLRebootNeeded"=regsvr32.exe /s [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "<NO NAME>"= "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\websx] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "d:\Program Files\Winamp\Winampa.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "AOL Fast Start"="D:\Program Files\America Online\AOL.EXE" -b [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe" "ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start "RoxioDragToDisc"="D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" "SM1BG"=C:\WINDOWS\SM1BG.EXE "RecordPadRun"="C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" -atboottime "HostManager"=C:\Program Files\Common Files\AOL\1170699226\ee\AOLSoftware.exe "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* Contents of the 'Scheduled Tasks' folder 2007-05-25 02:50:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2007-03-15 05:01:04 C:\WINDOWS\tasks\McDefragTask.job 2007-03-01 06:03:44 C:\WINDOWS\tasks\McQcTask.job ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-10 11:52:49 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-10 11:58:56 C:\ComboFix-quarantined-files.txt ... 2007-06-10 11:58 C:\ComboFix2.txt ... 2007-06-10 06:36 C:\ComboFix3.txt ... 2007-06-09 22:35 --- E O F --- Code:
2003-10-02 21:40 234 --a------ C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2007-05-29 10:15 12494 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mljjjgf.dll.vir
2007-05-29 10:18 12494 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkhffcd.dll.vir
2007-05-29 10:20 47902 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gebyv.exe.vir
2007-05-29 10:47 39182 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp199.tmp.dll.vir
2007-05-29 15:49 39146 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp90.tmp.dll.vir
2007-06-01 17:59 47857 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\awtqp.exe.vir
2007-06-01 18:10 47916 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqpo.exe.vir
2007-06-01 18:16 47916 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkll.exe.vir
2007-06-01 18:21 37411 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\icfDDC.dll.vir
2007-06-01 18:21 47916 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqpp.exe.vir
2007-06-01 23:16 39124 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp80.tmp.dll.vir
2007-06-01 23:23 106623 --a------ C:\Qoobox\Quarantine\C\WINDOWS\byywus.dll.vir
2007-06-01 23:23 39124 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp9B.tmp.dll.vir
2007-06-02 07:26 1101166 --a------ C:\Qoobox\Quarantine\C\WINDOWS\suwyyb.ini.vir
2007-06-02 07:57 39124 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp182.tmp.dll.vir
2007-06-04 06:09 39124 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp79.tmp.dll.vir
2007-06-04 06:09 50970 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\MARKL~1.VAN\APPLIC~1\tmp79.tmp.exe.vir
2007-06-04 06:10 17010 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\MARKL~1.VAN\APPLIC~1\tmp7A.tmp.exe.vir
2007-06-09 22:33 37437 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ciadqic.dll.vir
2007-06-09 22:33 47899 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ddayy.exe.vir
2007-06-10 06:21 178184 --a------ C:\Qoobox\Quarantine\catchme2007-06-10_ 63322.25.zip
2007-06-10 06:31 1452 --a------ C:\Qoobox\Quarantine\catchme.log
Folder PATH listing for volume Root
Volume serial number is 5431-1FA6
C:\QOOBOX
\---Quarantine
| catchme.log
| catchme2007-06-10_ 63322.25.zip
|
+---C
| +---Avenger
| +---DOCUME~1
| | \---MARKL~1.VAN
| | \---APPLIC~1
| | tmp79.tmp.exe.vir
| | tmp7A.tmp.exe.vir
| |
| +---Program Files
| | INSTALL.LOG.vir
| |
| \---WINDOWS
| | byywus.dll.vir
| | suwyyb.ini.vir
| |
| \---system32
| awtqp.exe.vir
| ciadqic.dll.vir
| ddayy.exe.vir
| gebyv.exe.vir
| icfDDC.dll.vir
| jkhffcd.dll.vir
| jkkll.exe.vir
| mljjjgf.dll.vir
| ssqpo.exe.vir
| ssqpp.exe.vir
| tmp182.tmp.dll.vir
| tmp199.tmp.dll.vir
| tmp79.tmp.dll.vir
| tmp80.tmp.dll.vir
| tmp90.tmp.dll.vir
| tmp9B.tmp.dll.vir
|
\---Registry_backups
Code:
2003-10-02 21:40 234 --a------ C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2007-05-29 10:15 12494 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mljjjgf.dll.vir
2007-05-29 10:18 12494 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkhffcd.dll.vir
2007-05-29 10:20 47902 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gebyv.exe.vir
2007-05-29 10:47 39182 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp199.tmp.dll.vir
