Old 10-07-2007, 01:57 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: XP


HijackThis Thread

Hi,

I am having serious malware and spyware problems and need help identifying which files need fixing. Here is the logfile from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:12 PM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\retadpu72.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\YSTEM3~1\fast.exe
C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\VXNlcg\command.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\winntify.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ISM\ISMModule.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.runsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.runsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\o075tmrp.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {403D4EFF-A96E-8590-1A12-8C8DBD20D5EE} - C:\WINDOWS\system32\dxhe.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\d3acdb.dll (file missing)
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: H - {B3056695-CE91-404e-BD3B-62A4A3E6ADFD} - w1m.dll (file missing)
O2 - BHO: H - {D11FCCFD-479A-417a-9633-CBDD600E2C6C} - C:\WINDOWS\system32\geyrr.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DA197C7734672DE3F546CAC59B6
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Irdr] "C:\PROGRA~1\YSTEM3~1\fast.exe" -vt yazb
O4 - HKCU\..\Run: [Fvfmsyvt] "C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [ISMModule] "C:\Program Files\ISM\ISMModule.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/w...oft/wtinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}: NameServer = 194.54.90.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DFE1CED-9749-4838-91AD-47CCA52C5D74}: NameServer = 194.54.90.238
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}: NameServer = 194.54.90.238
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\d3acdb.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9858 bytes


Any help is greatly appreciated.

Thanks,

Reggie
reggieblack is offline  
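As an added example (not part of this thread, and not a tool the forum's analysts use), here is a small Python triage script for a HijackThis 2.x log. It parses the R/N/O entry lines and flags the kinds of entries a reviewer would pick out of the log above: search and start pages pointing at an unrecognised host, BHOs with no name or a missing file, run keys whose path contains a substituted character (HijackThis prints characters it cannot render as `?`), executables sitting directly in the Windows directory, an O17 NameServer outside the LAN, and services with no vendor. The sample log lines are constructed from entry types in this thread; the approved-host and approved-nameserver lists are assumptions for the example and would be tuned per environment.

```python
"""Triage a HijackThis 2.x log: parse each entry and flag indicators of the
kinds seen in the thread above. Example code, not a HijackThis feature."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allow-lists for this example (constructed; tune per environment).
APPROVED_WEB_HOSTS = {"espn.com", "google.com", "microsoft.com", "yahoo.com"}
APPROVED_NAMESERVERS = {"192.168.1.1"}  # assumed LAN router address

# Constructed sample in HijackThis log format, modelled on the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\d3acdb.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Fvfmsyvt] "C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C0843201
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}: NameServer = 194.54.90.238
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[RNOF]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"= (\S+)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")
# A '?' inside a backslash-delimited path component: HijackThis renders
# characters it cannot display (e.g. non-ASCII look-alikes) as '?'.
SUBSTITUTED_CHAR_RE = re.compile(r'\\[^\\\s"]*\?')
# An .exe sitting directly in the Windows directory rather than a subfolder.
WINROOT_EXE_RE = re.compile(r'[A-Za-z]:\\WINDOWS\\[^\\\s"]+\.exe', re.IGNORECASE)


@dataclass
class Finding:
    entry_type: str
    line: str
    reasons: list


def _host_approved(url):
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in APPROVED_WEB_HOSTS)


def _nameserver_ok(ip_text):
    """Accept an explicitly approved server or any RFC 1918 private address."""
    ip_text = ip_text.strip()
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip_text in APPROVED_NAMESERVERS or ip.is_private


def check_entry(entry_type, body):
    """Return the list of reason codes that apply to one log entry."""
    reasons = []
    if entry_type.startswith("R"):
        m = URL_RE.search(body)
        if m and m.group(1).lower().startswith(("http://", "https://")) \
                and not _host_approved(m.group(1)):
            reasons.append("unapproved-host")
    if entry_type.startswith("O"):
        if "(file missing)" in body:
            reasons.append("file-missing")
        if entry_type == "O2" and "(no name)" in body:
            reasons.append("unnamed-bho")
        if SUBSTITUTED_CHAR_RE.search(body):
            reasons.append("substituted-char-in-path")
        if WINROOT_EXE_RE.search(body):
            reasons.append("exe-in-windows-root")
        if entry_type == "O17":
            m = NAMESERVER_RE.search(body)
            servers = m.group(1).split(",") if m else []
            if not servers or not all(_nameserver_ok(s) for s in servers):
                reasons.append("unexpected-nameserver")
        if entry_type == "O23" and "Unknown owner" in body:
            reasons.append("unknown-service-owner")
    return reasons


def triage(log_text):
    """Parse every R/N/O/F entry and return the flagged ones in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        reasons = check_entry(m.group("type"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("type"), line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry_type:4} {', '.join(f.reasons):40} {f.line[:70]}")
```

The heuristics are deliberately coarse: a flagged entry is a candidate for a reviewer's attention, not a verdict, and a clean run says nothing about entries the rules do not cover (the N2 and O16 lines, for instance, are parsed but never flagged). The O17 rule is the one most worth keeping in any environment, since a public DNS server nobody configured is exactly what redirected this machine's searches.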
Old 10-13-2007, 09:23 PM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: HijackThis Thread

Hi and welcome to TSF.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Download combofix from here

**Save it directly to your desktop**
  • Go to -> Run -> paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall

A log will be produced that will ultimately be named C:\ComboFix.txt. I'll need that in your next reply.

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

DO NOT run SDFix yet. We will shortly.

--------------------------------------------------------------

Enter Safe Mode
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting windows in Safe mode, click OK and windows will load your desktop environment

Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

--------------------------------------------------------------

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Paste the contents of the Report.txt back on the forum

--------------------------------------------------------------

Restart your computer in Normal Mode

--------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

--------------------------------------------------------------

Please reply back with the following logs:

C:\ComboFix.txt
C:\SDFix\report.txt
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt - Attached please
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
forhockey is offline  
Old 10-20-2007, 07:51 PM   #3 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: XP


Re: HijackThis Thread

Thank you so much for the help. Here is the log information you requested:

Combofix Log:

"User" - 2007-10-20 18:56:00 - ComboFix 07-07-17.8 - Service Pack 2 FAT32
Command switches used :: /killall


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\User\APPLIC~1.\scurit~1
C:\DOCUME~1\User\APPLIC~1.\sstem~1
C:\DOCUME~1\User\MYDOCU~1.\icroso~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\sks~1\n?lookup.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\sstem~1
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\Program Files\ystem3~1
C:\Program Files\ystem3~1\fast.exe
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\dobe~1
C:\WINDOWS\dobe~1\m?config.exe
C:\WINDOWS\ppatch~1
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\wnsapiisv32.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\VXNlcg\asappsrv.dll
C:\WINDOWS\VXNlcg\command.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))


2007-10-20 19:04 <DIR> d--hs---- C:\FOUND.014
2007-10-20 18:53 60,928 --a------ C:\WINDOWS\SYSTEM32\bvdnsbm.dll
2007-10-20 18:53 <DIR> d-------- C:\Program Files\ISM2
2007-10-17 11:43 35,840 -ra------ C:\WINDOWS\tsitra72.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 02:03:14 -------- d-----w C:\Program Files\Common Files\?ppPatch
2007-07-31 02:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-22 20:54:58 1,099,570 ----a-w C:\WINDOWS\system32\dn224c1e06.dat
2007-07-22 20:12:26 97,312 ----a-w C:\bmgenkji3.exe
2007-07-22 20:12:22 100,920 ----a-w C:\bmgenkji2.exe
2007-07-22 20:11:42 99,848 ----a-w C:\bmgenkji1.exe
2007-07-22 20:10:38 544,768 ----a-w C:\WINDOWS\ytfse.exe
2001-07-15 04:16:22 266 --sh--w C:\Program Files\desktop.ini
2001-07-15 04:16:22 11,079 ---h--w C:\Program Files\folder.htt
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\VXNlcg\prh5w0.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
C:\WINDOWS\system32\d3acdb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
2007-10-15 13:42 192512 --a------ C:\Program Files\ISM\BndDrive7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
2007-07-11 13:02 192512 --a------ C:\Program Files\ISM\BndDrive.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3056695-CE91-404e-BD3B-62A4A3E6ADFD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFED3F50-D194-FE61-BB28-FF8A32F52EB9}]
2007-10-18 07:22 60928 --a------ C:\WINDOWS\system32\bvdnsbm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D11FCCFD-479A-417a-9633-CBDD600E2C6C}]
2007-07-12 03:19 18944 --a------ C:\WINDOWS\system32\geyrr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 11:10]
"AtiPTA"="atiptaxx.exe" [2001-09-15 01:15 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"WT GameChannel"="C:\Program Files\WildTangent\Apps\GameChannel.exe" [2002-12-03 17:24]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-09-18 01:59]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 09:41]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [2003-02-22 15:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-08 18:58]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-20 23:07]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 05:05]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 06:36]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-12 20:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2003-02-22 15:42]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 06:04]
"Irdr"="C:\PROGRA~1\YSTEM3~1\fast.exe" []
"Fvfmsyvt"="C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe" []
"Duogpd"="C:\Program Files\Common Files\??sks\n?lookup.exe" []
"omuu"="C:\PROGRA~1\COMMON~1\omuu\omuum.exe" [2006-07-19 14:56]
"ISMModule7"="C:\Program Files\ISM\ISMModule7.exe" [2007-10-15 05:38]
"Bxvhv"="C:\WINDOWS\?dobe\m?config.exe" []
"ISMPack7"="C:\Program Files\ISM2\ISMPack7.exe" [2007-10-16 08:10]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [1999-02-17 20:05:56]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-02-22 15:42:19]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"="C:\WINDOWS\system32\d3acdb.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adaptec DirectCD"=C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
"CreateCD"=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"KAZAA"=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AtiPTA"=Atiptaxx.exe
"TEST"=D:\AUTO.EXE
"CountrySelection"=pctptt.exe
"PTSNOOP"=ptsnoop.exe

*Newly Created Service* - PGFILTER

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}
RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

Contents of the 'Scheduled Tasks' folder
2007-09-02 06:00:02 C:\WINDOWS\tasks\Tune-up Application Start.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 19:05:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software
disk error: C:\Documents and Settings\User\ntuser.dat
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-10-20 19:08:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-20 19:08
C:\ComboFix2.txt ... 2007-07-22 14:00

--- E O F ---



SDFix Log:


SDFix: Version 1.110

Run by User on Sat 10/20/2007 at 07:17 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
msupdate

ImagePath:
c:\windows\system32\msvcrtd.exe

msupdate - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\retadpu72.exe.tmp - Deleted
C:\A.tmp - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b103.exe - Deleted
C:\WINDOWS\b128.exe - Deleted
C:\WINDOWS\system32\geyrr.dll - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\msvcrtd.exe - Deleted
C:\WINDOWS\system32\ps.dat - Deleted
C:\WINDOWS\system32\q24m.dll - Deleted
C:\WINDOWS\system32\w1m.dll - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 22 Jul 2007 593,920 ..SH. --- "C:\WINDOWS\WEB\tfppm3.dll"
Sun 4 Jun 2006 4,348 ..SH. --- "C:\WINDOWS\All Users\DRM\DRMv1.bak"
Tue 17 Sep 2002 28,160 ...H. --- "C:\Documents and Settings\User\My Documents\~WRL0850.tmp"
Mon 2 Oct 2006 50,280 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 18 Sep 2002 28,160 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0003.tmp"

Finished!



Deckard Log:


Deckard's System Scanner v20071014.68
Run by User on 2007-10-20 19:34:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
55: 2007-10-21 02:34:11 UTC - RP1378 - Deckard's System Scanner Restore Point
54: 2007-09-04 14:26:14 UTC - RP1377 - System Checkpoint
53: 2007-09-03 14:08:55 UTC - RP1376 - System Checkpoint
52: 2007-09-02 13:53:22 UTC - RP1375 - System Checkpoint
51: 2007-09-01 12:29:52 UTC - RP1374 - System Checkpoint


-- First Restore Point --
1: 2007-06-07 21:08:50 UTC - RP1324 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.74 GiB (less than 15%) free.


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:18 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\winntify.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\omuu\omuum.exe
C:\Program Files\ISM\ISMModule7.exe
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\COMMON~1\omuu\omuua.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.runsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.runsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\o075tmrp.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {BFED3F50-D194-FE61-BB28-FF8A32F52EB9} - C:\WINDOWS\system32\bvdnsbm.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Irdr] "C:\PROGRA~1\YSTEM3~1\fast.exe" -vt yazb
O4 - HKCU\..\Run: [Fvfmsyvt] "C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe"
O4 - HKCU\..\Run: [Duogpd] "C:\Program Files\Common Files\??sks\n?lookup.exe"
O4 - HKCU\..\Run: [omuu] C:\PROGRA~1\COMMON~1\omuu\omuum.exe
O4 - HKCU\..\Run: [ISMModule7] "C:\Program Files\ISM\ISMModule7.exe"
O4 - HKCU\..\Run: [Bxvhv] C:\WINDOWS\?dobe\m?config.exe
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/w...oft/wtinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}: NameServer = 194.54.90.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DFE1CED-9749-4838-91AD-47CCA52C5D74}: NameServer = 194.54.90.238
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}: NameServer = 194.54.90.238
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9055 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,17
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,16


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PxHelper - c:\windows\system32\drivers\pxhelper.sys <Not Verified; VERITAS Software, Inc.; PxHelp20>
R3 Eplpdx02 - c:\windows\system32\drivers\eplpdx02.sys <Not Verified; MK Systems CO., LTD.; MK Systems LPT I/O Driver for Windows2000>
R3 pgfilter - c:\program files\peerguardian2\pgfilter.sys

S3 atimtag - c:\windows\system32\drivers\atimtag.sys (file missing)
S3 catchme - c:\docume~1\user\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
R2 Winnotify (Windows Notification Service) - c:\windows\system32\winntify.exe -srv <Not Verified; Microsoft Corporation; Microsoft® DRM>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-09-01 23:00:02 502 --a------ C:\WINDOWS\Tasks\Tune-up Application Start.job


-- Files created between 2007-09-20 and 2007-10-20 -----------------------------

2007-10-20 19:16:22 0 d-------- C:\WINDOWS\ERUNT
2007-10-20 19:04:46 0 d--hs---- C:\FOUND.014
2007-10-20 18:53:35 0 d-------- C:\Program Files\ISM2
2007-10-20 18:53:16 60928 --a------ C:\WINDOWS\system32\bvdnsbm.dll
2007-10-17 11:43:44 35840 -ra------ C:\WINDOWS\tsitra72.exe


-- Find3M Report ---------------------------------------------------------------

2007-08-23 19:03:14 0 d-------- C:\Program Files\Common Files\?ppPatch
2007-07-22 13:54:58 1099570 --a------ C:\WINDOWS\system32\dn224c1e06.dat
2007-07-22 13:10:38 544768 --a------ C:\WINDOWS\ytfse.exe
2007-07-22 13:09:48 0 --a------ C:\WINDOWS\runnen


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
10/15/2007 01:42 PM 192512 --a------ C:\Program Files\ISM\BndDrive7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
07/11/2007 01:02 PM 192512 --a------ C:\Program Files\ISM\BndDrive.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFED3F50-D194-FE61-BB28-FF8A32F52EB9}]
10/18/2007 07:22 AM 60928 --a------ C:\WINDOWS\system32\bvdnsbm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [10/16/2001 11:10 AM]
"AtiPTA"="atiptaxx.exe" [09/15/2001 01:15 AM C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"WT GameChannel"="C:\Program Files\WildTangent\Apps\GameChannel.exe" [12/03/2002 05:24 PM]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [09/18/2001 01:59 AM]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [09/19/2001 09:41 AM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [02/22/2003 03:42 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/08/2006 06:58 PM]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [07/20/2005 11:07 PM]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [08/01/2005 05:05 AM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [07/12/2005 06:36 AM]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [10/31/2005 11:05 AM]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [10/31/2005 11:18 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/23/2006 03:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/12/2006 08:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [02/22/2003 03:42 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [09/18/2005 06:40 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [02/14/2007 06:04 AM]
"Irdr"="C:\PROGRA~1\YSTEM3~1\fast.exe" []
"Fvfmsyvt"="C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe" []
"Duogpd"="C:\Program Files\Common Files\??sks\n?lookup.exe" []
"omuu"="C:\PROGRA~1\COMMON~1\omuu\omuum.exe" [07/19/2006 02:56 PM]
"ISMModule7"="C:\Program Files\ISM\ISMModule7.exe" [10/15/2007 05:38 AM]
"Bxvhv"="C:\WINDOWS\?dobe\m?config.exe" []
"ISMPack7"="C:\Program Files\ISM2\ISMPack7.exe" [10/16/2007 08:10 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [2/17/1999 8:05:56 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2/22/2003 3:42:19 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adaptec DirectCD"=C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
"CreateCD"=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"KAZAA"=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AtiPTA"=Atiptaxx.exe
"TEST"=D:\AUTO.EXE
"CountrySelection"=pctptt.exe
"PTSNOOP"=ptsnoop.exe




-- End of Deckard's System Scanner: finished at 2007-10-20 19:36:37 ------------




Thanks again for your help. If there is anything else you need, let me know.

Reggie
Attached Files
File Type: txt extra.txt (11.7 KB, 1 views)
Old 10-20-2007, 10:14 PM   #4
forhockey
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7

Re: HijackThis Thread

Hi reggieblack,

This is going to take a few more stages, as we start to clean the remnants of the mess which was on your computer. Please stick with me until I say your machine is clean.

--------------------------------------------------------------

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

--------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Internet Speed Monitor
Kazaa Media Desktop 2.0.2 <<< known to bundle malware inside its install files.
Viewpoint Manager
Viewpoint Media Player <<< this is considered foistware instead of malware since it is installed without the user's approval, but doesn't spy or do anything "bad". Read this article: http://www.clickz.com/news/article.php/3561546

Additional info: http://vil.nai.com/vil/content/v_137262.htm

Optional Removal

WildTangent GameChannel
WildTangent Web Driver

*** WildTangent's privacy policy used to state they also collect and share individuals' information, but that is no longer the case ***

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\WINDOWS\system32\bvdnsbm.dll
C:\WINDOWS\tsitra72.exe
C:\WINDOWS\system32\dn224c1e06.dat
C:\WINDOWS\ytfse.exe
C:\WINDOWS\runnen

Folder::
C:\PROGRA~1\COMMON~1\omuu
C:\FOUND.014
C:\Program Files\ISM2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFED3F50-D194-FE61-BB28-FF8A32F52EB9}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Irdr"=-
"Fvfmsyvt"=-
"Duogpd"=-
"omuu"=-
"ISMModule7"=-
"Bxvhv"=-
"ISMPack7"=-
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.runsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.runsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/w...oft/wtinst.cab

Please remember to close all other windows, including browsers then click Fix checked.

--------------------------------------------------------------

No AntiVirus Onboard

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available: Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

--------------------------------------------------------------

Restart the computer after installing an Anti-Virus

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

--------------------------------------------------------------

Please update me on how your system is behaving.


--------------------------------------------------------------

Please reply back with the following:

C:\ComboFix.txt
New HiJackThis Log
__________________


Proud Member of ASAP
Proud Member of UNITE


Last edited by forhockey; 10-20-2007 at 10:16 PM.
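A small triage script, added here as an example (not the forum's, HijackThis's or ComboFix's own code), that reads HijackThis v2 lines in the shape of the logs in this thread and flags the kinds of entries forhockey pulled into the fix list: start/search URLs pointing at hosts outside an allowlist, the BHO with no name, and autorun paths containing characters HijackThis could not render; it also lists any O17 NameServer override for manual review. The allowlist KNOWN_GOOD_HOSTS and the rule set are assumptions of the example.

```python
"""Triage HijackThis v2 log lines with rules drawn from the fix list in this thread."""
import re
from urllib.parse import urlsplit

# Hosts accepted as start/search pages. This allowlist is an assumption of the example,
# not a HijackThis feature; use your own list when triaging a real log.
KNOWN_GOOD_HOSTS = {"www.espn.com", "rd.yahoo.com", "www.google.com"}

# Constructed sample: lines copied from the logs in this thread, abbreviated.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BFED3F50-D194-FE61-BB28-FF8A32F52EB9} - C:\WINDOWS\system32\bvdnsbm.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Fvfmsyvt] "C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe"
O4 - HKCU\..\Run: [Irdr] "C:\PROGRA~1\YSTEM3~1\fast.exe" -vt yazb
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}: NameServer = 194.54.90.238
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Line shapes of the HijackThis entries handled here.
RE_ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
RE_R_VALUE = re.compile(r"^(?P<key>.+?) = (?P<value>.+)$")
RE_O2_BHO = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RE_O4_RUN = re.compile(r"^HK\S*\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
RE_O17_NS = re.compile(r"NameServer = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
RE_EXE_END = re.compile(r"\.(?:exe|dll|com|bat|vbs)\b", re.IGNORECASE)


def executable_path(cmd):
    """Extract the program path from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut after the executable's extension
    # rather than at the first space.
    m = RE_EXE_END.search(cmd)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def looks_unrenderable(path):
    """'?' is not a legal character in a Windows file name, so HijackThis printing one
    means it could not render the real character: a look-alike folder such as
    '?icrosoft', exactly the kind of entry removed in this thread."""
    return "?" in path or any(ord(ch) > 127 for ch in path)


def triage(log_text):
    """Return (section, label, reason) tuples for the entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = RE_ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            # Only http(s) values are judged; about:blank and local pages are defaults.
            kv = RE_R_VALUE.match(body)
            if kv and kv.group("value").lower().startswith(("http://", "https://")):
                host = urlsplit(kv.group("value")).hostname or ""
                if host not in KNOWN_GOOD_HOSTS:
                    setting = kv.group("key").rsplit(",", 1)[-1]
                    findings.append((section, setting,
                                     f"browser setting points at unexpected host {host}"))
        elif section == "O2":
            bho = RE_O2_BHO.match(body)
            if bho and bho.group("name") == "(no name)":
                findings.append((section, bho.group("path"), "BHO registered without a name"))
        elif section == "O4":
            run = RE_O4_RUN.match(body)
            if run and looks_unrenderable(executable_path(run.group("cmd"))):
                findings.append((section, run.group("label"),
                                 "autorun path contains a character HijackThis could not render"))
        elif section == "O17":
            ns = RE_O17_NS.search(body)
            if ns:
                findings.append((section, ns.group("ip"),
                                 "DNS server overridden in the registry; confirm it is your own resolver"))
    return findings


if __name__ == "__main__":
    for section, label, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {label:<45} {reason}")
```

The Irdr entry (fast.exe under a short-name-mangled folder) is deliberately left in the sample: these rules do not catch it, which shows that a script like this narrows the list but does not replace the human review done in this thread.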
Old 10-21-2007, 08:01 PM   #5
Registered User
Join Date: Oct 2007
Posts: 10
OS: XP

Re: HijackThis Thread

forhockey,

Thanks for your help; my system is running much better. I installed AVG virus protection and it found 59 threats! I also did what you said and got the ComboFix and HijackThis logfiles. Here they are:

Combo Fix:

"User" - 2007-10-21 13:54:25 - ComboFix 07-07-17.8 - Service Pack 2 FAT32
Command switches used :: C:\Documents and Settings\User\Desktop\SFScript.txt


((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))


2007-10-20 19:33 <DIR> d-------- C:\Deckard
2007-10-20 19:16 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-20 19:04 <DIR> d--hs---- C:\FOUND.014
2007-10-20 18:53 60,928 --a------ C:\WINDOWS\SYSTEM32\bvdnsbm.dll
2007-10-17 11:43 35,840 -ra------ C:\WINDOWS\tsitra72.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 02:03:14 -------- d-----w C:\Program Files\Common Files\?ppPatch
2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 02:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-22 20:54:58 1,099,570 ----a-w C:\WINDOWS\system32\dn224c1e06.dat
2007-07-22 20:12:26 97,312 ----a-w C:\bmgenkji3.exe
2007-07-22 20:12:22 100,920 ----a-w C:\bmgenkji2.exe
2007-07-22 20:11:42 99,848 ----a-w C:\bmgenkji1.exe
2007-07-22 20:10:38 544,768 ----a-w C:\WINDOWS\ytfse.exe
2001-07-15 04:16:22 266 --sh--w C:\Program Files\desktop.ini
2001-07-15 04:16:22 11,079 ---h--w C:\Program Files\folder.htt
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\VXNlcg\prh5w0.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
C:\Program Files\ISM\BndDrive.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFED3F50-D194-FE61-BB28-FF8A32F52EB9}]
2007-10-18 07:22 60928 --a------ C:\WINDOWS\system32\bvdnsbm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 11:10]
"AtiPTA"="atiptaxx.exe" [2001-09-15 01:15 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-09-18 01:59]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 09:41]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [2003-02-22 15:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-08 18:58]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-20 23:07]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 05:05]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 06:36]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-12 20:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2003-02-22 15:42]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 06:04]
"Irdr"="C:\PROGRA~1\YSTEM3~1\fast.exe" []
"Fvfmsyvt"="C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe" []
"Duogpd"="C:\Program Files\Common Files\??sks\n?lookup.exe" []
"omuu"="C:\PROGRA~1\COMMON~1\omuu\omuum.exe" [2006-07-19 14:56]
"Bxvhv"="C:\WINDOWS\?dobe\m?config.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [1999-02-17 20:05:56]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-02-22 15:42:19]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adaptec DirectCD"=C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
"CreateCD"=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"KAZAA"=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AtiPTA"=Atiptaxx.exe
"TEST"=D:\AUTO.EXE
"CountrySelection"=pctptt.exe
"PTSNOOP"=ptsnoop.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}
RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

Contents of the 'Scheduled Tasks' folder
2007-09-02 06:00:02 C:\WINDOWS\tasks\Tune-up Application Start.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 13:55:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software
disk error: C:\Documents and Settings\USER\ntuser.dat
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-10-21 13:56:44
C:\ComboFix-quarantined-files.txt ... 2007-10-21 13:56
C:\ComboFix3.txt ... 2007-07-22 14:00
C:\ComboFix2.txt ... 2007-10-20 19:08

--- E O F ---


Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:00 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\o075tmrp.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {BFED3F50-D194-FE61-BB28-FF8A32F52EB9} - C:\WINDOWS\system32\bvdnsbm.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Irdr] "C:\PROGRA~1\YSTEM3~1\fast.exe" -vt yazb
O4 - HKCU\..\Run: [Fvfmsyvt] "C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe"
O4 - HKCU\..\Run: [Duogpd] "C:\Program Files\Common Files\??sks\n?lookup.exe"
O4 - HKCU\..\Run: [Bxvhv] C:\WINDOWS\?dobe\m?config.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}: NameServer = 194.54.90.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DFE1CED-9749-4838-91AD-47CCA52C5D74}: NameServer = 194.54.90.238
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}: NameServer = 194.54.90.238
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - -
C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel,
Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Windows Notification Service
(Winnotify) - Unknown owner -
C:\WINDOWS\System32\winntify.exe (file missing)

--
End of file - 7815 bytes


It still seems like the biggest problem I am having is using internet explorer. I can't do any searches on google and there are several websites I can't go to (I am accessing tech support forum on my laptop).

If you need anything else, let me know.

Reggie
Old 10-22-2007, 08:09 PM   #6 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: HijackThis Thread

Could you please repost the above logs. Make sure "Word Wrap" is off.

Format -> Word Wrap (make sure no check mark)

It will make reading your logs a lot easier.

Thanks
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 10-24-2007, 05:34 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: XP


Re: HijackThis Thread

Here are the files with wrap text off:

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:00 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\o075tmrp.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {BFED3F50-D194-FE61-BB28-FF8A32F52EB9} - C:\WINDOWS\system32\bvdnsbm.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Irdr] "C:\PROGRA~1\YSTEM3~1\fast.exe" -vt yazb
O4 - HKCU\..\Run: [Fvfmsyvt] "C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe"
O4 - HKCU\..\Run: [Duogpd] "C:\Program Files\Common Files\??sks\n?lookup.exe"
O4 - HKCU\..\Run: [Bxvhv] C:\WINDOWS\?dobe\m?config.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}: NameServer = 194.54.90.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DFE1CED-9749-4838-91AD-47CCA52C5D74}: NameServer = 194.54.90.238
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}: NameServer = 194.54.90.238
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Windows Notification Service (Winnotify) - Unknown owner - C:\WINDOWS\System32\winntify.exe (file missing)

--
End of file - 7815 bytes


Combo Fix:

"User" - 2007-10-21 13:54:25 - ComboFix 07-07-17.8 - Service Pack 2 FAT32
Command switches used :: C:\Documents and Settings\User\Desktop\SFScript.txt


((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))


2007-10-20 19:33 <DIR> d-------- C:\Deckard
2007-10-20 19:16 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-20 19:04 <DIR> d--hs---- C:\FOUND.014
2007-10-20 18:53 60,928 --a------ C:\WINDOWS\SYSTEM32\bvdnsbm.dll
2007-10-17 11:43 35,840 -ra------ C:\WINDOWS\tsitra72.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 02:03:14 -------- d-----w C:\Program Files\Common Files\?ppPatch
2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 02:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-22 20:54:58 1,099,570 ----a-w C:\WINDOWS\system32\dn224c1e06.dat
2007-07-22 20:12:26 97,312 ----a-w C:\bmgenkji3.exe
2007-07-22 20:12:22 100,920 ----a-w C:\bmgenkji2.exe
2007-07-22 20:11:42 99,848 ----a-w C:\bmgenkji1.exe
2007-07-22 20:10:38 544,768 ----a-w C:\WINDOWS\ytfse.exe
2001-07-15 04:16:22 266 --sh--w C:\Program Files\desktop.ini
2001-07-15 04:16:22 11,079 ---h--w C:\Program Files\folder.htt
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\VXNlcg\prh5w0.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
C:\Program Files\ISM\BndDrive.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFED3F50-D194-FE61-BB28-FF8A32F52EB9}]
2007-10-18 07:22 60928 --a------ C:\WINDOWS\system32\bvdnsbm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 11:10]
"AtiPTA"="atiptaxx.exe" [2001-09-15 01:15 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-09-18 01:59]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 09:41]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [2003-02-22 15:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-08 18:58]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-20 23:07]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 05:05]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 06:36]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-12 20:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2003-02-22 15:42]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 06:04]
"Irdr"="C:\PROGRA~1\YSTEM3~1\fast.exe" []
"Fvfmsyvt"="C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe" []
"Duogpd"="C:\Program Files\Common Files\??sks\n?lookup.exe" []
"omuu"="C:\PROGRA~1\COMMON~1\omuu\omuum.exe" [2006-07-19 14:56]
"Bxvhv"="C:\WINDOWS\?dobe\m?config.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [1999-02-17 20:05:56]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-02-22 15:42:19]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adaptec DirectCD"=C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
"CreateCD"=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"KAZAA"=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AtiPTA"=Atiptaxx.exe
"TEST"=D:\AUTO.EXE
"CountrySelection"=pctptt.exe
"PTSNOOP"=ptsnoop.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}
RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

Contents of the 'Scheduled Tasks' folder
2007-09-02 06:00:02 C:\WINDOWS\tasks\Tune-up Application Start.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 13:55:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software
disk error: C:\Documents and Settings\USER\ntuser.dat
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-10-21 13:56:44
C:\ComboFix-quarantined-files.txt ... 2007-10-21 13:56
C:\ComboFix3.txt ... 2007-07-22 14:00
C:\ComboFix2.txt ... 2007-10-20 19:08

--- E O F ---


Thanks again,

Reggie
Old 10-25-2007, 08:13 PM   #8 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: HijackThis Thread

Hi Reggie

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Please submit this file to: http://www.bleepingcomputer.com/subm....php?channel=4

C:\WINDOWS\VXNlcg\prh5w0.vbs

Please include a link to this topic in the message.

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\WINDOWS\SYSTEM32\bvdnsbm.dll
C:\WINDOWS\tsitra72.exe
C:\WINDOWS\system32\dn224c1e06.dat
C:\bmgenkji3.exe
C:\bmgenkji2.exe
C:\bmgenkji1.exe
C:\WINDOWS\ytfse.exe
C:\Program Files\desktop.ini
C:\Program Files\folder.htt

Folder::
C:\FOUND.014
C:\WINDOWS\VXNlcg
C:\PROGRA~1\COMMON~1\omuu

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Irdr"=-
"Fvfmsyvt"=-
"Duogpd"=-
"omuu"=-
"Bxvhv"=-
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Open My Computer. Select the View menu and click Folder Options. Select the View Tab then select Show all files in the Hidden files section. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

--------------------------------------------------------------

Delete the following Folder indicated in BLUE

C:\Program Files\Common Files\?ppPatch <-- The question mark can be any character before "ppPatch"

--------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------

Please reply back with the following:

C:\ComboFix.txt
Panda Online Scan Results
Old 10-28-2007, 04:54 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: XP


Re: HijackThis Thread

forhockey,

I tried performing the first step, but my web browser will not let me access www.bleepingcomputer.com. In fact, I have been communicating with you through my laptop as there are several websites that I still can't access.

However, the file you mentioned has been quarantined by AVG virus scan. I don't know if that makes a difference or not.

Anyways, I followed all of the other steps. Here is the ComboFix log file:



"User" - 2007-10-28 14:30:09 - ComboFix 07-07-17.8 - Service Pack 2 FAT32
Command switches used :: C:\ComboFix\cfsscript


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))


2007-10-28 14:20 6,021,344 --a------ C:\Firefox Setup 2.0.0.8.exe
2007-10-21 14:13 29,530,464 --a------ C:\avg75free_488a1157.exe
2007-10-20 19:33 <DIR> d-------- C:\Deckard
2007-10-20 19:16 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-20 19:04 <DIR> d--hs---- C:\FOUND.014
2007-10-20 18:53 60,928 --a------ C:\WINDOWS\SYSTEM32\bvdnsbm.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 02:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2001-07-15 04:16:22 266 --sh--w C:\Program Files\desktop.ini
2001-07-15 04:16:22 11,079 ---h--w C:\Program Files\folder.htt
2007-07-22 20:10:50 593,920 --sh--w C:\WINDOWS\WEB\tfppm3.dll
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\VXNlcg\prh5w0.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
C:\Program Files\ISM\BndDrive.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFED3F50-D194-FE61-BB28-FF8A32F52EB9}]
2007-10-18 07:22 60928 --a------ C:\WINDOWS\system32\bvdnsbm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 11:10]
"AtiPTA"="atiptaxx.exe" [2001-09-15 01:15 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-09-18 01:59]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 09:41]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [2003-02-22 15:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-08 18:58]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-20 23:07]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 05:05]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 06:36]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-12 20:48]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 09:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2003-02-22 15:42]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 06:04]
"Irdr"="C:\PROGRA~1\YSTEM3~1\fast.exe" []
"Fvfmsyvt"="C:\Documents and Settings\User\My Documents\?icrosoft\w?auclt.exe" []
"Duogpd"="C:\Program Files\Common Files\??sks\n?lookup.exe" []
"Bxvhv"="C:\WINDOWS\?dobe\m?config.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [1999-02-17 20:05:56]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-02-22 15:42:19]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adaptec DirectCD"=C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
"CreateCD"=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"KAZAA"=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AtiPTA"=Atiptaxx.exe
"TEST"=D:\AUTO.EXE
"CountrySelection"=pctptt.exe
"PTSNOOP"=ptsnoop.exe

*Newly Created Service* - PGFILTER

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}
RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

Contents of the 'Scheduled Tasks' folder
2007-09-02 06:00:02 C:\WINDOWS\tasks\Tune-up Application Start.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 14:31:59
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software
disk error: C:\Documents and Settings\USER\ntuser.dat
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-10-28 14:32:46
C:\ComboFix-quarantined-files.txt ... 2007-10-28 14:32

--- E O F ---


Here is the Panda Scan File:



Incident Status Location

Adware:adware/cws.oslogo Not disinfected C:\Documents and Settings\User\Favorites\Free Porn Links Seven Days a week.url
Dialer:dialer.bny Not disinfected c:\windows\PCCONFIG.DAT
Adware:adware/cydoor Not disinfected c:\windows\system\AdCache
Adware:adware/searchexplorer Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_classes_root\clsid\{3EEC42B5-FB94-40D3-A588-BB54B383A7CB}
Adware:adware/xrenoder Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Adware:adware/ieplugin Not disinfected Windows Registry
Adware:adware/mediatickets Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\BDEDATA2.DLL
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\BDEFDI.DLL
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\BDELOAD.DLL
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\bdedownloader.dll
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\bdeverify.exe
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\bdeverify.dll
Virus:Generic Malware Disinfected C:\WINDOWS\SYSTEM32\bdesecureinstall.exe
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\bdeinstall.exe
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\BDESac10.dll
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\bde3d_ref2.dll
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\BDERastDx6_30002.dll
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM32\bdeinsta25.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\WEB\TFPPM3.DLL
Virus:Trj/Seeker.X Disinfected C:\WINDOWS\SP.DLL
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NIRCMD.EXE
Adware:Adware/CommAd Not disinfected C:\WINDOWS\VXNlcg\PRH5W0.VBS
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\BDE\Cache\bdedetect1.dll
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\BDE\bdeplayer2.dll
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\BDE\BDEEngine2.dll
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\BDE\BDEIMAGE.DLL
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\BDE\npbdplay2.dll
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\BDE\bdeviewer.exe
Virus:Generic Trojan Disinfected C:\WINDOWS\WT\wtupdates\wtwebdriver\FILES\2.2.0.100\wthostctl.dll
Virus:Generic Malware Disinfected C:\WINDOWS\WT\wtupdates\wtwebdriver\FILES\3.1.0.037\NPWTHOST.DLL
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\OMUU\OMUUD\OMUUC.DLL
Adware:Adware/Zango Not disinfected C:\Program Files\Netscape\Netscape 6\Plugins\NPCLNTAX.DLL
Virus:Trj/Downloader.MDW Not disinfected C:\C.TMP[BndDrive.dll]
Spyware:Cookie/Go Not disinfected C:\FOUND.013\FILE0000.CHK
Spyware:Cookie/Go Not disinfected C:\FOUND.014\FILE0000.CHK
Spyware:Cookie/Go Not disinfected C:\FOUND.004\FILE0000.CHK
Spyware:Cookie/Go Not disinfected C:\FOUND.006\FILE0000.CHK
Spyware:Cookie/Go Not disinfected C:\FOUND.007\FILE0000.CHK
Spyware:Cookie/Go Not disinfected C:\FOUND.008\FILE0000.CHK
Spyware:Cookie/Go Not disinfected C:\FOUND.010\FILE0000.CHK
Spyware:Cookie/Go Not disinfected C:\FOUND.011\FILE0000.CHK
Adware:Adware/DollarRevenue Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\atmtd.dll.vir
Adware:Adware/DollarRevenue Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\atmtd.dll._.vir
Adware:Adware/Sqwire Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tsuninst.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\opmkjh.dll.vir
Adware:Adware/SearchAid Not disinfected C:\QooBox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir
Adware:Adware/CommAd Not disinfected C:\QooBox\Quarantine\C\WINDOWS\VXNlcg\command.exe.vir
Adware:Adware/CommAd Not disinfected C:\QooBox\Quarantine\C\WINDOWS\VXNlcg\asappsrv.dll.vir
Adware:Adware/DeluxeComunications Not disinfected C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir
Adware:Adware/PurityScan Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\SKS~1\n?lookup.exe.vir
Adware:Adware/SearchAid Not disinfected C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir
Adware:Adware/Winpopup Not disinfected C:\QooBox\Quarantine\C\Program Files\WinPop\winpop.exe.vir
Spyware:Cookie/Go Not disinfected C:\FOUND.012\FILE0000.CHK
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\User\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Virus:Generic Malware Disinfected C:\Documents and Settings\User\Desktop\My Shared Folder\KazaaUpdate151.exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[17].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[18].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[24].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\User\Cookies\user@azjmp[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\User\Cookies\user@com[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[8].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[23].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\User\Cookies\user@entrepreneur[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\User\Cookies\user@fortunecity[1].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\User\Cookies\user@sexlist[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\User\Cookies\user@errorsafe[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\User\Cookies\user@cs.sexcounter[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Cookies\user@serving-sys[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Cookies\user@bs.serving-sys[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[22].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\User\Cookies\user@adserver.easyad[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\User\Cookies\user@ads.addynamix[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\User\Cookies\user@counter6.sextracker[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\User\Cookies\user@statcounter[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\User\Cookies\user@as-eu.falkag[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\User\Cookies\user@klik.klikadvertising[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\User\Cookies\user@desktop.kazaa[3].txt
Spyware:Cookie/7search Not disinfected C:\Documents and Settings\User\Cookies\user@7search[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\User\Cookies\user@enhance[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\User\Cookies\user@go.winantispyware[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\User\Cookies\user@winantispyware[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\User\Cookies\user@adtech[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[14].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[7].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\User\Cookies\user@paycounter[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\User\Cookies\user@bluestreak[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\User\Cookies\user@counter13.sextracker[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\User\Cookies\user@statse.webtrendslive[2].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\User\Cookies\user@bfast[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\User\Cookies\user@2o7[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[20].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\User\Cookies\user@www.burstbeacon[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\User\Cookies\user@targetsaver[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\User\Cookies\user@findwhat[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\User\Cookies\user@adrevolver[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\User\Cookies\user@tribalfusion[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\User\Cookies\user@zedo[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\User\Cookies\user@adultfriendfinder[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\User\Cookies\user@ccbill[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\User\Cookies\user@counter12.sextracker[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\User\Cookies\user@ehg-dig.hitbox[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\User\Cookies\user@adrevolver[3].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\User\Cookies\user@advertising[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\User\Cookies\user@counter15.sextracker[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\User\Cookies\user@247realmedia[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\User\Cookies\user@sextracker[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\User\Cookies\user@burstnet[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\User\Cookies\user@fastclick[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\User\Cookies\user@atwola[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\User\Cookies\user@casalemedia[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\User\Cookies\user@questionmarket[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\User\Cookies\user@trafficmp[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\User\Cookies\user@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\User\Cookies\user@server.iad.liveperson[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\User\Cookies\user@ads.pointroll[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\User\Cookies\user@counter7.sextracker[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[19].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[4].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[3].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[13].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[5].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[6].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[11].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[9].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[12].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[16].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[10].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[15].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Profiles\DEFAULT\O075TMRP.SLT\COOKIES.TXT[.doubleclick.net/]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\APPS\Process.exe



I deleted the ppPatch file and made sure that all hidden files were being shown.

Reggie
Old 10-29-2007, 03:27 PM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: HijackThis Thread

Hi Reggie

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com...Fixwareout.exe
  • Save it to your desktop and run it.
  • Click "Next", then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin: Please follow the prompts.
  • You will be asked to reboot your computer: Please do so.
  • Your system may take longer than usual to load and this is normal.
Once the desktop loads, post the text that will open (report.txt).

---------------------------------------------------------------

Can you make sure that when you save the text file you save it as CFScript?

The past two times I've had you run the script you have been saving the text file wrong (see below).

Quote:
"User" - 2007-10-21 13:54:25 - ComboFix 07-07-17.8 - Service Pack 2 FAT32
Command switches used :: C:\Documents and Settings\User\Desktop\SFScript.txt
Quote:
"User" - 2007-10-28 14:30:09 - ComboFix 07-07-17.8 - Service Pack 2 FAT32
Command switches used :: C:\ComboFix\cfsscript
--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\WINDOWS\SYSTEM32\bvdnsbm.dll
C:\WINDOWS\tsitra72.exe
C:\WINDOWS\system32\dn224c1e06.dat
C:\bmgenkji3.exe
C:\bmgenkji2.exe
C:\bmgenkji1.exe
C:\WINDOWS\ytfse.exe
C:\Program Files\desktop.ini
C:\Program Files\folder.htt
C:\Documents and Settings\User\Favorites\Free Porn Links Seven Days a week.url
c:\windows\PCCONFIG.DAT
C:\WINDOWS\SYSTEM32\BDEDATA2.DLL
C:\WINDOWS\SYSTEM32\BDEFDI.DLL
C:\WINDOWS\SYSTEM32\BDELOAD.DLL
C:\WINDOWS\SYSTEM32\bdedownloader.dll
C:\WINDOWS\SYSTEM32\bdeverify.exe
C:\WINDOWS\SYSTEM32\bdeverify.dll
C:\WINDOWS\SYSTEM32\bdeinstall.exe
C:\WINDOWS\SYSTEM32\BDESac10.dll
C:\WINDOWS\SYSTEM32\bde3d_ref2.dll
C:\WINDOWS\SYSTEM32\BDERastDx6_30002.dll
C:\WINDOWS\SYSTEM32\bdeinsta25.dll
C:\WINDOWS\WEB\TFPPM3.DLL
C:\Program Files\Netscape\Netscape 6\Plugins\NPCLNTAX.DLL
C:\C.TMP

Folder::
C:\FOUND.013
C:\FOUND.014
C:\FOUND.004
C:\FOUND.006
C:\FOUND.007
C:\FOUND.008
C:\FOUND.010
C:\FOUND.011
C:\FOUND.012
C:\WINDOWS\VXNlcg
C:\PROGRA~1\COMMON~1\omuu
c:\windows\system\AdCache
C:\WINDOWS\BDE

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Irdr"=-
"Fvfmsyvt"=-
"Duogpd"=-
"omuu"=-
"Bxvhv"=-
[-hkey_classes_root\clsid\{3EEC42B5-FB94-40D3-A588-BB54B383A7CB}]
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

--------------------------------------------------------------

Please reply back with the following:

C:\fixwareout\report.txt
C:\ComboFix.txt
Fresh HiJackThis Log

Last edited by forhockey; 10-29-2007 at 03:31 PM.
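An added example (not code from this thread, ComboFix or Panda): a small Python script that reads a Panda ActiveScan report in the layout Reggie posted and a CFScript in the layout forhockey posted, and reports which detections the script's File::/Folder:: entries cover and which are dealt with elsewhere (already disinfected by Panda, registry-only, already in ComboFix's QooBox quarantine, helper programs packed inside the removal tools, tracking cookies) or are not covered at all. The sample report lines and the CFScript excerpt are constructed from entries quoted in this thread; the bucketing rules are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the Panda ActiveScan layout used in this thread:
# "<Category>:<Detection> <Status> <Location>". Entries are taken from the
# report above; the selection is this example's own.
PANDA_REPORT = r"""
Adware:adware/cydoor Not disinfected c:\windows\system\AdCache
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\WEB\TFPPM3.DLL
Virus:Trj/Seeker.X Disinfected C:\WINDOWS\SP.DLL
Spyware:Cookie/Go Not disinfected C:\FOUND.013\FILE0000.CHK
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt
Adware:adware/searchexplorer Not disinfected Windows Registry
Adware:Adware/DollarRevenue Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\atmtd.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\User\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NIRCMD.EXE
Virus:Trj/Downloader.MDW Not disinfected C:\C.TMP[BndDrive.dll]
Adware:Adware/Zango Not disinfected C:\Program Files\Netscape\Netscape 6\Plugins\NPCLNTAX.DLL
"""

# Constructed CFScript excerpt in the layout forhockey posted (sections end in "::").
CFSCRIPT = r"""
KILLALL::

File::
C:\WINDOWS\WEB\TFPPM3.DLL
C:\Program Files\Netscape\Netscape 6\Plugins\NPCLNTAX.DLL
C:\C.TMP

Folder::
C:\FOUND.013
c:\windows\system\AdCache
"""

PANDA_LINE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)
# Panda reports a detection inside a container as "<container>[<member>]".
ARCHIVE_MEMBER = re.compile(r"^(?P<container>.+)\[(?P<member>[^\]]+)\]$")
REMOVAL_TOOLS = ("combofix.exe", "sdfix.exe")  # tools the helper had Reggie run
BUCKETS = ("disinfected", "registry", "quarantined", "tool_component",
           "scripted", "cookie", "not_in_script")


def parse_panda(text):
    """Return one dict per well-formed report line; other lines are skipped."""
    items = []
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def parse_cfscript(text):
    """Return {section: [entries]} for a CFScript; a section header ends in '::'."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def split_container(location):
    """Split 'C:\\C.TMP[BndDrive.dll]' into ('C:\\C.TMP', 'BndDrive.dll')."""
    m = ARCHIVE_MEMBER.match(location)
    return (m.group("container"), m.group("member")) if m else (location, None)


def is_covered(location, script):
    """True when a File:: entry names the path or a Folder:: entry contains it."""
    path = PureWindowsPath(split_container(location)[0].lower())
    files = {PureWindowsPath(f.lower()) for f in script.get("File", [])}
    folders = [PureWindowsPath(f.lower()) for f in script.get("Folder", [])]
    return path in files or any(d == path or d in path.parents for d in folders)


def triage(report_text, script_text):
    """Sort every detection into the bucket that says who deals with it."""
    script = parse_cfscript(script_text)
    buckets = {b: [] for b in BUCKETS}
    for item in parse_panda(report_text):
        loc = item["location"]
        low = loc.lower()
        container, member = split_container(loc)
        if item["status"] == "Disinfected":
            bucket = "disinfected"       # Panda already cleaned it
        elif low == "windows registry" or low.startswith("hkey_"):
            bucket = "registry"          # needs a Registry:: entry, not a path
        elif low.startswith("c:\\qoobox\\quarantine\\"):
            bucket = "quarantined"       # ComboFix already moved it aside
        elif member and container.lower().endswith(REMOVAL_TOOLS):
            bucket = "tool_component"    # helper packed inside the removal tool
        elif is_covered(loc, script):
            bucket = "scripted"          # File:: or Folder:: entry handles it
        elif item["name"].lower().startswith("cookie/"):
            bucket = "cookie"            # tracking cookie; cleared via the browser
        else:
            bucket = "not_in_script"     # worth a second look by the helper
        buckets[bucket].append(loc)
    return buckets


if __name__ == "__main__":
    for bucket, locations in triage(PANDA_REPORT, CFSCRIPT).items():
        print(f"{bucket} ({len(locations)})")
        for loc in locations:
            print("   ", loc)
```

Run against the full report and script from this thread, the "not_in_script" bucket is the list a helper would re-check before posting the next set of instructions.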
Old 10-29-2007, 07:15 PM   #11 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: XP


Re: HijackThis Thread

forhockey,

Here are the new logfiles.

fixwareout log:

Username "User" - 10/29/2007 18:24:57 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3E0FFA7D-7D9B-4C2B-8C43-110E4E644DEC}
"nameserver"="194.54.90.238" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7DFE1CED-9749-4838-91AD-47CCA52C5D74}
"nameserver"="194.54.90.238" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Ink Monitor"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe"
"AtiPTA"="atiptaxx.exe"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"lxcgmon.exe"="\"C:\\Program Files\\Lexmark 2300 Series\\lxcgmon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 2300 Series\\ezprint.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"DIGServices"="C:\\Program Files\\ESPNRunTime\\DIGServices.exe /brand=ESPN /priority=0 /poll=24"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Irdr"="\"C:\\PROGRA~1\\YSTEM3~1\\fast.exe\" -vt yazb"
"Fvfmsyvt"="\"C:\\Documents and Settings\\User\\My Documents\\?icrosoft\\w?auclt.exe\""
"Duogpd"="\"C:\\Program Files\\Common Files\\??sks\\n?lookup.exe\""
"Bxvhv"="C:\\WINDOWS\\?dobe\\m?config.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Combofix logfile:


"User" - 2007-10-29 18:40:02 - ComboFix 07-07-17.8 - Service Pack 2 FAT32
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\C.TMP
C:\Documents and Settings\User\Favorites\Free Porn Links Seven Days a week.url
C:\FOUND.004
C:\FOUND.004\FILE0000.CHK
C:\FOUND.006
C:\FOUND.006\FILE0000.CHK
C:\FOUND.007
C:\FOUND.007\FILE0000.CHK
C:\FOUND.008
C:\FOUND.008\FILE0000.CHK
C:\FOUND.010
C:\FOUND.010\FILE0000.CHK
C:\FOUND.011
C:\FOUND.011\FILE0000.CHK
C:\FOUND.012
C:\FOUND.012\FILE0000.CHK
C:\FOUND.013
C:\FOUND.013\FILE0000.CHK
C:\FOUND.014
C:\FOUND.014\FILE0000.CHK
C:\PROGRA~1\COMMON~1\omuu
C:\PROGRA~1\COMMON~1\omuu\omuua.lck
C:\PROGRA~1\COMMON~1\omuu\omuud\class-barrel
C:\PROGRA~1\COMMON~1\omuu\omuud\omuuc.dll
C:\PROGRA~1\COMMON~1\omuu\omuud\vocabulary
C:\PROGRA~1\COMMON~1\omuu\omuuh
C:\PROGRA~1\COMMON~1\omuu\omuul.lck
C:\PROGRA~1\COMMON~1\omuu\omuum.lck
C:\Program Files\desktop.ini
C:\Program Files\folder.htt
C:\Program Files\Netscape\Netscape 6\Plugins\NPCLNTAX.DLL
C:\WINDOWS\BDE
C:\WINDOWS\BDE\b3dlogo\b3d.b3d
C:\WINDOWS\BDE\bdeclean.exe
C:\WINDOWS\BDE\BDEEngine2.dll
C:\WINDOWS\BDE\bdeimage.dll
C:\WINDOWS\BDE\bdeplayer2.dll
C:\WINDOWS\BDE\bdeviewer.exe
C:\WINDOWS\BDE\Cache\b3d.b3d
C:\WINDOWS\BDE\Cache\b3dstats.cab
C:\WINDOWS\BDE\Cache\bdeclean.exe
C:\WINDOWS\BDE\Cache\bdedetect1.dll
C:\WINDOWS\BDE\Cache\infowin1.bmp
C:\WINDOWS\BDE\Cache\infowin1.txt
C:\WINDOWS\BDE\Cache\infowin1a.txt
C:\WINDOWS\BDE\Cache\infowin2.txt
C:\WINDOWS\BDE\Cache\infowin3.txt
C:\WINDOWS\BDE\Cache\installb3d3101.cab
C:\WINDOWS\BDE\Cache\installb3d3105.cab
C:\WINDOWS\BDE\Cache\installb3dcodecs.cab
C:\WINDOWS\BDE\Cache\installb3dplayer3101.cab
C:\WINDOWS\BDE\Cache\installb3drasts.cab
C:\WINDOWS\BDE\Cache\installb3dviewer2.cab
C:\WINDOWS\BDE\Cache\installNSplugins.cab
C:\WINDOWS\BDE\Cache\playb3d1s.cab
C:\WINDOWS\BDE\Cache\playb3d3200.cab
C:\WINDOWS\BDE\Cache\syscheckb3dplayer.cab
C:\WINDOWS\BDE\movies\casino2\CASINO_1ST.dat
C:\WINDOWS\BDE\movies\casino2\casino2.b3d
C:\WINDOWS\BDE\movies\casino2\NOCLICK.dat
C:\WINDOWS\BDE\movies\casino2\SCENE_3.dat
C:\WINDOWS\BDE\movies\casino2\SCENE2.dat
C:\WINDOWS\BDE\movies\casino2\SPIN1.dat
C:\WINDOWS\BDE\movies\casino2\SPIN2.dat
C:\WINDOWS\BDE\movies\casinosky\casinosky.b3d
C:\WINDOWS\BDE\movies\fortunesky\fortunesky.b3d
C:\WINDOWS\BDE\movies\fortunesky2\fortunesky2.b3d
C:\WINDOWS\BDE\movies\goldenstarsky\goldenstarsky.b3d
C:\WINDOWS\BDE\mskin\config3.ini
C:\WINDOWS\BDE\mskin\mskin.bmp
C:\WINDOWS\BDE\npbdplay2.dll
C:\WINDOWS\BDE\Update\setup.cab
C:\WINDOWS\BDE\Update\zget.cab
C:\WINDOWS\BDE\Update\zslot1.cab
C:\WINDOWS\BDE\Update\zuninstall.cab
C:\WINDOWS\BDE\Update\zupdate.exe
c:\windows\PCCONFIG.DAT
c:\windows\system\AdCache
c:\windows\system\AdCache\B_253_0_4_539900.GIF
c:\windows\system\AdCache\B_438300.HTM
c:\windows\system\AdCache\B_498900.HTM
c:\windows\system\AdCache\B_528500.HTM
C:\WINDOWS\SYSTEM32\bde3d_ref2.dll
C:\WINDOWS\SYSTEM32\BDEDATA2.DLL
C:\WINDOWS\SYSTEM32\bdedownloader.dll
C:\WINDOWS\SYSTEM32\BDEFDI.DLL
C:\WINDOWS\SYSTEM32\bdeinsta25.dll
C:\WINDOWS\SYSTEM32\bdeinstall.exe
C:\WINDOWS\SYSTEM32\BDELOAD.DLL
C:\WINDOWS\SYSTEM32\BDERastDx6_30002.dll
C:\WINDOWS\SYSTEM32\BDESac10.dll
C:\WINDOWS\SYSTEM32\bdeverify.dll
C:\WINDOWS\SYSTEM32\bdeverify.exe
C:\WINDOWS\SYSTEM32\bvdnsbm.dll
C:\WINDOWS\system32\dn224c1e06.dat
C:\WINDOWS\VXNlcg
C:\WINDOWS\VXNlcg\prh5w0.vbs
C:\WINDOWS\WEB\TFPPM3.DLL


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))


2007-10-29 18:22 486,449 --a------ C:\Fixwareout.exe
2007-10-28 14:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-10-28 14:20 6,021,344 --a------ C:\Firefox Setup 2.0.0.8.exe
2007-10-21 14:13 29,530,464 --a------ C:\avg75free_488a1157.exe
2007-10-20 19:33 <DIR> d-------- C:\Deckard
2007-10-20 19:16 <DIR> d-------- C:\WINDOWS\ERUNT


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 02:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
C:\Program Files\ISM\BndDrive.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFED3F50-D194-FE61-BB28-FF8A32F52EB9}]
C:\WINDOWS\system32\bvdnsbm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 11:10]
"AtiPTA"="atiptaxx.exe" [2001-09-15 01:15 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-09-18 01:59]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 09:41]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [2003-02-22 15:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-08 18:58]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-20 23:07]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 05:05]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 06:36]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-12 20:48]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 09:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2003-02-22 15:42]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 06:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [1999-02-17 20:05:56]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-02-22 15:42:19]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adaptec DirectCD"=C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
"CreateCD"=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"KAZAA"=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AtiPTA"=Atiptaxx.exe
"TEST"=D:\AUTO.EXE
"CountrySelection"=pctptt.exe
"PTSNOOP"=ptsnoop.exe

*Newly Created Service* - PGFILTER

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}
RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

Contents of the 'Scheduled Tasks' folder
2007-09-02 06:00:02 C:\WINDOWS\tasks\Tune-up Application Start.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-29 18:42:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software
disk error: C:\Documents and Settings\USER\ntuser.dat
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-10-29 18:43:26
C:\ComboFix2.txt ... 2007-10-28 14:32
C:\ComboFix-quarantined-files.txt ... 2007-10-29 18:43

--- E O F ---


Hijackthis Logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 737 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\o075tmrp.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {BFED3F50-D194-FE61-BB28-FF8A32F52EB9} - C:\WINDOWS\system32\bvdnsbm.dll (file missing)
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Windows Notification Service (Winnotify) - Unknown owner - C:\WINDOWS\System32\winntify.exe (file missing)

--
End of file - 7375 bytes



Also, like I wrote before, I can't access several websites through Internet Explorer (for instance, techsupportforum and Bleeping Computer) on my infected computer. Do you know if I would have better success with a different browser, such as Mozilla?

Reggie
Old 10-29-2007, 09:05 PM   #12 (permalink)
forhockey
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7

Re: HijackThis Thread

Hi Reggie,

Let's try doing the following:

1. Restart your computer.
2. Go to Start -> Run, then type cmd in the textbox and click OK.
3. Type ipconfig /flushdns, then hit the [Enter] button on your keyboard. Note: there is a space between the "g" and the "/".

------------------------------------------------------------------------------

Then try visiting the following links. Let me know if you are able to visit them.

TSF

BC

If you still are unable to view the webpages, then try Mozilla Firefox.
Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 10-29-2007 at 09:21 PM.
Old 10-31-2007, 06:02 PM   #13 (permalink)
reggieblack
Registered User
Join Date: Oct 2007
Posts: 10
OS: XP

Re: HijackThis Thread

Forhockey,

I can finally visit techsupportforum from my PC!! Thank you for your help. Is there anything else I need to do or I need to know, or is my computer finally clean?

Reggie
Old 11-01-2007, 06:07 PM   #14 (permalink)
forhockey
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7

Re: HijackThis Thread

Hi Reggie,

Great news!!! There are still a few things we need to address, and then you'll be set to go.

----------------------------------------------------

Delete the following file (Fixwareout.exe) and folders:

C:\Fixwareout.exe
C:\fixwareout
C:\ComboFix
C:\Deckard
C:\SDFix
C:\QooBox


--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O2 - BHO: (no name) - {BFED3F50-D194-FE61-BB28-FF8A32F52EB9} - C:\WINDOWS\system32\bvdnsbm.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

--------------------------------------------------------------

Well done, your logs are clean! There are just a few more things I would like you to do.


Reset Hidden/System Files and Folders
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Advanced settings box option select the following:
    - Hide extensions for known file types
    - Hide protected operating system files
    - Do not show hidden files and folders.
  • Click OK.

Reset System Restore

To turn off System Restore, click Start, right-click My Computer, and click Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

Turn on System Restore by clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply, and then OK.

This will create a new Restore Point.

Clear Firefox Cookies
  • Click Tools -> Options
  • Click Privacy Tab
  • Click the "Show Cookies" button
  • Click the "Remove All Cookies" button, which is at the bottom of the window.
  • Click Close

Clear IE6 cookies
  1. On the Internet Explorer 6 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
  2. On the General tab, in the Temporary Internet Files section, click the Delete Files button. This will delete all the files that are currently stored in your cache [that includes cookies too].
  3. Click OK, and then click OK again.

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Here is an installation guide -> http://www.techsupportforum.com/cont...ticles/63.html
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls


Informational Reading

In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:
Please respond to this thread one more time so we can mark this thread as resolved.
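An added example to go with the MVPS HOSTS step in the post above; it is not code from the thread or from the MVPS project. The HOSTS file that step replaces is consulted before DNS, so it is worth auditing whenever a cleanup is being wrapped up. A legitimate blocklist entry points a name at a sink-hole address (0.0.0.0 or 127.0.0.1); an entry that points a name at any other address redirects that site, and a sink-hole entry for a site you actually need silently blocks it. The sample HOSTS text is constructed (192.0.2.x is the IPv4 documentation range), the watchlist of sites to protect is the analyst's own and seeded with the two sites named in this thread, and the thread itself does not say what caused Reggie's blocked sites.

```python
"""Audit a Windows HOSTS file: legitimate block entries versus redirects.

Added example, not code from the thread or from the MVPS project. The sample
HOSTS text is constructed; 192.0.2.x is the IPv4 documentation range.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Addresses a blocklist such as the MVPS file legitimately points names at.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Sites a cleanup should never find black-holed or redirected: the two named
# in this thread. The analyst's own list, not something the page supplies.
WATCHLIST = ("techsupportforum.com", "bleepingcomputer.com")

SAMPLE_HOSTS = """\
# Constructed sample HOSTS file for this example.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.doubleclick.net        # MVPS-style block entry
0.0.0.0         adserver.example          # constructed block entry
127.0.0.1       www.example-ads.test      # older-style block entry, also fine
192.0.2.10      www.techsupportforum.com  # constructed redirect to a foreign address
192.0.2.10      www.bleepingcomputer.com  # constructed redirect
127.0.0.1       forums.bleepingcomputer.com   # constructed: a watched site black-holed
"""


@dataclass(frozen=True)
class HostEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> List[HostEntry]:
    """One HostEntry per (address, hostname) pair; comments and junk skipped."""
    entries: List[HostEntry] = []
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))   # normalises, rejects junk
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append(HostEntry(n, addr, name.lower()))
    return entries


def on_watchlist(hostname: str, watchlist: Iterable[str] = WATCHLIST) -> bool:
    """True for a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def audit(text: str, watchlist: Iterable[str] = WATCHLIST) -> Dict[str, List[HostEntry]]:
    """Bucket entries: local, block (harmless), blocked_watchlist, redirect."""
    buckets: Dict[str, List[HostEntry]] = {
        "local": [], "block": [], "blocked_watchlist": [], "redirect": []}
    for e in parse_hosts(text):
        if e.hostname in LOCAL_NAMES:
            buckets["local"].append(e)
        elif e.address not in SINKHOLES:
            # A name sent to a real address by HOSTS never reaches DNS: the
            # browser lands wherever that address says, with no visible sign.
            buckets["redirect"].append(e)
        elif on_watchlist(e.hostname, watchlist):
            buckets["blocked_watchlist"].append(e)
        else:
            buckets["block"].append(e)
    return buckets


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_HOSTS).items():
        for e in items:
            print(f"{kind:18} line {e.line_no:3}  {e.address:12} {e.hostname}")
```

On a real machine read C:\WINDOWS\system32\drivers\etc\hosts into the audit; the "redirect" and "blocked_watchlist" buckets are what to look at, while a long "block" bucket is exactly what a freshly installed MVPS file looks like.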
Old 11-07-2007, 04:18 AM   #15 (permalink)
reggieblack
Registered User
Join Date: Oct 2007
Posts: 10
OS: XP

Re: HijackThis Thread

forhockey,

Thanks again for the help. I installed the spyware software you recommended and it is all up and running. I hope I never have to go through something like this ever again.

Reggie
Old 11-07-2007, 07:48 PM   #16 (permalink)
forhockey
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7

Re: HijackThis Thread

You're welcome. Safe surfin

Copyright 2001 - 2009, Tech Support Forum