2007-05-29 15:49 39146 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp90.tmp.dll.vir
2007-06-01 17:59 47857 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\awtqp.exe.vir
2007-06-01 18:10 47916 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqpo.exe.vir
2007-06-01 18:16 47916 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkll.exe.vir
2007-06-01 18:21 37411 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\icfDDC.dll.vir
2007-06-01 18:21 47916 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqpp.exe.vir
2007-06-01 23:16 39124 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp80.tmp.dll.vir
2007-06-01 23:23 106623 --a------ C:\Qoobox\Quarantine\C\WINDOWS\byywus.dll.vir
2007-06-01 23:23 39124 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp9B.tmp.dll.vir
2007-06-02 07:26 1101166 --a------ C:\Qoobox\Quarantine\C\WINDOWS\suwyyb.ini.vir
2007-06-02 07:57 39124 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp182.tmp.dll.vir
2007-06-04 06:09 39124 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp79.tmp.dll.vir
2007-06-04 06:09 50970 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\MARKL~1.VAN\APPLIC~1\tmp79.tmp.exe.vir
2007-06-04 06:10 17010 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\MARKL~1.VAN\APPLIC~1\tmp7A.tmp.exe.vir
2007-06-09 22:33 37437 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ciadqic.dll.vir
2007-06-09 22:33 47899 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ddayy.exe.vir
2007-06-10 06:21 178184 --a------ C:\Qoobox\Quarantine\catchme2007-06-10_ 63322.25.zip
2007-06-10 06:31 1452 --a------ C:\Qoobox\Quarantine\catchme.log
Folder PATH listing for volume Root
Volume serial number is 5431-1FA6
C:\QOOBOX
\---Quarantine
| catchme.log
| catchme2007-06-10_ 63322.25.zip
|
+---C
| +---Avenger
| +---DOCUME~1
| | \---MARKL~1.VAN
| | \---APPLIC~1
| | tmp79.tmp.exe.vir
| | tmp7A.tmp.exe.vir
| |
| +---Program Files
| | INSTALL.LOG.vir
| |
| \---WINDOWS
| | byywus.dll.vir
| | suwyyb.ini.vir
| |
| \---system32
| awtqp.exe.vir
| ciadqic.dll.vir
| ddayy.exe.vir
| gebyv.exe.vir
| icfDDC.dll.vir
| jkhffcd.dll.vir
| jkkll.exe.vir
| mljjjgf.dll.vir
| ssqpo.exe.vir
| ssqpp.exe.vir
| tmp182.tmp.dll.vir
| tmp199.tmp.dll.vir
| tmp79.tmp.dll.vir
| tmp80.tmp.dll.vir
| tmp90.tmp.dll.vir
| tmp9B.tmp.dll.vir
|
\---Registry_backups
------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Sunday, June 10, 2007 4:38:41 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 10/06/2007 Kaspersky Anti-Virus database records: 342024 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - Folders: C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 73926 Number of viruses found: 3 Number of infected objects: 7 / 0 Number of suspicious objects: 0 Duration of the scan process: 01:37:07 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{A89DA890-09B1-4EC8-9F0A-16D8C102B6E7}.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\Desktop\requested-files[2007-06-10_06_06].cab/C:/Documents and Settings/Mark L. VanRotz/Application Data/tmp7A.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped C:\Documents and Settings\Mark L. VanRotz\Desktop\requested-files[2007-06-10_06_06].cab/C:/Documents and Settings/Mark L. VanRotz/Application Data/tmp79.tmp.exe Infected: Trojan.Win32.BHO.g skipped C:\Documents and Settings\Mark L. VanRotz\Desktop\requested-files[2007-06-10_06_06].cab CAB: infected - 2 skipped C:\Documents and Settings\Mark L. VanRotz\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\Local Settings\Temp\Perflib_Perfdata_c8.dat Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Mark L. VanRotz\UserData\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\QooBox\Quarantine\C\DOCUME~1\MARKL~1.VAN\APPLIC~1\tmp79.tmp.exe.vir Infected: Trojan.Win32.BHO.g skipped C:\QooBox\Quarantine\C\DOCUME~1\MARKL~1.VAN\APPLIC~1\tmp7A.tmp.exe.vir Infected: Trojan-Downloader.Win32.Agent.bjk skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{695888B7-50BC-4C6B-A8D8-FC3A8193CF85}\RP1475\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped C:\WINDOWS\Internet Logs\ROTZY.ldb Object is locked skipped C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{D88ACDAB-6526-41DF-A280-55566B5B6E4E}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\mcmsc_3gFQt6W99AKXb5Q Object is locked skipped C:\WINDOWS\Temp\mcmsc_F1ICUM6v4vAoTvT Object is locked skipped C:\WINDOWS\Temp\mcmsc_njqhiJNxb9GTEWt Object is locked skipped C:\WINDOWS\Temp\mcmsc_WGTxNoUgAxl0N3l Object is locked skipped C:\WINDOWS\Temp\ZLT03b6b.TMP Object is locked skipped C:\WINDOWS\Temp\ZLT03b6f.TMP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped D:\System Volume Information\_restore{695888B7-50BC-4C6B-A8D8-FC3A8193CF85}\RP1475\change.log Object is locked skipped E:\My Documents\Download\Get Right\GetRight42.exe/WISE0032.BIN Infected: not-a-virus:AdWare.Win32.TimeSinc skipped E:\My Documents\Download\Get Right\GetRight42.exe WiseSFX: infected - 1 skipped E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped Scan process completed. Logfile of HijackThis v1.99.1 Scan saved at 4:39:51 PM, on 6/10/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\Lexmark 7100 Series\lxbxmon.exe C:\Program Files\Lexmark 7100 Series\ezprint.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SiteAdvisor\6066\SiteAdv.exe c:\program files\common files\mcafee\mna\mcnasvc.exe D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe D:\Program Files\Palm\HOTSYNC.EXE C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\SiteAdvisor\6066\SAService.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\lxbxcoms.exe D:\Program Files\iPod\bin\iPodService.exe D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/My%20Documents/WebPage/Firehawk/index2.htm O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe" O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - HKCU\..\Run: [ATI Scheduler] D:\Program Files\ATI Multimedia\main\ATISched.EXE O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - Startup: HOTSYNC.lnk = D:\Program Files\Palm\HOTSYNC.EXE O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab O16 - DPF: {F5932B1A-DC5A-4408-956D-B1CAD89F2ACC} - https://www.gleim.com/data/tp4/webdeploy/webinstall.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7744BCD8-D8E6-467F-B3BE-F8A7ED7CE765}: NameServer = 192.168.1.1 O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
|
|
|
|
06-10-2007, 03:48 PM
|
#12 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home
|
Re: Pop ups, software loading, New Malware.aj
Hi Rotzy -
Thank you for the uploads. By helping us, you're helping other users across the globe. If I might impose upon you once more..... Run SFP once again Paste the following list of bad files into the Suspicious File Packer window: C:\Qoobox\Quarantine\catchme2007-06-10_ 63322.25.zipAllow SFP to pack the files. This will generate a CAB archive on your desktop. Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4 Please include a link to this topic in the message. I will have more instructions for you after receiving those files.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
06-10-2007, 06:12 PM
|
#14 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home
|
Re: Pop ups, software loading, New Malware.aj
Thanks again, Rotzy -
Ok, let's see if we can finish this up.... Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) Close HijackThis now. --------------------------------------------------------------------------------------------- Delete the following. If they resist, boot to safe mode and delete from there: C:\Documents and Settings\Mark L. VanRotz\Desktop\requested-files[2007-06-10_06_06].cab C:\Documents and Settings\Mark L. VanRotz\Desktop\requested-files[2007-06-10_06_06].cab (and the most recent .cab file created by SFP) C:\QooBox C:\Avenger This file is found to be adware infected, though Get Right is a known download manager. E:\My Documents\Download\Get Right\GetRight42.exe Let's scan it at VirusTotal, and see what some other vendors think. Please go to: VirusTotal
--------------------------------------------------------------------------------------------- I see you have AVG Anti-Spyware already. Please update it's definitions, and run a scan where I have placed it in this fix. Run AVG Anti-Spyware
Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)
--------------------------------------------------------------------------------------------- Run Deckard's System Scanner once again, and post it's log (main.txt) --------------------------------------------------------------------------------------------- Please return with results from: VirusTotal AVG Anti-Spyware DSS (main.txt)
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
06-10-2007, 07:28 PM
|
#15 (permalink) |
|
Registered User
Join Date: Jun 2007
Posts: 23
OS: Win XP Pro
|
Re: Pop ups, software loading, New Malware.aj
Just as an additional bit of info: The only symptom I seem to currently be having, is a random attempt to install Roxio EZ Media Creator 7 (it's already installed and has been for quite some time now). It frequently tries to run when I double click on something else.
STATUS: SCANNINGFile "GetRight42.exe_" received on 06.11.2007 at 02:42:32 (CET) is being scanned by VirusTotal in this moment. Results will be shown as they're generated. Antivirus Version Update Result AhnLab-V3 2007.6.9.0 06.08.2007 no virus found AntiVir 7.4.0.32 06.09.2007 no virus found Authentium 4.93.8 05.23.2007 no virus found Avast 4.7.997.0 06.09.2007 Win32:Spyware-gen. AVG 7.5.0.467 06.10.2007 no virus found BitDefender 7.2 06.11.2007 Adware.TSAdvert.A CAT-QuickHeal 9.00 06.09.2007 no virus found ClamAV devel-20070416 06.10.2007 no virus found DrWeb 4.33 06.10.2007 no virus found Aditional Information File size: 3209110 bytes MD5: c83d22b292aad931f78266e08b167616 SHA1: d63fdba7c28d4d5d7d3903dc6104846f797ab560 packers: BINARYRES, BINARYRES, BINARYRES VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware. --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 9:25:44 PM 6/10/2007 + Scan result: Nothing found. ::Report end Deckard's System Scanner v20070426.43 Run by Mark L. VanRotz on 2007-06-10 at 21:28:04 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Mark L. VanRotz.exe) ------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 9:28:57 PM, on 6/10/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\Lexmark 7100 Series\lxbxmon.exe C:\Program Files\Lexmark 7100 Series\ezprint.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SiteAdvisor\6066\SiteAdv.exe c:\program files\common files\mcafee\mna\mcnasvc.exe D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe D:\Program Files\Palm\HOTSYNC.EXE C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\SiteAdvisor\6066\SAService.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\lxbxcoms.exe D:\Program Files\iPod\bin\iPodService.exe D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\explorer.exe D:\Program Files\Microsoft Money\MNYCoreFiles\mnybbsvc.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\MARKL~1.VAN\Desktop\dss.exe C:\WINDOWS\system32\msiexec.exe C:\PROGRA~1\HIJACK~1\MARKLV~1.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/My%20Documents/WebPage/Firehawk/index2.htm O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe" O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - HKCU\..\Run: [ATI Scheduler] D:\Program Files\ATI Multimedia\main\ATISched.EXE O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - Startup: HOTSYNC.lnk = D:\Program Files\Palm\HOTSYNC.EXE O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab O16 - DPF: {F5932B1A-DC5A-4408-956D-B1CAD89F2ACC} - https://www.gleim.com/data/tp4/webdeploy/webinstall.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7744BCD8-D8E6-467F-B3BE-F8A7ED7CE765}: NameServer = 192.168.1.1 O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- Files created between 2007-05-10 and 2007-06-10 ----------------------------- 2007-06-10 12:03:23 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-06-10 12:03:21 0 d-------- C:\WINDOWS\LastGood 2007-06-10 09:50:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Macromedia 2007-06-10 09:25:34 0 d-------- C:\WINDOWS\Sun 2007-06-10 09:25:34 0 d-------- C:\Documents and Settings\Mark L. VanRotz\Application Data\Sun 2007-06-10 09:24:01 0 d-------- C:\Program Files\Common Files\Java 2007-06-02 08:07:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Sophos 2007-06-01 23:33:41 0 d-------- C:\ie-spyad 2007-06-01 23:10:49 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-06-01 17:21:25 0 d-------- C:\VundoFix Backups 2007-05-30 05:53:36 552 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-05-22 22:05:44 0 dr-h----- C:\Documents and Settings\Mark L. VanRotz\Recent -- Find3M Report --------------------------------------------------------------- 2007-06-10 11:50:17 0 d-------- C:\Program Files\Common Files\AOL 2007-06-10 11:47:45 0 d-------- C:\Documents and Settings\Mark L. VanRotz\Application Data\AOL 2007-06-03 20:39:03 0 d-------- C:\Program Files\DeltaFlights 2007-06-03 19:45:38 0 d-------- C:\Program Files\Lx_cats 2007-06-01 17:25:11 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-05-29 22:40:05 0 d-------- C:\Program Files\WebIQ 2007-05-29 22:38:00 0 d--h----- C:\Documents and Settings\Mark L. VanRotz\Application Data\Move Networks 2007-05-20 22:15:47 0 d-------- C:\Program Files\McAfee 2007-05-09 06:19:11 0 d-------- C:\Documents and Settings\Mark L. VanRotz\Application Data\SiteAdvisor 2007-05-09 06:14:31 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 2007-04-15 12:09:24 0 d-------- C:\Program Files\SiteAdvisor 2007-04-10 14:53:37 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {089FD14D-132B-48FC-8861-0048AE113215} C:\Program Files\SiteAdvisor\6066\SiteAdv.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll {7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime" "type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\"" "IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\"" "lxbxmon.exe"="\"C:\\Program Files\\Lexmark 7100 Series\\lxbxmon.exe\"" "FaxCenterServer4_in_1"="\"C:\\Program Files\\Lexmark 7100 Series\\fm3032.exe\" /s" "EzPrint"="\"C:\\Program Files\\Lexmark 7100 Series\\ezprint.exe\"" "iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\"" "SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6066\\SiteAdv.exe" "ZoneAlarm Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "PopUpStopperFreeEdition"="\"D:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\"" "ATI Scheduler"="D:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE" "ATI Launchpad"="\"D:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\"" "ATI DeviceDetect"="D:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce] "AOLRebootNeeded"="regsvr32.exe /s" [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] @="" "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "AOL Fast Start"="\"D:\\Program Files\\America Online\\AOL.EXE\" -b" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Acrobat Assistant 7.0"="\"D:\\Program Files\\Adobe\\Acrobat\\Distillr\\Acrotray.exe\"" "ISUSPM Startup"="\"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup" "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start" "RoxioDragToDisc"="\"D:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\"" "SM1BG"="C:\\WINDOWS\\SM1BG.EXE" "RecordPadRun"="\"C:\\Program Files\\NCH Swift Sound\\RecordPad\\recordpad.exe\" -logon" "QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "HostManager"="C:\\Program Files\\Common Files\\AOL\\1170699226\\ee\\AOLSoftware.exe" "SunJavaUpdateSched"="\"D:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="D:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] "backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe " "item"="QuickBooks Update Agent" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="launchpd" "hkey"="HKCU" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="BCMSMMSG" "hkey"="HKLM" "command"="BCMSMMSG.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Money Express" "hkey"="HKCU" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\websx] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="int280817" "hkey"="HKLM" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Winampa" "hkey"="HKLM" "command"="\"d:\\Program Files\\Winamp\\Winampa.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 -- End of Deckard's System Scanner: finished at 2007-06-10 at 21:29:28 --------- |
|
|
|
|
06-10-2007, 08:13 PM
|
#16 (permalink) | |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home
|
Re: Pop ups, software loading, New Malware.aj
I'd delete this file:
E:\My Documents\Download\Get Right\GetRight42.exe though it might cause Get right to not function if it's still installed. What's your E drive? --------------------- Quote:
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
|
06-10-2007, 08:23 PM
|
#17 (permalink) |
|
Registered User
Join Date: Jun 2007
Posts: 23
OS: Win XP Pro
|
Re: Pop ups, software loading, New Malware.aj
I'll delete it.
c = operating system d = programs e = files It looks as if it's trying to install napster when the roxio window comes up (it's quite repetative). It goes through the preliminary install startup, then asks for the cd so that it may install napster. I select cancel, and the process starts all over again. So that's it. My system should be "clean" by now?  Thanks! |
|
|
|
|
06-10-2007, 08:26 PM
|
#18 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home
|
Re: Pop ups, software loading, New Malware.aj
Have you ever had Napster installed? Have you tried placing the installation media in the machine when the message comes up? Do you use Roxio?
Can you capture the error message via screenshot? Other than this annoyance, your logs indeed appear clean. I'll have some final instructions for you once we've tried to solve that last issue.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
06-10-2007, 08:43 PM
|
#19 (permalink) |
|
Registered User
Join Date: Jun 2007
Posts: 23
OS: Win XP Pro
|
Re: Pop ups, software loading, New Malware.aj
I have uploaded a screen capture. I cannot seem to find my Roxio installation CD. I only use it rarely, and won't mind removing it if you think that will help (I'm sure I'll find the cd sooner or later). Don't think I've ever installed napster.
Last edited by Rotzy; 06-10-2007 at 08:51 PM. |
|
|
|
|
06-10-2007, 08:57 PM
|
#20 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home
|
Re: Pop ups, software loading, New Malware.aj
From that image, I'd say you have a couple of options....
1, give it the disk, and click Yes as it seems to be asking for it. 2, uninstall, and hope that resolves the message issue 3, keep canceling  I'll post my final cleanup instructions, and keep this thread open while you try to resolve that issue. Well done. Your logs appear clean.You should be good to go. We still have a few items to address. Make sure your antivirus program is up to date, and run a full system scan. Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while. Reset hidden/system files and folders
Clear & Reset System Restore's Cache
Enable Windows Auto Update
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
| Thread Tools | |
|
|
