Old 11-09-2008, 07:05 AM   #1 (permalink)
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Unwanted popups and malware in the system

Hello TSF Team,

I get many unwanted popups and the system has some viruses in it. Suddenly I get some audio turned on automatically. Here is the log.txt as follows:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Cav.Bal at 2008-11-09 14:01:08
Microsoft Windows XP Professional Service Pack 2
System drive C: has 5 GB (13%) free of 38 GB
Total RAM: 502 MB (30% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:01, on 2008-11-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
c:\window\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ManageSoft\Launcher\mgsdl.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\openFT\bin\SECSERV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\openFT\bin\NEACTRLS.EXE
C:\WINNT\TEMP\NT4C4C.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\inf\svchoct.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Sie\Card API\bin\siecacst.exe
C:\Program Files\OfficeScan NT\Pop3Trap.exe
C:\Program Files\Sie\CAT Bulletin Board\CBB.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\mabidwe.exe
C:\WINNT\system32\soxpeca.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\cavitha.balamurugesa\Desktop\gmer.exe
C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe
C:\Program Files\ManageSoft\Launcher\ndlaunch.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Documents and Settings\cav.bal\Desktop\RSIT.exe
C:\users\Mah\software\Cav.Bal.exe
C:\WINNT\system32\udxfytw.sys

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pacs.erl.sbs.de/sbs.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.sie.net:80;https=mddmproxy.gb001.sie.net:80;ftp=mddmproxy.gb001.sie.net:80;gopher=localhost:1;socks=proxy1.sbs.sie.co.uk:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.sitest.net;*.sie.net;*.sie.de;<local>
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\Program Files\Ahead\\Nero\NeroCheck.exe
O4 - HKLM\..\Run: [DirXconnect settings] C:\\PROGRA~1\SIE\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Sie\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [JavaProfileFix3] "C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe"
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yt8a] C:\WINNT\system32\yt8a.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe
O4 - HKLM\..\Policies\Explorer\Run: [mainyust] C:\WINNT\system32\inf\svchoct.exe C:\WINNT\wftadfi16_081027a.dll tan16d
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/members/
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1176402450038
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\Software\..\Telephony: DomainName = GB001.sie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GB001.sie.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINNT\system32\afisicx.exe
O23 - Service: CatSystem (CatSystemSvc) - Sie - C:\WINNT\CatPC\CATSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - -C:\WINNT\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ipx/ip Service (ipxlauncher) - Unknown owner - c:\window\svchost.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINNT\system32\mabidwe.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ManageSoft Peer-to-Peer Download Service (mgsdl) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\mgsdl.exe
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINNT\system32\noytcyr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: openFT Server (openFT FTNEA) - Sie Computers - C:\Program Files\openFT\bin\NEACTRLS.EXE
O23 - Service: openFT Security Server - Sie Computers - C:\Program Files\openFT\bin\SECSERV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINNT\system32\roytctm.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINNT\system32\soxpeca.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINNT\system32\spoolsv.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINNT\system32\tdydowkc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINNT\system32\wsldoekd.exe

--
End of file - 11066 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-09-29 1082880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
SpywareGuardDLBLOCK.CBrowserHelper - C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 192512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"=C:\WINNT\System32\hkcmd.exe [2003-01-24 114688]
"RightFAX Print-to-Fax Driver"=C:\Program Files\RightFax\\FaxCtrl.exe [2003-07-17 114688]
"Synchronization Manager"=C:\WINNT\system32\mobsync.exe [2004-08-04 143360]
"NeroCheck"=C:\Program Files\Ahead\\Nero\NeroCheck.exe [2001-07-09 155648]
"DirXconnect settings"=C:\\PROGRA~1\SIE\DIRXDI~1\dxdSetup.exe [2000-03-21 106561]
"OfficeScanNT Monitor"=C:\Program Files\OfficeScan NT\pccntmon.exe [2007-01-08 356429]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2004-09-07 77824]
"Java Profiles Fix"=C:\Program Files\Java\Profile Fix\Java_Profile.exe [2003-04-30 32768]
"JavaProfileFix2"=C:\Program Files\Java\Profile Fix\Java_Profile_2.exe [2004-03-04 36864]
"SIECACST"=C:\Program Files\Sie\Card API\bin\siecacst.exe [2005-02-01 45056]
"Discovery User Input"=c:\Discovery\User Input\userin32.exe [2005-11-10 212992]
"JavaProfileFix3"=C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe [2005-12-06 53248]
"Migrator"=C:\Program Files\CryptoEx\Migrator\Migrator.exe [2004-10-26 290816]
"CryptoExTrayV3"=C:\Program Files\CryptoEx\Common\CexTray.exe [2005-03-01 909312]
"SchedulingAgent_nDG"=C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe [2006-07-27 1183744]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 155648]
"PaperPort PTD"=C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [2005-03-17 57393]
"IndexSearch"=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [2005-03-17 40960]
"BrMfcWnd"=C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-03-28 622592]
"SetDefPrt"=C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe [2005-01-26 49152]
"ControlCenter3"=C:\Program Files\Brother\ControlCenter3\brctrcen.exe [2006-04-10 61440]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0\bin\jusched.exe [2008-01-09 77824]
"KernelFaultCheck"=C:\WINNT\system32\dumprep 0 -k []
"yt8a"=C:\WINNT\system32\yt8a.exe [2008-10-25 68832]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"mainyust"=C:\WINNT\system32\inf\svchoct.exe [2004-08-04 33280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe /background []
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2007-03-27 4670968]
"CatUserRun"=exec32 /wh /c chgreg5 /c []
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe [2004-08-04 15360]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-09-29 21755688]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\WINNT\system32\Macromed\Flash\GetFlash.exe [2003-09-04 94208]

C:\Documents and Settings\cav.bal\Start Menu\Programs\Startup
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CexTrayWinLogon]
C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll [2005-01-26 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINNT\system32\igfxsrvc.dll [2003-01-24 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=C:\Program Files\SpywareGuard\spywareguard.dll [2003-08-02 126976]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConnectHomeDirToRoot"=0
"HideLogonScripts"=0
"EnableProfileQuota"=1
"ProfileQuotaMessage"=You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"=10240
"WarnUserTimeout"=15
"RunStartupScriptSync"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"disablecad"=0
"dontdisplaylastusername"=1
"legalnoticecaption"=This is the Sie Network.
"legalnoticetext"=This computer is connected to the Sie Network. Please confirm you are an authorised user of this system by clicking on the OK button below to proceed. Otherwise press Ctrl + Alt + Delete.
"RunStartupScriptSync"=1
"MaxGPOScriptWait"=1800

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"Btn_Back"=0
"Btn_Forward"=0
"Btn_Stop"=0
"Btn_Refresh"=0
"Btn_Home"=0
"Btn_Search"=0
"Btn_History"=0
"Btn_Favorites"=0
"Btn_Media"=0
"Btn_Folders"=0
"Btn_Fullscreen"=0
"Btn_Tools"=0
"Btn_MailNews"=0
"Btn_Size"=0
"Btn_Print"=0
"Btn_Edit"=0
"Btn_Discussions"=0
"Btn_Cut"=0
"Btn_Copy"=0
"Btn_Paste"=0
"Btn_Encoding"=0
"Btn_PrintPreview"=0
"NoFavoritesMenu"=0
"NoLogoff"=0
"NoDrives"=0
"NoDeletePrinter"=0
"NoAddPrinter"=0
"NoPrinterTabs"=0
"PromptRunasInstallNetPath"=1
"MemCheckBoxInRunDlg"=1
"DisallowCpl"=1
"NoThumbnailCache"=1
"ForceStartMenuLogOff"=1
"NoResolveSearch"=1
"NoResolveTrack"=1
"GreyMSIAds"=1
"NoRecentDocsNetHood"=1
"DisablePersonalDirChange"=1
"NoDesktopCleanupWizard"=1
"NoWelcomeScreen"=1
"NoAutoUpdate"=1
"StartRunNoHOMEPATH"=1
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"NoDesktop"=0
"NoFind"=0
"NoRun"=0
"NoSetActiveDesktop"=0
"NoWindowsUpdate"=0
"NoFolderOptions"=0
"NoClose"=0
"NoSetFolders"=0
"NoTrayContextMenu"=0
"NoViewContextMenu"=0
"EnforceShellExtensionSecurity"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoPublishingWizard"=
"NoWebServices"=
"NoOnlinePrintsWizard"=
"NoWelcomeScreen"=
"NoMSAppLogo5ChannelNotify"=
"NoDriveAutoRun"=
"NoToolbarCustomize"=
"NoBandCustomize"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\WINNT\TEMP\down.exe"="C:\WINNT\TEMP\down.exe:*:Enabled:Microsoft Windows Update Platform"
"C:\WINNT\system32\yt8a.exe"="C:\WINNT\system32\yt8a.exe:*:Enabled:Microsoft Windows Update Platform"
"C:\WINNT\system32\1024\SVCHOST.EXE"="C:\WINNT\system32\1024\SVCHOST.EXE:*:Enabled:SVCHOST.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Yahoo!\Messenger\ypager.exe"="C:\Program Files\Yahoo!\Messenger\ypager.exe:*:Enabled:Yahoo! Messenger"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.js - edit -
.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2008-11-09 12:31:50 ----A---- C:\WINNT\system32\mywfhit.ini.tmp
2008-11-09 12:31:47 ----A---- C:\WINNT\system32\fhattach.dll
2008-11-09 12:31:46 ----SHD---- C:\window
2008-11-09 12:31:43 ----A---- C:\WINNT\system32\IPHACTION.dll
2008-11-09 12:31:38 ----A---- C:\WINNT\system32\IpSvchostF.dll
2008-11-09 12:31:35 ----A---- C:\WINNT\system32\iphy.dll
2008-11-09 12:31:35 ----A---- C:\WINNT\system32\IPHOST.dll
2008-11-09 12:31:35 ----A---- C:\WINNT\system32\fhpatch.dll
2008-11-09 12:31:35 ----A---- C:\WINNT\system32\_proxy.dll
2008-11-06 20:56:16 ----A---- C:\WINNT\dcbdcatys32_081027a.dll
2008-10-30 07:43:16 ----A---- C:\WINNT\wftadfi16_081027a.dll
2008-10-26 08:42:34 ----D---- C:\WINNT\system32\1024
2008-10-25 09:04:51 ----SH---- C:\WINNT\system32\yt8a.exe
2008-10-22 17:02:52 ----AH---- C:\WINNT\system32\adubes.dll
2008-10-21 10:00:22 ----D---- C:\Documents and Settings\cav.bal\Application Data\skypePM
2008-10-21 09:56:00 ----D---- C:\Documents and Settings\cav.bal\Application Data\Skype
2008-10-21 09:55:34 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2008-10-21 09:55:20 ----D---- C:\Program Files\Google
2008-10-21 09:54:55 ----D---- C:\Program Files\Skype
2008-10-21 09:54:54 ----D---- C:\Program Files\Common Files\Skype
2008-10-21 09:54:31 ----D---- C:\Documents and Settings\All Users\Application Data\Skype

======List of files/folders modified in the last 1 months======

2008-11-09 14:01:21 ----AD---- C:\WINNT\system32
2008-11-09 14:00:39 ----D---- C:\WINNT\TEMP
2008-11-09 12:51:58 ----D---- C:\WINNT\Prefetch
2008-11-09 12:48:22 ----D---- C:\WINNT\system32\CatRoot2
2008-11-09 12:48:14 ----A---- C:\WINNT\tawisys.ini
2008-11-09 12:46:47 ----SHD---- C:\WINNT\CSC
2008-11-09 12:40:55 ----SHD---- C:\WINNT\Installer
2008-11-09 12:31:50 ----A---- C:\WINNT\system32\mywfhit.ini
2008-11-09 12:31:37 ----A---- C:\WINNT\system32\svchost.exe
2008-11-06 21:04:37 ----A---- C:\WINNT\system32\PerfStringBackup.INI
2008-11-06 20:56:16 ----D---- C:\WINNT\system32\inf
2008-11-06 20:49:30 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-06 20:48:25 ----D---- C:\Program Files\SpywareBlaster
2008-11-05 21:03:29 ----D---- C:\Program Files\SpywareGuard
2008-11-05 20:56:36 ----SHD---- C:\Config.Msi
2008-10-30 07:43:27 ----D---- C:\WINNT\system
2008-10-26 22:32:15 ----A---- C:\WINNT\ModemLog_Agere Systems AC'97 Modem.txt
2008-10-24 13:47:09 ----AD---- C:\Program Files
2008-10-23 13:53:12 ----D---- C:\WINNT\Help
2008-10-21 13:26:30 ----D---- C:\Documents and Settings\cav.bal\Application Data\Google
2008-10-21 09:54:54 ----AD---- C:\Program Files\Common Files
2008-10-21 09:51:24 ----D---- C:\users
2008-10-10 15:35:52 ----D---- C:\WINNT\Minidump

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINNT\system32\drivers\AFS2K.sys [2006-03-15 82380]
R1 intelppm;Intel Processor Driver; C:\WINNT\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R2 irda;IrDA Protocol; C:\WINNT\System32\DRIVERS\irda.sys [2004-08-03 87424]
R2 Stltrk2k;Stltrk2k; C:\WINNT\system32\drivers\Stltrk2k.sys [2002-01-24 13545]
R2 TmFilter;Trend Micro Filter; \??\C:\Program Files\OfficeScan NT\TmXPFlt.sys []
R2 TmPreFilter;Trend Micro PreFilter; \??\C:\Program Files\OfficeScan NT\TmPreFlt.sys []
R2 usbdisk;usbdisk; \??\C:\WINNT\system32\usbdisk.sys []
R2 VSApiNt;Trend Micro VSAPI NT; \??\C:\Program Files\OfficeScan NT\VSApiNt.sys []
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINNT\system32\drivers\ialmsbw.sys [2003-02-15 109344]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINNT\system32\drivers\ialmkchw.sys [2003-02-15 78336]
R3 {E2B953A6-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-A/CH-7011; C:\WINNT\system32\drivers\wA301a.sys [2003-02-15 32311]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINNT\System32\DRIVERS\AGRSM.sys [2002-11-22 1157856]
R3 Aldebaran;Aldebaran - SCSI Command Filters; C:\WINNT\System32\Drivers\Aldebaran.sys [2004-02-11 21808]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINNT\System32\DRIVERS\Apfiltr.sys [2002-01-17 56573]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINNT\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 FUJ02B1;Fujitsu FUJ02B1 Device Driver; C:\WINNT\System32\DRIVERS\FUJ02B1.sys [2001-08-01 5248]
R3 ialm;ialm; C:\WINNT\System32\DRIVERS\ialmnt5.sys [2003-02-15 89371]
R3 O2SCBUS;O2Micro SmartCardBus Reader; C:\WINNT\System32\DRIVERS\ozscr.sys [2004-08-25 92015]
R3 Rasirda;WAN Miniport (IrDA); C:\WINNT\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINNT\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINNT\System32\DRIVERS\smcirda.sys [2001-08-17 35913]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINNT\system32\drivers\STAC97.sys [2003-01-17 202480]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbehci.sys [2005-03-31 27008]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver for Windows XP; C:\WINNT\System32\DRIVERS\w70n51.sys [2006-07-13 674560]
S1 kbdhid;Keyboard HID Driver; C:\WINNT\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 BrScnUsb;Brother USB Still Image driver; C:\WINNT\system32\DRIVERS\BrScnUsb.sys [2004-10-15 15295]
S3 gmer;gmer; C:\WINNT\System32\DRIVERS\gmer.sys [2006-01-09 85969]
S3 HidUsb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINNT\System32\DRIVERS\HPZid412.sys [2003-05-14 51056]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINNT\System32\DRIVERS\HPZipr12.sys [2003-05-14 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINNT\System32\DRIVERS\HPZius12.sys [2003-05-14 21488]
S3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSIRCOMM;Microsoft IR Communications Driver; C:\WINNT\System32\DRIVERS\MSIRCOMM.sys [2004-08-03 22016]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINNT\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 U81xbus;LGE U8XXX driver (WDM); C:\WINNT\System32\DRIVERS\U81xbus.sys [2004-08-19 52352]
S3 U81xmdfl;LGE U8XXX USB WMC Modem Filter; C:\WINNT\System32\DRIVERS\U81xmdfl.sys [2004-08-19 6064]
S3 U81xmdm;LGE U8XXX USB WMC Modem Driver; C:\WINNT\System32\DRIVERS\U81xmdm.sys [2004-08-19 84480]
S3 U81xmgmt;LGE U8XXX USB WMC Device Management Drivers (WDM); C:\WINNT\System32\DRIVERS\U81xmgmt.sys [2004-08-19 77472]
S3 U81xobex;LGE U8XXX USB WMC OBEX Interface; C:\WINNT\System32\DRIVERS\U81xobex.sys [2004-08-19 75456]
S3 usbaudio;USB Audio Driver (WDM); C:\WINNT\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINNT\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINNT\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 w800bus;Sony Ericsson W800 driver (WDM); C:\WINNT\system32\DRIVERS\w800bus.sys [2005-05-24 52384]
S3 w800mdfl;Sony Ericsson W800 USB WMC Modem Filter; C:\WINNT\system32\DRIVERS\w800mdfl.sys [2005-05-24 6096]
S3 w800mdm;Sony Ericsson W800 USB WMC Modem Drivers; C:\WINNT\system32\DRIVERS\w800mdm.sys [2005-05-24 87424]
S3 w800mgmt;Sony Ericsson W800 USB WMC Device Management Drivers; C:\WINNT\system32\DRIVERS\w800mgmt.sys [2005-05-24 79216]
S3 w800obex;Sony Ericsson W800 USB WMC OBEX Interface Drivers; C:\WINNT\system32\DRIVERS\w800obex.sys [2005-05-24 77040]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 afisicx;afisicx Service; C:\WINNT\system32\afisicx.exe [2001-08-23 45056]
R2 CBBS;CAT Bulletin Board; C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe [2002-06-20 65536]
R2 ipxlauncher;Ipx/ip Service; c:\window\svchost.exe [2008-11-09 196608]
R2 Irmon;Infrared Monitor; C:\WINNT\System32\svchost.exe [2008-11-09 14336]
R2 mabidwe;mabidwe Service; C:\WINNT\system32\mabidwe.exe [2001-08-23 46592]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-19 322120]
R2 mgsdl;ManageSoft Peer-to-Peer Download Service; C:\Program Files\ManageSoft\Launcher\mgsdl.exe [2006-07-27 1286144]
R2 ndGlobalLauncher;ManageSoft installation agent; C:\Program Files\ManageSoft\Launcher\ndserv.exe [2006-07-27 2539520]
R2 ndinit;ManageSoft managed device; C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe [2006-07-27 655360]
R2 noytcyr;noytcyr Service; C:\WINNT\system32\noytcyr.exe [2001-08-23 46080]
R2 ntrtscan;OfficeScanNT RealTime Scan; C:\Program Files\OfficeScan NT\ntrtscan.exe [2007-01-08 503808]
R2 openFT FTNEA;openFT Server; C:\Program Files\openFT\bin\NEACTRLS.EXE [2002-07-09 253952]
R2 openFT Security Server;openFT Security Server; C:\Program Files\openFT\bin\SECSERV.EXE [2002-07-09 86016]
R2 roytctm;roytctm Service; C:\WINNT\system32\roytctm.exe [2001-08-23 45056]
R2 soxpeca;soxpeca Service; C:\WINNT\system32\soxpeca.exe [2001-08-23 46592]
R2 tdydowkc;tdydowkc Service; C:\WINNT\system32\tdydowkc.exe [2001-08-23 46592]
R2 tmlisten;OfficeScanNT Listener; C:\Program Files\OfficeScan NT\tmlisten.exe [2007-02-06 622680]
R2 wsldoekd;wsldoekd Service; C:\WINNT\system32\wsldoekd.exe [2001-08-23 46080]
S2 CatSystemSvc;CatSystem; C:\WINNT\CatPC\CATSYS\CatSystemSvc.exe [2006-05-02 439808]
S2 seiuctol;Security Control; C:\WINNT\system32\adubes.dll [2008-10-22 15872]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 DWMRCS;DameWare Mini Remote Control; -C:\WINNT\SYSTEM32\DWRCS.EXE -service []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2005-08-01 68096]
S3 MsDtsServer;SQL Server Integration Services; C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
S3 msftesql;SQL Server FullText Search (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [2005-08-26 92880]
S3 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]
S3 MSSQLSERVER;SQL Server (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]
S3 MSSQLServerOLAPService;SQL Server Analysis Services (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe [2005-10-14 14557912]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINNT\System32\HPZipm12.exe [2003-05-14 65795]
S3 SQLSERVERAGENT;SQL Server Agent (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE [2005-10-14 318680]
S3 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2005-10-14 87768]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 OfcPfwSvc;OfficeScanNT Personal Firewall; C:\Program Files\OfficeScan NT\OfcPfwSvc.exe [2007-01-08 233552]
S4 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2005-10-14 239320]

-----------------EOF-----------------

I have attached the gmer.txt file along with this post. Unfortunately I lost the info.txt file before I could save it.

Please let me know how I can get back my machine in working status.

Thanks,
jmash

Hello TSF Team,

Here is the info.txt file as attachment.

Thanks,
jmash
Attached Files
File Type: txt Gmer.txt (12.0 KB, 1 views)
File Type: txt info.txt (19.9 KB, 4 views)

Last edited by amateur; 11-09-2008 at 10:25 AM. Reason: merged two posts to retain 0-reply status

11-12-2008, 11:09 AM   #2
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,426
OS: XP SP3


Re: Unwanted popups and malware in the system

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.


------------------------------------------------------

Your hard drive is almost full. Having too little free space on your hard drive can compromise system performance.

Quote:
System drive C: has 5 GB (13%) free of 38 GB
I suggest you move pictures, music, etc. to an external drive or USB stick if you have one and uninstall any programs that are never or hardly ever used.

------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
new HijackThis log


If you have any questions along the way...STOP and ask them before proceeding.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
11-13-2008, 05:10 AM   #3
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Re: Unwanted popups and malware in the system

Dear Chemist,

Where do I download HijackThis.exe? You have mentioned the link to download ComboFix but not for HijackThis. Is RSIT.exe the same as HijackThis.exe?

I will run ComboFix in the meanwhile and provide you with the log.

Many thanks,
jmash
11-13-2008, 06:05 AM   #4
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Re: Unwanted popups and malware in the system

Dear Chemist,

Please let me know how to download and run HijackThis.

After I ran ComboFix it restarted the machine, and then I had to end some of the scanner software from Task Manager because ComboFix was running after the restart. So I am not sure if the following log is valid. Please check.

Meanwhile here is the ComboFix.txt:


ComboFix 08-11-11.01 - Cav.Bal 2008-11-13 12:23:40.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.136 [GMT 0:00]
Running from: c:\documents and settings\Cav.bal\Desktop\ComboFix.exe
.
The following files were disabled during the run:
c:\winnt\system32\adubes.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\BMf33cb4e5.txt
c:\winnt\BMf33cb4e5.xml
c:\winnt\dcbdcatys32_081027a.dll
c:\winnt\IE4 Error Log.txt
c:\winnt\Install.txt
c:\winnt\system\sgcxcxxaspf081027.exe
c:\winnt\system32\_proxy.dll
c:\winnt\system32\adubes.dll.vir
c:\winnt\system32\afisicx.exe
c:\winnt\system32\comsa32.sys
c:\winnt\system32\fhattach.dll
c:\winnt\system32\fhpatch.dll
c:\winnt\system32\inf\scsys16_081027.dll
c:\winnt\system32\inf\sppdcrs081027.scr
c:\winnt\system32\inf\svchoct.exe
c:\winnt\system32\IPHACTION.dll
c:\winnt\system32\IPHOST.dll
c:\winnt\system32\iphy.dll
c:\winnt\system32\IpSvchostF.dll
c:\winnt\system32\mabidwe.exe
c:\winnt\system32\MegasearchBarSetup.dlltmp
c:\winnt\system32\MSINET.oca
c:\winnt\system32\mywfhit.ini
c:\winnt\system32\mywfhit.ini.tmp
c:\winnt\system32\noytcyr.exe
c:\winnt\system32\roytctm.exe
c:\winnt\system32\soxpeca.exe
c:\winnt\system32\tdydowkc.exe
c:\winnt\system32\tmp0_644666688371.bk
c:\winnt\system32\tpszxyd.sys
c:\winnt\system32\wsldoekd.exe
c:\winnt\tawisys.ini
c:\winnt\wftadfi16_081027a.dll

Infected copy of c:\winnt\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\winnt\system32\dllcache\spoolsv.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_NOYTCYR
-------\Legacy_ROYTCTM
-------\Legacy_SEIUCTOL
-------\Legacy_SOXPECA
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_noytcyr
-------\Service_roytctm
-------\Service_seiuctol
-------\Service_soxpeca
-------\Service_tdydowkc
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-12 15:15 . 2008-11-12 21:53 <DIR> d-------- c:\program files\Visual CertExam Suite
2008-11-10 18:51 . 2008-11-10 18:51 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-10 17:52 . 2008-11-13 12:47 54,156 --ah----- c:\winnt\QTFont.qfn
2008-11-10 17:52 . 2008-11-13 12:33 1,409 --a------ c:\winnt\QTFont.for
2008-11-10 17:51 . 2008-11-10 17:51 21,504 --a------ c:\winnt\system32\2.8-Install.exe
2008-11-10 17:40 . 2008-11-10 17:40 <DIR> d-------- c:\documents and settings\All Users\~Backup
2008-11-09 12:31 . 2008-11-09 12:31 <DIR> d--hs---- C:\window
2008-10-26 08:42 . 2008-11-06 11:32 <DIR> d-------- c:\winnt\system32\1024
2008-10-26 08:42 . 2008-10-26 08:42 108,336 --a------ c:\winnt\system32\MSWINSCK.OCX
2008-10-25 09:04 . 2008-10-25 09:04 68,832 ---hs---- c:\winnt\system32\yt8a.exe
2008-10-21 10:00 . 2008-11-13 08:04 <DIR> d-------- c:\documents and settings\Cav.bal\Application Data\skypePM
2008-10-21 10:00 . 2008-10-21 10:00 56 --ah----- c:\winnt\system32\ezsidmv.dat
2008-10-21 09:56 . 2008-11-13 11:59 <DIR> d-------- c:\documents and settings\Cav.bal\Application Data\Skype
2008-10-21 09:55 . 2008-11-05 20:56 <DIR> d-------- c:\program files\Google
2008-10-21 09:54 . 2008-10-21 09:55 <DIR> d-------- c:\program files\Skype
2008-10-21 09:54 . 2008-10-21 09:54 <DIR> d-------- c:\program files\Common Files\Skype
2008-10-21 09:54 . 2008-10-21 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 12:38 --------- d-----w c:\program files\OfficeScan NT
2008-11-12 15:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 20:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 20:48 --------- d-----w c:\program files\SpywareBlaster
2008-11-05 21:03 --------- d-----w c:\program files\SpywareGuard
2008-10-06 09:04 201 ---ha-w c:\documents and settings\Cav.bal\Application Data\hpothb07.dat
2008-10-06 09:03 172 ---ha-w c:\documents and settings\Anthony.D.Roberts\hpothb07.dat
2008-10-06 09:03 0 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2006-02-13 16:20 32,064 ----a-w c:\documents and settings\Cav.bal\Application Data\GDIPFONTCACHEV1.DAT
2005-04-26 08:48 57,344 ----a-w c:\program files\internet explorer\plugins\PluginWrapper.dll
2007-04-17 20:42 32,768 --sha-w c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007041720070418\index.dat
.
c:\winnt\system32\svchost.exe ... Infected -- Win32.Qhost !!


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CatUserRun"="exec32" [X]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-01-24 114688]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\\FaxCtrl.exe" [2003-07-17 114688]
"Synchronization Manager"="c:\winnt\system32\mobsync.exe" [2004-08-04 143360]
"NeroCheck"="c:\program files\Ahead\\Nero\NeroCheck.exe" [2001-07-09 155648]
"DirXconnect settings"="c:\\PROGRA~1\Sie\DIRXDI~1\dxdSetup.exe" [2000-03-21 106561]
"OfficeScanNT Monitor"="c:\program files\OfficeScan NT\pccntmon.exe" [2007-01-08 356429]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-09-07 77824]
"Java Profiles Fix"="c:\program files\Java\Profile Fix\Java_Profile.exe" [2003-04-30 32768]
"JavaProfileFix2"="c:\program files\Java\Profile Fix\Java_Profile_2.exe" [2004-03-04 36864]
"SIECACST"="c:\program files\Sie\Card API\bin\siecacst.exe" [2005-02-01 45056]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2005-11-10 212992]
"JavaProfileFix3"="c:\program files\Java\Profile Fix\JAVA_Fix 3.exe" [2005-12-06 53248]
"Migrator"="c:\program files\CryptoEx\Migrator\Migrator.exe" [2004-10-26 290816]
"CryptoExTrayV3"="c:\program files\CryptoEx\Common\CexTray.exe" [2005-03-01 909312]
"SchedulingAgent_nDG"="c:\program files\ManageSoft\Schedule Agent\ndschedag.exe" [2006-07-27 1183744]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-01-09 77824]
"yt8a"="c:\winnt\system32\yt8a.exe" [2008-10-25 68832]

c:\documents and settings\Cav.bal\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"MaxGPOScriptWait"= 1800 (0x708)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"EnableProfileQuota"= 1 (0x1)
"ProfileQuotaMessage"= You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"= 10240 (0x2800)
"WarnUserTimeout"= 15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"StartRunNoHOMEPATH"= 1 (0x1)
"EnforceShellExtensionSecurity"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoSetActiveDesktop"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="SGPro.exe /shell"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CexTrayWinLogon]
2005-01-26 12:25 57344 c:\program files\CryptoEx\Common\CexTrayWinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=CBEShutdown.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\1\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=catstart.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\GB001.Sie.net\sysvol\GB001.Sie.net\scripts\CatPC\CAT Basic Environment\Setup\Setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=DeployCentennialAgent.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-1152\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-31563\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-34625\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-450047656-3918250416-1063027673-500\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\yt8a.exe"=


*Newly Created Service* - MACROMEDIA_LICENSING_SERVICE
*Newly Created Service* - NTRTSCAN
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Cav.bal\Application Data\Mozilla\Firefox\Profiles\r3vgz5qw.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 12:44:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\Cav.bal\Application Data\skypePM\2008-11-09-1.ezlog 62712 bytes
c:\documents and settings\Cav.bal\Application Data\skypePM\2008-11-10-2.ezlog 39080 bytes
c:\documents and settings\Cav.bal\Application Data\skypePM\2008-11-11-0.ezlog 8896 bytes
c:\documents and settings\Cav.bal\Application Data\skypePM\2008-11-11-1.ezlog 8896 bytes

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\scardsvr.exe
c:\program files\Sie\CAT Bulletin Board\CBBS.exe
c:\window\svchost.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\program files\ManageSoft\Launcher\mgsdl.exe
c:\winnt\system32\mnmsrvc.exe
c:\program files\ManageSoft\Launcher\ndserv.exe
c:\winnt\system32\rundll32.exe
c:\program files\ManageSoft\Schedule Agent\ndinit.exe
c:\program files\openft\bin\secserv.exe
c:\program files\OfficeScan NT\tmlisten.exe
c:\program files\ManageSoft\Schedule Agent\ndtask.exe
c:\program files\openft\bin\neactrls.exe
c:\winnt\TEMP\JEFAEB.EXE
c:\program files\Sie\CAT Bulletin Board\CBB.exe
c:\program files\RightFax\FaxCtrl.exe
c:\program files\CryptoEx\Common\EASServer.exe
c:\program files\ManageSoft\Schedule Agent\ndtask.exe
c:\program files\OfficeScan NT\POP3Trap.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\winnt\system32\taskmgr.exe
c:\program files\OfficeScan NT\ntrtscan.exe
.
**************************************************************************
.
Completion time: 2008-11-13 13:00:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-13 13:00:39

Pre-Run: 4,182,388,736 bytes free
Post-Run: 5,090,881,536 bytes free

313

Thanks,
jmash
11-13-2008, 09:16 AM   #5
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,426
OS: XP SP3


Re: Unwanted popups and malware in the system

Hello jmash.

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please read this: When should I re-format? How should I reinstall?

------------------------------------------------------

If you decide to reformat, stop now and let me know.

If you wish to continue to try to clean this computer, please do the following:

HijackThis is already on your system. RSIT renamed it to Cav.Bal.exe

Go Start > Run and copy/paste the following into the Run box and click OK:

C:\users\Mah\software\Cav.Bal.exe

Click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

Please close HijackThis now.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
vfind -ltf "%systemdrive%\svchost.exe" >log.txt
notepad log.txt
del peek.bat
Save this as peek.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on peek.bat and allow it to run. A Notepad file will open. Post the contents of log.txt in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
11-13-2008, 02:58 PM   #6
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Re: Unwanted popups and malware in the system

Hello Chemist,

I wish to clean this system and have taken some of your suggested actions.

I have run both HijackThis.exe and peek.bat as per your request, and the results are in the two sections below:

Section A : Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:47, on 2008-11-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
c:\window\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ManageSoft\Launcher\mgsdl.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\Program Files\openFT\bin\SECSERV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\openFT\bin\NEACTRLS.EXE
C:\WINNT\TEMP\JEFAEB.EXE
C:\Program Files\Sie\CAT Bulletin Board\CBB.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Sie\Card API\bin\siecacst.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\CryptoEx\common\CexTray.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\OfficeScan NT\Pop3Trap.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\explorer.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe
C:\users\mah\Projects\TestProvider\TestProvider\WindowsApplication1\bin\Debug\WindowsApplication1.vshost.exe
C:\users\mah\software\cav.bal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pacs.erl.sbs.de/sbs.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.Sie.net:80;https=mddmproxy.gb001.Sie.net:80;ftp=mddmproxy.gb001.Sie.net:80;gopher=localhost:1;socks=proxy1.sbs.Sie.co.uk:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.sitest.net;*.Sie.net;*.Sie.de;<local>
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\Program Files\Ahead\\Nero\NeroCheck.exe
O4 - HKLM\..\Run: [DirXconnect settings] C:\\PROGRA~1\Sie\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Sie\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [JavaProfileFix3] "C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe"
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [yt8a] C:\WINNT\system32\yt8a.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/members/
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1176402450038
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GB001.Sie.net
O17 - HKLM\Software\..\Telephony: DomainName = GB001.Sie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GB001.Sie.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GB001.Sie.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GB001.Sie.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O23 - Service: CatSystem (CatSystemSvc) - Sie AG - C:\WINNT\CatPC\CATSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - -C:\WINNT\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ipx/ip Service (ipxlauncher) - Unknown owner - c:\window\svchost.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ManageSoft Peer-to-Peer Download Service (mgsdl) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\mgsdl.exe
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
O23 - Service: openFT Server (openFT FTNEA) - Sie Computers GmbH - C:\Program Files\openFT\bin\NEACTRLS.EXE
O23 - Service: openFT Security Server - Sie Computers GmbH - C:\Program Files\openFT\bin\SECSERV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

--
End of file - 9504 bytes
Section B : peek.bat log

--sh--w 196,608 2008-11-09 12:31:43 C:\window\svchost.exe
------w 14,336 2004-08-03 23:56:58 C:\WINNT\ServicePackFiles\i386\svchost.exe
----a-w 14,336 2004-08-03 23:56:58 C:\WINNT\system32\svchost.exe
-c--a-w 14,336 2004-08-03 23:56:58 C:\WINNT\system32\dllcache\svchost.exe


Thanks,
jmash
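An added example, not part of the thread, that parses the peek.bat listing from Section B above and flags the svchost.exe copy that does not belong; it assumes (my assumption, not the helper's) that a genuine svchost.exe on this XP SP2 box lives only in system32, system32\dllcache or ServicePackFiles\i386 and that those copies are byte-identical, so the size they share is the reference size.

```python
"""
Added example (not part of the thread): parse peek.bat output and flag
copies of svchost.exe in unexpected places, with an unexpected size, or
carrying the system+hidden attribute pair that hides them from Explorer.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed from the four peek.bat lines posted in the thread.
PEEK_LOG = r"""
--sh--w 196,608 2008-11-09 12:31:43 C:\window\svchost.exe
------w 14,336 2004-08-03 23:56:58 C:\WINNT\ServicePackFiles\i386\svchost.exe
----a-w 14,336 2004-08-03 23:56:58 C:\WINNT\system32\svchost.exe
-c--a-w 14,336 2004-08-03 23:56:58 C:\WINNT\system32\dllcache\svchost.exe
"""

# Assumption: directories where a genuine svchost.exe may live on this XP install.
EXPECTED_DIRS = {
    r"c:\winnt\system32",
    r"c:\winnt\system32\dllcache",
    r"c:\winnt\servicepackfiles\i386",
}

# attrs  size  date  time  path   (attrs is the 7-letter field such as --sh--w)
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$"
)


@dataclass
class Entry:
    attrs: str
    size: int
    timestamp: str
    path: str
    flags: list = field(default_factory=list)

    @property
    def directory(self) -> str:
        # Windows path handling done by hand so this also runs on non-Windows hosts.
        return self.path.rsplit("\\", 1)[0].lower()


def parse_peek(text: str) -> list:
    """Turn peek.bat output lines into Entry objects; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(
                attrs=m["attrs"],
                size=int(m["size"].replace(",", "")),
                timestamp=f"{m['date']} {m['time']}",
                path=m["path"],
            ))
    return entries


def reference_size(entries: list):
    """Size shared by the copies in expected directories (majority vote), or None."""
    sizes = Counter(e.size for e in entries if e.directory in EXPECTED_DIRS)
    return sizes.most_common(1)[0][0] if sizes else None


def flag_entries(entries: list) -> list:
    """Attach a reason to every entry that looks wrong and return only the flagged ones."""
    ref = reference_size(entries)
    for e in entries:
        e.flags = []
        if e.directory not in EXPECTED_DIRS:
            e.flags.append("unexpected directory")
        if ref is not None and e.size != ref:
            e.flags.append(f"size {e.size} differs from reference {ref}")
        # 's' (system) together with 'h' (hidden) keeps the file out of a default Explorer view
        if "s" in e.attrs and "h" in e.attrs:
            e.flags.append("system+hidden attributes")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flag_entries(parse_peek(PEEK_LOG)):
        print(f"{e.path}  {e.size:,} bytes  {e.timestamp}  -> {'; '.join(e.flags)}")
```

Run against the posted listing it reports only C:\window\svchost.exe, for all three reasons, which is the copy the helper's CFScript later removes.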
Old 11-13-2008, 03:31 PM   #7 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,426
OS: XP SP3


Re: Unwanted popups and malware in the system

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    C:\WINNT\system32\svchost.exe

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:

    • C:\WINNT\system32\dllcache\svchost.exe
    • C:\WINNT\ServicePackFiles\i386\svchost.exe
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 11-13-2008, 03:58 PM   #8 (permalink)
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Re: Unwanted popups and malware in the system

Hello Chemist,

Result of C:\WINNT\system32\svchost.exe:
Antivirus Version Last Update Result
AhnLab-V3 2008.11.14.0 2008.11.13 -
AntiVir 7.9.0.31 2008.11.13 -
Authentium 5.1.0.4 2008.11.13 -
Avast 4.8.1248.0 2008.11.13 -
AVG 8.0.0.199 2008.11.13 -
BitDefender 7.2 2008.11.13 -
CAT-QuickHeal 10.00 2008.11.13 -
ClamAV 0.94.1 2008.11.13 -
DrWeb 4.44.0.09170 2008.11.13 -
eSafe 7.0.17.0 2008.11.13 -
eTrust-Vet 31.6.6204 2008.11.11 -
Ewido 4.0 2008.11.13 -
F-Prot 4.4.4.56 2008.11.13 -
F-Secure 8.0.14332.0 2008.11.13 -
Fortinet 3.117.0.0 2008.11.13 -
GData 19 2008.11.13 -
Ikarus T3.1.1.45.0 2008.11.13 -
K7AntiVirus 7.10.524 2008.11.13 -
Kaspersky 7.0.0.125 2008.11.13 -
McAfee 5433 2008.11.13 -
Microsoft 1.4104 2008.11.13 -
NOD32 3612 2008.11.13 -
Norman 5.80.02 2008.11.13 -
Panda 9.0.0.4 2008.11.13 -
PCTools 4.4.2.0 2008.11.13 -
Prevx1 V2 2008.11.13 -
Rising 21.03.31.00 2008.11.13 -
SecureWeb-Gateway 6.7.6 2008.11.13 -
Sophos 4.35.0 2008.11.13 -
Sunbelt 3.1.1785.2 2008.11.11 -
Symantec 10 2008.11.13 -
TheHacker 6.3.1.1.151 2008.11.13 -
TrendMicro 8.700.0.1004 2008.11.13 -
VBA32 3.12.8.9 2008.11.13 -
ViRobot 2008.11.13.1466 2008.11.13 -
VirusBuster 4.5.11.0 2008.11.13 -
Additional information
File size: 14336 bytes
MD5...: 8f078ae4ed187aaabc0a305146de6716
SHA1..: da0ff4006859a7580aba81f486f692dead2014fe
SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a
SHA512: 2f82c39b6c151d52cba42357e867910732a930a6055f6a1506d20c1044e88e6f
2cc2027a291c2ab98e21c2b35c2a957c3f5034bf975527001d927c5504776105
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1002509
timedatestamp.....: 0x41107ed6 (Wed Aug 04 06:14:46 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 6fc4d075dfb37185ffae8eacb467b822
.data 0x4000 0x1f0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
.rsrc 0x5000 0x418 0x600 2.54 2997285df9158db5a62ffb42a2fd0d07

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.a...0a305146de6716



Result of C:\WINNT\system32\dllcache\svchost.exe :

Antivirus Version Last Update Result
AhnLab-V3 2008.11.14.0 2008.11.13 -
AntiVir 7.9.0.31 2008.11.13 -
Authentium 5.1.0.4 2008.11.13 -
Avast 4.8.1248.0 2008.11.13 -
AVG 8.0.0.199 2008.11.13 -
BitDefender 7.2 2008.11.13 -
CAT-QuickHeal 10.00 2008.11.13 -
ClamAV 0.94.1 2008.11.13 -
DrWeb 4.44.0.09170 2008.11.13 -
eSafe 7.0.17.0 2008.11.13 -
eTrust-Vet 31.6.6204 2008.11.11 -
Ewido 4.0 2008.11.13 -
F-Prot 4.4.4.56 2008.11.13 -
F-Secure 8.0.14332.0 2008.11.13 -
Fortinet 3.117.0.0 2008.11.13 -
GData 19 2008.11.13 -
Ikarus T3.1.1.45.0 2008.11.13 -
K7AntiVirus 7.10.524 2008.11.13 -
Kaspersky 7.0.0.125 2008.11.13 -
McAfee 5433 2008.11.13 -
Microsoft 1.4104 2008.11.13 -
NOD32 3612 2008.11.13 -
Norman 5.80.02 2008.11.13 -
Panda 9.0.0.4 2008.11.13 -
PCTools 4.4.2.0 2008.11.13 -
Prevx1 V2 2008.11.13 -
Rising 21.03.31.00 2008.11.13 -
SecureWeb-Gateway 6.7.6 2008.11.13 -
Sophos 4.35.0 2008.11.13 -
Sunbelt 3.1.1785.2 2008.11.11 -
Symantec 10 2008.11.13 -
TheHacker 6.3.1.1.151 2008.11.13 -
TrendMicro 8.700.0.1004 2008.11.13 -
VBA32 3.12.8.9 2008.11.13 -
ViRobot 2008.11.13.1466 2008.11.13 -
VirusBuster 4.5.11.0 2008.11.13 -
Additional information
File size: 14336 bytes
MD5...: 8f078ae4ed187aaabc0a305146de6716
SHA1..: da0ff4006859a7580aba81f486f692dead2014fe
SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a
SHA512: 2f82c39b6c151d52cba42357e867910732a930a6055f6a1506d20c1044e88e6f
2cc2027a291c2ab98e21c2b35c2a957c3f5034bf975527001d927c5504776105
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1002509
timedatestamp.....: 0x41107ed6 (Wed Aug 04 06:14:46 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 6fc4d075dfb37185ffae8eacb467b822
.data 0x4000 0x1f0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
.rsrc 0x5000 0x418 0x600 2.54 2997285df9158db5a62ffb42a2fd0d07

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.a...0a305146de6716


Result of C:\WINNT\ServicePackFiles\i386\svchost.exe :

Antivirus Version Last Update Result
AhnLab-V3 2008.11.14.0 2008.11.13 -
AntiVir 7.9.0.31 2008.11.13 -
Authentium 5.1.0.4 2008.11.13 -
Avast 4.8.1248.0 2008.11.13 -
AVG 8.0.0.199 2008.11.13 -
BitDefender 7.2 2008.11.13 -
CAT-QuickHeal 10.00 2008.11.13 -
ClamAV 0.94.1 2008.11.13 -
DrWeb 4.44.0.09170 2008.11.13 -
eSafe 7.0.17.0 2008.11.13 -
eTrust-Vet 31.6.6208 2008.11.13 -
Ewido 4.0 2008.11.13 -
F-Prot 4.4.4.56 2008.11.13 -
F-Secure 8.0.14332.0 2008.11.13 -
Fortinet 3.117.0.0 2008.11.13 -
GData 19 2008.11.13 -
Ikarus T3.1.1.45.0 2008.11.13 -
K7AntiVirus 7.10.524 2008.11.13 -
Kaspersky 7.0.0.125 2008.11.13 -
McAfee 5433 2008.11.13 -
Microsoft 1.4104 2008.11.13 -
NOD32 3612 2008.11.13 -
Norman 5.80.02 2008.11.13 -
Panda 9.0.0.4 2008.11.13 -
PCTools 4.4.2.0 2008.11.13 -
Prevx1 V2 2008.11.13 -
Rising 21.03.31.00 2008.11.13 -
SecureWeb-Gateway 6.7.6 2008.11.13 -
Sophos 4.35.0 2008.11.13 -
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.13 -
TheHacker 6.3.1.1.152 2008.11.13 -
TrendMicro 8.700.0.1004 2008.11.13 -
VBA32 3.12.8.9 2008.11.13 -
ViRobot 2008.11.13.1466 2008.11.13 -
VirusBuster 4.5.11.0 2008.11.13 -
Additional information
File size: 14336 bytes
MD5...: 8f078ae4ed187aaabc0a305146de6716
SHA1..: da0ff4006859a7580aba81f486f692dead2014fe
SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a
SHA512: 2f82c39b6c151d52cba42357e867910732a930a6055f6a1506d20c1044e88e6f
2cc2027a291c2ab98e21c2b35c2a957c3f5034bf975527001d927c5504776105
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1002509
timedatestamp.....: 0x41107ed6 (Wed Aug 04 06:14:46 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 6fc4d075dfb37185ffae8eacb467b822
.data 0x4000 0x1f0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
.rsrc 0x5000 0x418 0x600 2.54 2997285df9158db5a62ffb42a2fd0d07

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.a...0a305146de6716



Thanks,
jmash
Old 11-13-2008, 04:21 PM   #9 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,426
OS: XP SP3


Re: Unwanted popups and malware in the system

Hello jmash.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Do you have Windows Automatic Updates disabled on purpose?

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
File::
c:\winnt\system32\yt8a.exe

Folder::
C:\window
c:\winnt\system32\1024

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yt8a"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINNT\\system32\\yt8a.exe"=-

FCopy::
C:\WINNT\system32\dllcache\svchost.exe | C:\WINNT\system32\svchost.exe
Save this Notepad file as CFScript.txt to your Desktop and then close the file.
Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix, please click Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
new HijackThis log
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
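An added example, not from the thread and not ComboFix's own code: a pre-flight reader for the CFScript.txt format used in the post above, so the files, folders and registry values the script asks ComboFix to delete, and the copy it asks for, can be listed and reviewed before the script is dropped onto ComboFix. The section names (File::, Folder::, Registry::, FCopy::) are those used in the post; the Plan structure and the cross-check against ComboFix's reported deletions are my additions.

```python
"""
Added example (not part of the thread): parse a CFScript.txt into a plan of
actions and compare that plan with what a ComboFix log says was done.
"""
from dataclasses import dataclass, field

# Constructed copy of the CFScript posted in this thread.
CFSCRIPT = r"""
File::
c:\winnt\system32\yt8a.exe

Folder::
C:\window
c:\winnt\system32\1024

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yt8a"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINNT\\system32\\yt8a.exe"=-

FCopy::
C:\WINNT\system32\dllcache\svchost.exe | C:\WINNT\system32\svchost.exe
"""

KNOWN_SECTIONS = {"File", "Folder", "Registry", "FCopy"}


@dataclass
class Plan:
    files: list = field(default_factory=list)      # paths to delete
    folders: list = field(default_factory=list)    # folders to delete
    registry: list = field(default_factory=list)   # (key, value_name, action)
    fcopy: list = field(default_factory=list)      # (source, destination)
    errors: list = field(default_factory=list)     # (line number, message)


def _parse_reg_value(line: str):
    """Split '"name"=data' into (name, data); REGEDIT4 uses data '-' to delete a value."""
    if not line.startswith('"'):
        return None
    end = line.find('"', 1)
    if end < 0 or not line[end + 1:].startswith("="):
        return None
    return line[1:end], line[end + 2:]


def parse_cfscript(text: str) -> Plan:
    plan = Plan()
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                     # section header such as "File::"
            section = line[:-2]
            current_key = None
            if section not in KNOWN_SECTIONS:
                plan.errors.append((lineno, f"unknown section {section!r}"))
            continue
        if section is None:
            plan.errors.append((lineno, f"line before any section header: {line!r}"))
        elif section == "File":
            plan.files.append(line)
        elif section == "Folder":
            plan.folders.append(line)
        elif section == "Registry":
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            elif current_key is None:
                plan.errors.append((lineno, "registry value before any [key]"))
            else:
                parsed = _parse_reg_value(line)
                if parsed is None:
                    plan.errors.append((lineno, f"cannot parse registry line {line!r}"))
                else:
                    name, data = parsed
                    action = "delete value" if data == "-" else f"set value to {data}"
                    plan.registry.append((current_key, name, action))
        elif section == "FCopy":
            parts = [p.strip() for p in line.split("|")]
            if len(parts) != 2 or not all(parts):
                plan.errors.append((lineno, f"FCopy needs 'source | destination': {line!r}"))
            else:
                plan.fcopy.append((parts[0], parts[1]))
        # lines under an unknown section are ignored; the header error already covers them
    return plan


def unapplied(plan: Plan, log_deleted: list, log_copied: list) -> list:
    """Planned deletions and copies that the ComboFix log's own lines do not confirm."""
    deleted = {p.lower() for p in log_deleted}
    copied = {(s.lower(), d.lower()) for s, d in log_copied}
    missing = [p for p in plan.files + plan.folders if p.lower() not in deleted]
    missing += [f"{s} -> {d}" for s, d in plan.fcopy if (s.lower(), d.lower()) not in copied]
    return missing


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    for label, items in (("delete file", plan.files), ("delete folder", plan.folders),
                         ("registry", plan.registry), ("copy", plan.fcopy)):
        for item in items:
            print(f"{label:14} {item}")
    for lineno, msg in plan.errors:
        print(f"line {lineno}: {msg}")
```

Feeding unapplied() the "Other Deletions" and FCopy lines from the ComboFix.txt posted next in the thread gives an empty list, confirming every planned action was carried out.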
Old 11-15-2008, 06:00 AM   #10 (permalink)
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Re: Unwanted popups and malware in the system

Hello Chemist,

Auto Windows Update was probably mistakenly turned off or some virus turned it off.

Here are logs:

ComboFix.txt:
ComboFix 08-11-13.01 - cav.bal 2008-11-15 12:48:25.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.206 [GMT 0:00]
Running from: c:\documents and settings\cav.bal\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\cav.bal\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\winnt\system32\yt8a.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\window
c:\window\svchost.exe
c:\winnt\system32\1024
c:\winnt\system32\yt8a.exe

.
--------------- FCopy ---------------

c:\winnt\system32\dllcache\svchost.exe --> c:\winnt\system32\svchost.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.

2008-11-12 15:15 . 2008-11-12 21:53 <DIR> d-------- c:\program files\Visual CertExam Suite
2008-11-10 18:51 . 2008-11-10 18:51 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-10 17:51 . 2008-11-10 17:51 21,504 --a------ c:\winnt\system32\2.8-Install.exe
2008-11-10 17:40 . 2008-11-10 17:40 <DIR> d-------- c:\documents and settings\All Users\~Backup
2008-10-26 08:42 . 2008-10-26 08:42 108,336 --a------ c:\winnt\system32\MSWINSCK.OCX
2008-10-21 10:00 . 2008-11-13 12:54 <DIR> d-------- c:\documents and settings\cav.bal\Application Data\skypePM
2008-10-21 10:00 . 2008-10-21 10:00 56 --ah----- c:\winnt\system32\ezsidmv.dat
2008-10-21 09:56 . 2008-11-13 12:55 <DIR> d-------- c:\documents and settings\cav.bal\Application Data\Skype
2008-10-21 09:55 . 2008-11-05 20:56 <DIR> d-------- c:\program files\Google
2008-10-21 09:54 . 2008-10-21 09:55 <DIR> d-------- c:\program files\Skype
2008-10-21 09:54 . 2008-10-21 09:54 <DIR> d-------- c:\program files\Common Files\Skype
2008-10-21 09:54 . 2008-10-21 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 12:59 --------- d-----w c:\program files\OfficeScan NT
2008-11-12 15:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 20:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 20:48 --------- d-----w c:\program files\SpywareBlaster
2008-11-05 21:03 --------- d-----w c:\program files\SpywareGuard
2008-10-06 09:04 201 ---ha-w c:\documents and settings\cav.bal\Application Data\hpothb07.dat
2008-10-06 09:03 172 ---ha-w c:\documents and settings\Anthony.D.Roberts\hpothb07.dat
2008-10-06 09:03 0 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2006-02-13 16:20 32,064 ----a-w c:\documents and settings\cav.bal\Application Data\GDIPFONTCACHEV1.DAT
2005-04-26 08:48 57,344 ----a-w c:\program files\internet explorer\plugins\PluginWrapper.dll
2007-04-17 20:42 32,768 --sha-w c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007041720070418\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CatUserRun"="exec32" [X]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-01-24 114688]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\\FaxCtrl.exe" [2003-07-17 114688]
"Synchronization Manager"="c:\winnt\system32\mobsync.exe" [2004-08-04 143360]
"NeroCheck"="c:\program files\Ahead\\Nero\NeroCheck.exe" [2001-07-09 155648]
"DirXconnect settings"="c:\\PROGRA~1\Sie\DIRXDI~1\dxdSetup.exe" [2000-03-21 106561]
"OfficeScanNT Monitor"="c:\program files\OfficeScan NT\pccntmon.exe" [2007-01-08 356429]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-09-07 77824]
"Java Profiles Fix"="c:\program files\Java\Profile Fix\Java_Profile.exe" [2003-04-30 32768]
"JavaProfileFix2"="c:\program files\Java\Profile Fix\Java_Profile_2.exe" [2004-03-04 36864]
"SIECACST"="c:\program files\Sie\Card API\bin\siecacst.exe" [2005-02-01 45056]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2005-11-10 212992]
"JavaProfileFix3"="c:\program files\Java\Profile Fix\JAVA_Fix 3.exe" [2005-12-06 53248]
"Migrator"="c:\program files\CryptoEx\Migrator\Migrator.exe" [2004-10-26 290816]
"CryptoExTrayV3"="c:\program files\CryptoEx\Common\CexTray.exe" [2005-03-01 909312]
"SchedulingAgent_nDG"="c:\program files\ManageSoft\Schedule Agent\ndschedag.exe" [2006-07-27 1183744]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-01-09 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\GetFlash.exe" [2003-09-04 94208]

c:\documents and settings\cav.bal\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"MaxGPOScriptWait"= 1800 (0x708)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"EnableProfileQuota"= 1 (0x1)
"ProfileQuotaMessage"= You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"= 10240 (0x2800)
"WarnUserTimeout"= 15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"StartRunNoHOMEPATH"= 1 (0x1)
"EnforceShellExtensionSecurity"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoSetActiveDesktop"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="SGPro.exe /shell"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CexTrayWinLogon]
2005-01-26 12:25 57344 c:\program files\CryptoEx\Common\CexTrayWinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=CBEShutdown.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\1\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=catstart.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\GB001.Sie.net\sysvol\GB001.Sie.net\scripts\CatPC\CAT Basic Environment\Setup\Setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=DeployCentennialAgent.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-1152\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-31563\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-34625\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-450047656-3918250416-1063027673-500\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Achernar;Achernar - SCSI Command Filters;c:\winnt\system32\Drivers\Achernar.sys [2004-02-11 16855]
R2 CBBS;CAT Bulletin Board;c:\program files\Sie\CAT Bulletin Board\CBBS.exe [2002-06-20 65536]
R2 mgsdl;ManageSoft Peer-to-Peer Download Service;c:\program files\ManageSoft\Launcher\mgsdl.exe [2006-07-27 1286144]
R2 ndGlobalLauncher;ManageSoft installation agent;c:\program files\ManageSoft\Launcher\ndserv.exe [2006-07-27 2539520]
R2 ndinit;ManageSoft managed device;c:\program files\ManageSoft\Schedule Agent\ndinit.exe [2006-07-27 655360]
R2 openFT FTNEA;openFT Server;c:\program files\openFT\bin\NEACTRLS.EXE [2002-07-09 253952]
R2 openFT Security Server;openFT Security Server;c:\program files\openFT\bin\SECSERV.EXE [2002-07-09 86016]
R2 usbdisk;usbdisk;c:\winnt\system32\usbdisk.sys [2004-08-04 2176]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\winnt\system32\Drivers\Aldebaran.sys [2004-02-11 21808]
S2 CatSystemSvc;CatSystem;c:\winnt\CatPC\CATSYS\CatSystemSvc.exe [2006-05-02 439808]
S2 ipxlauncher;Ipx/ip Service;c:\window\svchost.exe [ ]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

*Newly Created Service* - MACROMEDIA_LICENSING_SERVICE
*Newly Created Service* - NTRTSCAN
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-15 12:54:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"
.
Completion time: 2008-11-15 12:58:53
ComboFix-quarantined-files.txt 2008-11-15 12:58:08
ComboFix2.txt 2008-11-13 13:30:33

Pre-Run: 4,471,468,032 bytes free
Post-Run: 4,482,707,456 bytes free

238



Hijackthis.log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:04, on 2008-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ManageSoft\Launcher\mgsdl.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\Program Files\openFT\bin\SECSERV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\openFT\bin\NEACTRLS.EXE
C:\Program Files\Sie\CAT Bulletin Board\CBB.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Sie\Card API\bin\siecacst.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\CryptoEx\common\CexTray.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\OfficeScan NT\Pop3Trap.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\explorer.exe
C:\WINNT\TEMP\COFFF2.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\users\mah\software\cav.bal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pacs.erl.sbs.de/sbs.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.Sie.net:80;https=mddmproxy.gb001.Sie.net:80;ftp=mddmproxy.gb001.Sie.net:80;gopher=localhost:1;socks=proxy1.sbs.Sie.co.uk:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.sitest.net;*.Sie.net;*.Sie.de;<local>
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\Program Files\Ahead\\Nero\NeroCheck.exe
O4 - HKLM\..\Run: [DirXconnect settings] C:\\PROGRA~1\Sie\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Sie\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [JavaProfileFix3] "C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe"
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1960408961-725345543-468838394-1152\..\Policies\Explorer\Run: [1] \\gb001.Sie.net\DFSRoot\NCIP_SBS\SBS\NT4 Printer Migration\MigrateClientPrinters.bat (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/members/
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1176402450038
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GB001.Sie.net
O17 - HKLM\Software\..\Telephony: DomainName = GB001.Sie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GB001.Sie.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GB001.Sie.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GB001.Sie.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O23 - Service: CatSystem (CatSystemSvc) - Sie AG - C:\WINNT\CatPC\CATSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - -C:\WINNT\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ipx/ip Service (ipxlauncher) - Unknown owner - c:\window\svchost.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ManageSoft Peer-to-Peer Download Service (mgsdl) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\mgsdl.exe
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
O23 - Service: openFT Server (openFT FTNEA) - Sie Computers GmbH - C:\Program Files\openFT\bin\NEACTRLS.EXE
O23 - Service: openFT Security Server - Sie Computers GmbH - C:\Program Files\openFT\bin\SECSERV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

--
End of file - 9623 bytes


Thanks,
Mahesh
Old 11-15-2008, 08:48 AM   #11 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,426
OS: XP SP3


Re: Unwanted popups and malware in the system

Hello again, jmash. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
Driver::
ipxlauncher

Registry::
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"=dword:00000000

DirLook::
c:\documents and settings\All Users\~Backup

SkipFix::

Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix, please click Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 10 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click Continue
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and click on Add or Remove Programs
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u10-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
Kaspersky report
new HijackThis log
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
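A defender-side check for the kind of entry the CFScript above targets (the ipxlauncher service whose binary is a svchost.exe outside System32), written as an added example and not HijackThis, ComboFix or TSF code: it parses the O4 (autorun) and O23 (service) lines of a HijackThis log and flags entries marked "(file missing)" or whose executable borrows a core Windows process name from a non-system directory. The sample lines are copied from the log posted earlier in this thread; the list of system binary names and the XP %SystemRoot% layout are my own assumptions.

```python
"""Flag HijackThis O4 (autorun) and O23 (service) entries whose binary either
masquerades as a core Windows process from a non-system directory (the log's
c:\\window\\svchost.exe, versus the real c:\\winnt\\system32\\svchost.exe) or
is reported as "(file missing)".  Added example, not HijackThis or ComboFix
code; the sample lines below are copied from the log posted in this thread."""
from __future__ import annotations

import re
from typing import NamedTuple

# Core Windows binaries whose names malware frequently borrows (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
                   "smss.exe", "winlogon.exe", "csrss.exe", "explorer.exe"}


class Finding(NamedTuple):
    entry: str   # "O4" or "O23"
    name: str    # run-key value name, or service short name (display name if none)
    path: str    # normalized executable path
    reason: str


# O23 - Service: <display> [(<short>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?)"
    r" - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Executable at the start of a command line: a quoted path, or a bare path up to ".exe".
EXE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.exe))', re.IGNORECASE)


def normalize(path: str, system_root: str) -> str:
    """Lower-case, drop a stray leading '-', expand %SystemRoot%, collapse doubled '\\\\'."""
    p = path.strip().lstrip("-").lower()
    p = p.replace("%systemroot%", system_root.lower())
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p


def legit_dirs(system_root: str) -> set[str]:
    """Directories where SYSTEM_BINARIES legitimately live (XP layout, as in the log)."""
    root = system_root.lower().rstrip("\\")
    return {root, root + "\\system32"}


def check_path(entry: str, name: str, path: str, missing: bool,
               system_root: str) -> list[Finding]:
    findings = []
    p = normalize(path, system_root)
    if missing:
        findings.append(Finding(entry, name, p, "file missing"))
    directory, _, base = p.rpartition("\\")
    if base in SYSTEM_BINARIES and directory not in legit_dirs(system_root):
        findings.append(Finding(entry, name, p,
                                f"{base} outside {system_root}\\system32"))
    return findings


def scan_hjt_log(text: str, system_root: str = r"C:\WINNT") -> list[Finding]:
    """Return one Finding per suspicious O4/O23 line; other line types are ignored."""
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O23_RE.match(line):
            name = m.group("short") or m.group("display")
            findings += check_path("O23", name, m.group("path"),
                                   bool(m.group("missing")), system_root)
        elif m := O4_RE.match(line):
            # HJT appends "(User '...')" to HKUS entries; it is not part of the command.
            cmd = re.sub(r" \(User '[^']*'\)$", "", m.group("cmd"))
            if e := EXE_RE.match(cmd):
                exe = e.group("quoted") or e.group("bare")
                findings += check_path("O4", m.group("name"), exe, False, system_root)
    return findings


# Constructed sample: lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - -C:\WINNT\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: Ipx/ip Service (ipxlauncher) - Unknown owner - c:\window\svchost.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"{f.entry} {f.name}: {f.reason} ({f.path})")
```

On the sample it reports DWMRCS once (file missing) and ipxlauncher twice (file missing, and svchost.exe outside C:\WINNT\system32); the legitimate OfficeScan, Brother and Sie entries produce nothing.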
Old 11-16-2008, 05:16 AM   #12 (permalink)
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Re: Unwanted popups and malware in the system

Hello Chemist,

I was able to run ComboFix successfully. Then I installed Java Runtime Environment (JRE) 6 Update 10 and followed the steps to delete all the cache. Then I ran ATF successfully.

But I could not run Kaspersky Online Scanner, as it cannot find the newly installed version of Java on my machine and hence the Accept button is visible but not enabled. I tried stopping all antivirus scans as well. Hence I am posting just my ComboFix.txt log here.
Please let me know how I can run Kaspersky.

System feedback: The system seems to be slightly better now. Some of the dirty popups seem to have disappeared now.

ComboFix.txt
ComboFix 08-11-14.01 - cav.bal 2008-11-16 10:44:10.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT 0:00]
Running from: c:\documents and settings\cav.bal\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\cav.bal\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-12 15:15 . 2008-11-12 21:53 <DIR> d-------- c:\program files\Visual CertExam Suite
2008-11-10 18:51 . 2008-11-10 18:51 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-10 17:51 . 2008-11-10 17:51 21,504 --a------ c:\winnt\system32\2.8-Install.exe
2008-11-10 17:40 . 2008-11-10 17:40 <DIR> d-------- c:\documents and settings\All Users\~Backup
2008-10-26 08:42 . 2008-10-26 08:42 108,336 --a------ c:\winnt\system32\MSWINSCK.OCX
2008-10-21 10:00 . 2008-11-13 12:54 <DIR> d-------- c:\documents and settings\cav.bal\Application Data\skypePM
2008-10-21 10:00 . 2008-10-21 10:00 56 --ah----- c:\winnt\system32\ezsidmv.dat
2008-10-21 09:56 . 2008-11-13 12:55 <DIR> d-------- c:\documents and settings\cav.bal\Application Data\Skype
2008-10-21 09:55 . 2008-11-05 20:56 <DIR> d-------- c:\program files\Google
2008-10-21 09:54 . 2008-10-21 09:55 <DIR> d-------- c:\program files\Skype
2008-10-21 09:54 . 2008-10-21 09:54 <DIR> d-------- c:\program files\Common Files\Skype
2008-10-21 09:54 . 2008-10-21 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 12:59 --------- d-----w c:\program files\OfficeScan NT
2008-11-12 15:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 20:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 20:48 --------- d-----w c:\program files\SpywareBlaster
2008-11-05 21:03 --------- d-----w c:\program files\SpywareGuard
2008-10-06 09:04 201 ---ha-w c:\documents and settings\cav.bal\Application Data\hpothb07.dat
2008-10-06 09:03 172 ---ha-w c:\documents and settings\Anthony.D.Roberts\hpothb07.dat
2008-10-06 09:03 0 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2006-02-13 16:20 32,064 ----a-w c:\documents and settings\cav.bal\Application Data\GDIPFONTCACHEV1.DAT
2005-04-26 08:48 57,344 ----a-w c:\program files\internet explorer\plugins\PluginWrapper.dll
2007-04-17 20:42 32,768 --sha-w c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007041720070418\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\~Backup ----



((((((((((((((((((((((((((((( snapshot@2008-11-13_12.58.59.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-08 19:15:18 176,195 ----a-w c:\winnt\temp\COFFF2.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CatUserRun"="exec32" [X]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-01-24 114688]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\\FaxCtrl.exe" [2003-07-17 114688]
"Synchronization Manager"="c:\winnt\system32\mobsync.exe" [2004-08-04 143360]
"NeroCheck"="c:\program files\Ahead\\Nero\NeroCheck.exe" [2001-07-09 155648]
"DirXconnect settings"="c:\\PROGRA~1\Sie\DIRXDI~1\dxdSetup.exe" [2000-03-21 106561]
"OfficeScanNT Monitor"="c:\program files\OfficeScan NT\pccntmon.exe" [2007-01-08 356429]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-09-07 77824]
"Java Profiles Fix"="c:\program files\Java\Profile Fix\Java_Profile.exe" [2003-04-30 32768]
"JavaProfileFix2"="c:\program files\Java\Profile Fix\Java_Profile_2.exe" [2004-03-04 36864]
"SIECACST"="c:\program files\Sie\Card API\bin\siecacst.exe" [2005-02-01 45056]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2005-11-10 212992]
"JavaProfileFix3"="c:\program files\Java\Profile Fix\JAVA_Fix 3.exe" [2005-12-06 53248]
"Migrator"="c:\program files\CryptoEx\Migrator\Migrator.exe" [2004-10-26 290816]
"CryptoExTrayV3"="c:\program files\CryptoEx\Common\CexTray.exe" [2005-03-01 909312]
"SchedulingAgent_nDG"="c:\program files\ManageSoft\Schedule Agent\ndschedag.exe" [2006-07-27 1183744]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-01-09 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\GetFlash.exe" [2003-09-04 94208]

c:\documents and settings\cav.bal\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"MaxGPOScriptWait"= 1800 (0x708)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"EnableProfileQuota"= 1 (0x1)
"ProfileQuotaMessage"= You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"= 10240 (0x2800)
"WarnUserTimeout"= 15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"StartRunNoHOMEPATH"= 1 (0x1)
"EnforceShellExtensionSecurity"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoSetActiveDesktop"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="SGPro.exe /shell"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CexTrayWinLogon]
2005-01-26 12:25 57344 c:\program files\CryptoEx\Common\CexTrayWinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=CBEShutdown.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\1\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=catstart.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\GB001.Sie.net\sysvol\GB001.Sie.net\scripts\CatPC\CAT Basic Environment\Setup\Setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=DeployCentennialAgent.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-1152\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-31563\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-34625\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-450047656-3918250416-1063027673-500\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Achernar;Achernar - SCSI Command Filters;c:\winnt\system32\Drivers\Achernar.sys [2006-03-15 16855]
R2 CBBS;CAT Bulletin Board;c:\program files\Sie\CAT Bulletin Board\CBBS.exe [2002-06-20 65536]
R2 mgsdl;ManageSoft Peer-to-Peer Download Service;"c:\program files\ManageSoft\Launcher\mgsdl.exe" [2006-07-27 1286144]
R2 ndGlobalLauncher;ManageSoft installation agent;"c:\program files\ManageSoft\Launcher\ndserv.exe" [2006-07-27 2539520]
R2 ndinit;ManageSoft managed device;"c:\program files\ManageSoft\Schedule Agent\ndinit.exe" [2006-07-27 655360]
R2 openFT FTNEA;openFT Server;"c:\program files\openFT\bin\NEACTRLS.EXE" [2003-11-12 253952]
R2 openFT Security Server;openFT Security Server;"c:\program files\openFT\bin\SECSERV.EXE" [2003-11-12 86016]
R2 usbdisk;usbdisk;\??\c:\winnt\system32\usbdisk.sys [2003-09-02 2176]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\winnt\system32\Drivers\Aldebaran.sys [2006-03-15 21808]
S2 CatSystemSvc;CatSystem;c:\winnt\CatPC\CATSYS\CatSystemSvc.exe [2005-06-17 439808]
S2 ipxlauncher;Ipx/ip Service;c:\window\svchost.exe []
S3 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 199384]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

*Newly Created Service* - MACROMEDIA_LICENSING_SERVICE
*Newly Created Service* - NTRTSCAN
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 10:44:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

c:\winnt\explorer.exe [3444] 0x82BAEA10

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"
.
Completion time: 2008-11-16 10:53:55
ComboFix-quarantined-files.txt 2008-11-16 10:53:42
ComboFix2.txt 2008-11-15 12:58:55
ComboFix3.txt 2008-11-13 13:30:33

Pre-Run: 5,901,152,256 bytes free
Post-Run: 5,891,358,720 bytes free



Thanks,
Mahesh

Last edited by jmash; 11-16-2008 at 05:18 AM.
Old 11-16-2008, 10:47 AM   #13 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,426
OS: XP SP3


Re: Unwanted popups and malware in the system

Try this one instead:

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked.
  • Click Scan
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

Please close HijackThis now.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 11-17-2008, 12:56 PM   #14 (permalink)
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Re: Unwanted popups and malware in the system

Hi Chemist,

The system seems to be behaving well to a good extent now. But Internet Explorer takes up all of the memory in Task Manager when I try to browse any URL, and it comes back after a few seconds. Not sure if this is related to the malware problem we are trying to solve.

Here are the logs:
1. Eset log:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3615 (20081115)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=274cdda0194f2d4fa1af0c1ec2632a00
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2004-11-16 11:36:23
# local_time=2004-11-16 11:36:23 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=592536
# found=59
# scan_time=7110
C:\Qoobox\Quarantine\C\window\svchost.exe.vir Win32/Delf.NRU trojan 3A8C747C9EDAA2789AA0F97E42047255
C:\Qoobox\Quarantine\C\WINNT\dcbdcatys32_081027a.dll.vir a variant of Win32/Spy.Pophot trojan 68EC8571B7A02CF22842D8DA07711B71
C:\Qoobox\Quarantine\C\WINNT\wftadfi16_081027a.dll.vir a variant of Win32/Spy.Pophot trojan F22FED737CAE20CB7F0C75A7253FDA52
C:\Qoobox\Quarantine\C\WINNT\system\sgcxcxxaspf081027.exe.vir a variant of Win32/Spy.Pophot trojan A500FEE0AD43471FAE584A476DA32C7A
C:\Qoobox\Quarantine\C\WINNT\system32\afisicx.exe.vir a variant of Win32/Adware.Coolezweb application 2FBB8B776ED0E07140D3C8A7CB89991D
C:\Qoobox\Quarantine\C\WINNT\system32\IPHOST.dll.vir Win32/Agent.YNL trojan 97D74E7CD95120A0AA1C6C920D55EF06
C:\Qoobox\Quarantine\C\WINNT\system32\noytcyr.exe.vir a variant of Win32/Adware.Coolezweb application ED720F520B1C6809F708AEB98A5861A4
C:\Qoobox\Quarantine\C\WINNT\system32\roytctm.exe.vir a variant of Win32/Adware.Coolezweb application 674B84D89833028517FAAD960FA2533E
C:\Qoobox\Quarantine\C\WINNT\system32\spoolsv.exe.vir probably a variant of Win32/TrojanDownloader.Agent.AFLS trojan C1B273114F984334AABB43A5E8A6FBC6
C:\Qoobox\Quarantine\C\WINNT\system32\_proxy.dll.vir Win32/Agent.YNL trojan 97D74E7CD95120A0AA1C6C920D55EF06
C:\Qoobox\Quarantine\C\WINNT\system32\inf\scsys16_081027.dll.vir a variant of Win32/Spy.Pophot trojan F22FED737CAE20CB7F0C75A7253FDA52
C:\Qoobox\Quarantine\C\WINNT\system32\inf\sppdcrs081027.scr.vir a variant of Win32/Spy.Pophot trojan A500FEE0AD43471FAE584A476DA32C7A
C:\temp\kopdl0544.exe multiple infiltrations 8AB51F35C127943834DFA07BA7ED7B95
C:\temp\kopdl0544.exe »NSIS »bmv35gui.exe Win32/TrojanDownloader.Small.BUY trojan 00000000000000000000000000000000
C:\temp\kopdl0544.exe »NSIS »retmwav3.exe Win32/TrojanDownloader.Small.IAW trojan 00000000000000000000000000000000
C:\temp\kopdl0544.exe »NSIS »cegmgr76.exe Win32/Adware.ZenoSearch application 00000000000000000000000000000000
C:\WINNT\CSC\d8\8000004F Win32/Adware.WinReanimator application 828A14150262A6A18A31B046AA350CA0
C:\WINNT\CSC\d8\8000004F »ZIP »WinReanimator.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\WINNT\system32\2.8-Install.exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9
C:\WINNT\system32\tmpxr_171181334020.bk a variant of Win32/Adware.Coolezweb application 163F0BCDCBF11FE86FB61E664FDC4B39
C:\WINNT\system32\tmpxr_195992756418.bk a variant of Win32/Adware.Coolezweb application 853614CE021CE4E0E11D99D6DF45F832
C:\WINNT\system32\tmpxr_205689303098.bk a variant of Win32/Adware.Coolezweb application BBE6CDAAF9717B481C2196462830FBAF
C:\WINNT\system32\tmpxr_23861349732.bk a variant of Win32/Adware.Coolezweb application D1AE54058AB715EF46214757448D0F1E
C:\WINNT\system32\tmpxr_282413342461.bk a variant of Win32/Adware.Coolezweb application 2B71088ACCB7834656E6FD594D05C69D
C:\WINNT\system32\tmpxr_356987149273.bk a variant of Win32/Adware.Coolezweb application 21EED78CB2BD68C5B03C3848C2A9AA53
C:\WINNT\system32\tmpxr_417120747761.bk Win32/Adware.Coolezweb application BEC5F07CDD2C52C8ECE0035081467743
C:\WINNT\system32\tmpxr_425936403528.bk a variant of Win32/Adware.Coolezweb application BBE6CDAAF9717B481C2196462830FBAF
C:\WINNT\system32\tmpxr_460012159609.bk a variant of Win32/Adware.Coolezweb application E00A71833991D6230974E81A7A86C356
C:\WINNT\system32\tmpxr_461285101735.bk a variant of Win32/Adware.Coolezweb application 30622C6FB6AADE86119D459154576BDE
C:\WINNT\system32\tmpxr_495990362066.bk a variant of Win32/Adware.Coolezweb application 070A8B879C4446DB6297C2C95DA6FA9F
C:\WINNT\system32\tmpxr_507946635869.bk a variant of Win32/Adware.Coolezweb application 48E44646132A3C8ACB5A6D7425000DDF
C:\WINNT\system32\tmpxr_537203219726.bk a variant of Win32/Adware.Coolezweb application 3083AAC7A0FA96198DCE380834054A79
C:\WINNT\system32\tmpxr_558510725087.bk a variant of Win32/Adware.Coolezweb application 3083AAC7A0FA96198DCE380834054A79
C:\WINNT\system32\tmpxr_62211495425.bk a variant of Win32/Adware.Coolezweb application 30622C6FB6AADE86119D459154576BDE
C:\WINNT\system32\tmpxr_6599531352.bk a variant of Win32/Adware.Coolezweb application ADC918C2DB7FFD808D48C2BC99E5F952
C:\WINNT\system32\tmpxr_676204822280.bk a variant of Win32/Adware.Coolezweb application 983CF12D541C9BB67C36EDD08FA9D109
C:\WINNT\system32\tmpxr_684689111763.bk a variant of Win32/Adware.Coolezweb application 2B71088ACCB7834656E6FD594D05C69D
C:\WINNT\system32\tmpxr_693103862995.bk a variant of Win32/Adware.Coolezweb application 21EED78CB2BD68C5B03C3848C2A9AA53
C:\WINNT\system32\tmpxr_699846558307.bk a variant of Win32/Adware.Coolezweb application 48E44646132A3C8ACB5A6D7425000DDF
C:\WINNT\system32\tmpxr_710829279225.bk a variant of Win32/Adware.Coolezweb application E00A71833991D6230974E81A7A86C356
C:\WINNT\system32\tmpxr_712273811668.bk a variant of Win32/Adware.Coolezweb application 4A01C090780BE7CCCFFEC7004637231C
C:\WINNT\system32\tmpxr_722079827962.bk a variant of Win32/Adware.Coolezweb application 4A01C090780BE7CCCFFEC7004637231C
C:\WINNT\system32\tmpxr_72936194152.bk Win32/Adware.Coolezweb application BEC5F07CDD2C52C8ECE0035081467743
C:\WINNT\system32\tmpxr_769476218194.bk a variant of Win32/Adware.Coolezweb application CD36BADE2BB2C98F9FEA497C09032BF2
C:\WINNT\system32\tmpxr_774126331392.bk a variant of Win32/Adware.Coolezweb application F910A95C0936D60DCA50C3F463B3504C
C:\WINNT\system32\tmpxr_779767628882.bk a variant of Win32/Adware.Coolezweb application 070A8B879C4446DB6297C2C95DA6FA9F
C:\WINNT\system32\tmpxr_792091519450.bk a variant of Win32/Adware.Coolezweb application CD36BADE2BB2C98F9FEA497C09032BF2
C:\WINNT\system32\tmpxr_817036450882.bk a variant of Win32/Adware.Coolezweb application 983CF12D541C9BB67C36EDD08FA9D109
C:\WINNT\system32\tmpxr_855838239784.bk a variant of Win32/Adware.Coolezweb application 6A319C395576EEAA4EA7F09FA6B422CC
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[1].exe a variant of Win32/Proxec.A trojan A747023C58D30AC5ED68CB3175EB0BFD
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[2].exe a variant of Win32/Proxec.A trojan A747023C58D30AC5ED68CB3175EB0BFD
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[3].exe a variant of Win32/Proxec.A trojan A747023C58D30AC5ED68CB3175EB0BFD
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[4].exe Win32/Proxec.B trojan 9CE4BB83069B2126536DAFA3C2E93E93
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[5].exe Win32/Proxec.B trojan 9CE4BB83069B2126536DAFA3C2E93E93
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[1].exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[2].exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[3].exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6AW3FHQC\Cracked[1].exe Win32/Proxec.B trojan 9CE4BB83069B2126536DAFA3C2E93E93
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ONTJJMGN\system[1].exe a variant of Win32/Proxec.A trojan 0D35F8B9477AE77778869C7D3FCBCBA0


2. Hijackthis.log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:02, on 2004-11-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ManageSoft\Launcher\mgsdl.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\openFT\bin\SECSERV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\openFT\bin\NEACTRLS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\TEMP\NV1921.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Sie\CAT Bulletin Board\CBB.exe
C:\Program Files\Sie\Card API\bin\siecacst.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\OfficeScan NT\Pop3Trap.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\users\Mahesh\software\cav.bal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pacs.erl.sbs.de/sbs.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.Sie.net:80;https=mddmproxy.gb001.sie.net:80;ftp=mddmproxy.gb001.sie.net:80;gopher=localhost:1;socks=proxy1.sbs.sie.co.uk:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.sitest.net;*.sie.net;*.sie.de;<local>
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\Program Files\Ahead\\Nero\NeroCheck.exe
O4 - HKLM\..\Run: [DirXconnect settings] C:\\PROGRA~1\SIE\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Sie\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1960408961-725345543-468838394-1152\..\Policies\Explorer\Run: [1] \\gb001.sie.net\DFSRoot\NCIP_SBS\SBS\NT4 Printer Migration\MigrateClientPrinters.bat (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/members/
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1176402450038
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\Software\..\Telephony: DomainName = GB001.sie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GB001.sie.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O23 - Service: CatSystem (CatSystemSvc) - Sie AG - C:\WINNT\CatPC\CATSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - -C:\WINNT\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ipx/ip Service (ipxlauncher) - Unknown owner - c:\window\svchost.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ManageSoft Peer-to-Peer Download Service (mgsdl) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\mgsdl.exe
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: openFT Server (openFT FTNEA) - Sie Computers GmbH - C:\Program Files\openFT\bin\NEACTRLS.EXE
O23 - Service: openFT Security Server - Sie Computers GmbH - C:\Program Files\openFT\bin\SECSERV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

--
End of file - 10356 bytes


Thanks,
jmash
jmash is offline  
11-17-2008, 03:13 PM   #15
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,426
OS: XP SP3


Re: Unwanted popups and malware in the system

Quote:
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[1].exe
Have you been downloading cracks?

------------------------------------------------------

Are you sure you ran ATF-Cleaner? Even if you did, run it again using the instructions above in post #11.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc stop ipxlauncher

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc delete ipxlauncher

------------------------------------------------------

Please download DDS and Save it to your Desktop.
  • Disable any script blocking protection.
  • Double-click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click No at the next prompt for Optional Scan.
  • Save DDS.txt to your desktop and post it here for review.
------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Remove the files ESET flagged; any that survive are listed in %temp%\log.txt
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\temp\kopdl0544.exe"
"C:\WINNT\CSC\d8\8000004F"
"C:\WINNT\system32\2.8-Install.exe"
"C:\WINNT\system32\tmpxr_171181334020.bk"
"C:\WINNT\system32\tmpxr_195992756418.bk"
"C:\WINNT\system32\tmpxr_205689303098.bk"
"C:\WINNT\system32\tmpxr_23861349732.bk"
"C:\WINNT\system32\tmpxr_282413342461.bk"
"C:\WINNT\system32\tmpxr_356987149273.bk"
"C:\WINNT\system32\tmpxr_417120747761.bk"
"C:\WINNT\system32\tmpxr_425936403528.bk"
"C:\WINNT\system32\tmpxr_460012159609.bk"
"C:\WINNT\system32\tmpxr_461285101735.bk"
"C:\WINNT\system32\tmpxr_495990362066.bk"
"C:\WINNT\system32\tmpxr_507946635869.bk"
"C:\WINNT\system32\tmpxr_537203219726.bk"
"C:\WINNT\system32\tmpxr_558510725087.bk"
"C:\WINNT\system32\tmpxr_62211495425.bk"
"C:\WINNT\system32\tmpxr_6599531352.bk"
"C:\WINNT\system32\tmpxr_676204822280.bk"
"C:\WINNT\system32\tmpxr_684689111763.bk"
"C:\WINNT\system32\tmpxr_693103862995.bk"
"C:\WINNT\system32\tmpxr_699846558307.bk"
"C:\WINNT\system32\tmpxr_710829279225.bk"
"C:\WINNT\system32\tmpxr_712273811668.bk"
"C:\WINNT\system32\tmpxr_722079827962.bk"
"C:\WINNT\system32\tmpxr_72936194152.bk"
"C:\WINNT\system32\tmpxr_769476218194.bk"
"C:\WINNT\system32\tmpxr_774126331392.bk"
"C:\WINNT\system32\tmpxr_779767628882.bk"
"C:\WINNT\system32\tmpxr_792091519450.bk"
"C:\WINNT\system32\tmpxr_817036450882.bk"
"C:\WINNT\system32\tmpxr_855838239784.bk"
"C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[1].exe"
"C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[2].exe"
"C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[3].exe"
"C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[4].exe"
"C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[5].exe"
"C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[1].exe"
"C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[2].exe"
"C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[3].exe"
"C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6AW3FHQC\Cracked[1].exe"
"C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ONTJJMGN\system[1].exe"

) do (
rem force-delete regardless of attributes, discarding both stdout and stderr
del /a/f %%g >nul 2>&1
rem anything still present is recorded for review
if exist %%g echo.%%g>>"%temp%\log.txt"
)


if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat, choose Save as type: All Files, then close Notepad.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
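Added example, not code from the thread or from the moderator: a small Python triage over HijackThis O23 service lines and bare "Running processes" paths that applies the reasoning behind the sc stop / sc delete step above. A service registered against a look-alike of a core Windows binary (here c:\window\svchost.exe, which ESET later identified in quarantine as Win32/Delf.NRU) is rated high; a plain "(file missing)" registration is rated low and is checked with sc qc before removal. The list of look-alike names and the allowed System32 directories are assumptions; the sample lines are copied from this thread's logs.

```python
"""Triage HijackThis-style log lines: orphaned service registrations and
look-alike system binaries.  Constructed example; not part of the thread."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# O23 - Service: <display name> [(<key name>)] - <owner> - <path> [(file missing)]
# The parenthesised key name is what `sc stop` / `sc delete` expect.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)

# Names malware borrows from core Windows processes (assumed list); the genuine
# copies live only under %SystemRoot%\System32.  This machine's %SystemRoot% is C:\WINNT.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "spoolsv.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
MISSING = "(file missing)"


@dataclass
class Finding:
    severity: str        # "high" or "low"
    key: str             # service key name, or the bare path for process lines
    reason: str
    actions: List[str]


def split_missing(raw: str) -> Tuple[str, bool]:
    """Strip HijackThis's '(file missing)' marker and stray quoting from a path field."""
    missing = raw.endswith(MISSING)
    if missing:
        raw = raw[: -len(MISSING)]
    # The log sometimes carries a stray leading '-' before the drive letter.
    return raw.strip().lstrip("-").strip('"'), missing


def lookalike_reason(path: str) -> Optional[str]:
    """Return why a path looks like a masquerading system binary, or None."""
    directory, name = ntpath.split(path.lower())
    if name in SYSTEM_BINARIES and directory not in SYSTEM32_DIRS:
        return f"{name} outside System32 (found in {directory})"
    return None


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; None means nothing suspicious on its own."""
    line = line.strip()
    m = O23_RE.match(line)
    if m:
        path, missing = split_missing(m["path"])
        key = m["key"] or m["display"]
        remove = [f"sc stop {key}", f"sc delete {key}"]
        why = lookalike_reason(path)
        if why:
            # A service pointing at a look-alike binary is hostile whether or not
            # the file is still on disk: drop the registration, keep any sample.
            return Finding("high", key, why, remove + [f"quarantine {path} if present"])
        if missing:
            # Leftover registration from uninstalled software: harmless clutter,
            # but confirm with `sc qc` first so a mangled path is not deleted blindly.
            return Finding("low", key, "registered service whose binary is gone",
                           [f"sc qc {key}"] + remove)
        return None
    if re.match(r"^[A-Za-z]:\\", line):           # bare "Running processes" entry
        why = lookalike_reason(line)
        if why:
            return Finding("high", line, why, ["end the process", f"quarantine {line}"])
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Sample lines copied from the thread's logs: the genuine svchost, the c:\window
# copy as a running process and as a service, a legitimate service, an orphaned
# one, and a service entry without a key name.
SAMPLE_LOG = r"""
C:\WINNT\system32\svchost.exe
c:\window\svchost.exe
O23 - Service: Ipx/ip Service (ipxlauncher) - Unknown owner - c:\window\svchost.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - -C:\WINNT\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.key}: {f.reason}")
        for a in f.actions:
            print("    ->", a)
```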
11-18-2008, 02:09 PM   #16
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Re: Unwanted popups and malware in the system

Hello Chemist,

Sorry I don't remember downloading any cracks recently.

I have run ATF-Cleaner again.

I have also run
sc stop ipxlauncher
and
sc delete ipxlauncher
as two command prompts.

And the fix.bat result is 'Successfully deleted'.

The DDS log is as follows:


DDS (Version 1.0) - NTFSx86
Run by Cav.Bal at 20:57:12.92 on 2008-11-18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.73 [GMT 0:00]

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ManageSoft\Launcher\mgsdl.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\openFT\bin\SECSERV.EXE
C:\WINNT\System32\svchost.exe -k imgsvc
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\openFT\bin\NEACTRLS.EXE
C:\WINNT\System32\svchost.exe -k HTTPFilter
C:\WINNT\TEMP\NV1921.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Sie\CAT Bulletin Board\CBB.exe
C:\Program Files\Sie\Card API\bin\siecacst.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\OfficeScan NT\Pop3Trap.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe
C:\Program Files\ManageSoft\Security Agent\SecurityAgent.exe
C:\Program Files\Microsoft Baseline Security Analyzer\OfficeUpd\convert.exe
C:\Documents and Settings\cav.bal\Desktop\dds.scr

============== Psuedo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.co.uk/ie
uInternet Settings,ProxyServer = http=mddmproxy.gb001.sie.net:80;https=mddmproxy.gb001.sie.net:80;ftp=mddmproxy.gb001.sie.net:80;gopher=localhost:1;socks=proxy1.sbs.sie.co.uk:1080
uInternet Settings,ProxyOverride = *.sitest.net;*.sie.net;*.sie.de;<local>
uWinlogon: Shell=SGPro.exe /shell
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {4A368E80-174F-4872-96B5-0B27DDD11DB2} - c:\program files\spywareguard\dlprotect.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [CatUserRun] exec32 /wh /c chgreg5 /c
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRunOnce: [FlashPlayerUpdate] c:\winnt\system32\macromed\flash\GetFlash.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [RightFAX Print-to-Fax Driver] c:\program files\rightfax\\FaxCtrl.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [NeroCheck] c:\program files\ahead\\nero\NeroCheck.exe
mRun: [DirXconnect settings] c:\\progra~1\sie\dirxdi~1\dxdSetup.exe -silent -dxcsettings
mRun: [OfficeScanNT Monitor] "c:\program files\officescan nt\pccntmon.exe" -HideWindow
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SIECACST] c:\program files\sie\card api\bin\siecacst.exe
mRun: [Discovery User Input] c:\discovery\user input\userin32.exe
mRun: [Migrator] "c:\program files\cryptoex\migrator\Migrator.exe" -StartUp
mRun: [CryptoExTrayV3] "c:\program files\cryptoex\common\CexTray.exe" /ShowTrayIcon
mRun: [SchedulingAgent_nDG] "c:\program files\managesoft\schedule agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\winnt\system32\macromed\flash\GetFlash.exe
StartupFolder: c:\docume~1\cavith~1.bal\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: Btn_Back = 0 (0x0)
uPolicies-explorer: Btn_Forward = 0 (0x0)
uPolicies-explorer: Btn_Stop = 0 (0x0)
uPolicies-explorer: Btn_Refresh = 0 (0x0)
uPolicies-explorer: Btn_Home = 0 (0x0)
uPolicies-explorer: Btn_Search = 0 (0x0)
uPolicies-explorer: Btn_History = 0 (0x0)
uPolicies-explorer: Btn_Favorites = 0 (0x0)
uPolicies-explorer: Btn_Media = 0 (0x0)
uPolicies-explorer: Btn_Folders = 0 (0x0)
uPolicies-explorer: Btn_Fullscreen = 0 (0x0)
uPolicies-explorer: Btn_Tools = 0 (0x0)
uPolicies-explorer: Btn_MailNews = 0 (0x0)
uPolicies-explorer: Btn_Size = 0 (0x0)
uPolicies-explorer: Btn_Print = 0 (0x0)
uPolicies-explorer: Btn_Edit = 0 (0x0)
uPolicies-explorer: Btn_Discussions = 0 (0x0)
uPolicies-explorer: Btn_Cut = 0 (0x0)
uPolicies-explorer: Btn_Copy = 0 (0x0)
uPolicies-explorer: Btn_Paste = 0 (0x0)
uPolicies-explorer: Btn_Encoding = 0 (0x0)
uPolicies-explorer: Btn_PrintPreview = 0 (0x0)
uPolicies-explorer: NoFavoritesMenu = 0 (0x0)
uPolicies-explorer: NoLogoff = 0 (0x0)
uPolicies-explorer: NoDeletePrinter = 0 (0x0)
uPolicies-explorer: NoAddPrinter = 0 (0x0)
uPolicies-explorer: NoPrinterTabs = 0 (0x0)
uPolicies-explorer: PromptRunasInstallNetPath = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoResolveSearch = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-explorer: StartRunNoHOMEPATH = 1 (0x1)
uPolicies-explorer: EnforceShellExtensionSecurity = 0 (0x0)
uPolicies-system: ConnectHomeDirToRoot = 0 (0x0)
uPolicies-system: HideLogonScripts = 0 (0x0)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: ProfileQuotaMessage = You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
uPolicies-system: MaxProfileSize = 10240 (0x2800)
uPolicies-system: WarnUserTimeout = 15 (0xf)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-explorer: NoBandCustomize = 0 (0x0)
mPolicies-system: disablecad = 0 (0x0)
mPolicies-system: MaxGPOScriptWait = 1800 (0x708)
dPolicies-explorer: Btn_Back = 0 (0x0)
dPolicies-explorer: Btn_Forward = 0 (0x0)
dPolicies-explorer: Btn_Stop = 0 (0x0)
dPolicies-explorer: Btn_Refresh = 0 (0x0)
dPolicies-explorer: Btn_Home = 0 (0x0)
dPolicies-explorer: Btn_Search = 0 (0x0)
dPolicies-explorer: Btn_History = 0 (0x0)
dPolicies-explorer: Btn_Favorites = 0 (0x0)
dPolicies-explorer: Btn_Media = 0 (0x0)
dPolicies-explorer: Btn_Folders = 0 (0x0)
dPolicies-explorer: Btn_Fullscreen = 0 (0x0)
dPolicies-explorer: Btn_Tools = 0 (0x0)
dPolicies-explorer: Btn_MailNews = 0 (0x0)
dPolicies-explorer: Btn_Size = 0 (0x0)
dPolicies-explorer: Btn_Print = 0 (0x0)
dPolicies-explorer: Btn_Edit = 0 (0x0)
dPolicies-explorer: Btn_Discussions = 0 (0x0)
dPolicies-explorer: Btn_Cut = 0 (0x0)
dPolicies-explorer: Btn_Copy = 0 (0x0)
dPolicies-explorer: Btn_Paste = 0 (0x0)
dPolicies-explorer: Btn_Encoding = 0 (0x0)
dPolicies-explorer: Btn_PrintPreview = 0 (0x0)
dPolicies-explorer: NoActiveDesktopChanges = 0 (0x0)
dPolicies-explorer: NoFavoritesMenu = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 0 (0x0)
dPolicies-explorer: NoLogoff = 0 (0x0)
dPolicies-explorer: NoClose = 0 (0x0)
dPolicies-explorer: NoSetFolders = 0 (0x0)
dPolicies-explorer: EnforceShellExtensionSecurity = 0 (0x0)
dPolicies-explorer: NoDeletePrinter = 0 (0x0)
dPolicies-explorer: NoAddPrinter = 0 (0x0)
dPolicies-explorer: NoPrinterTabs = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\progra~1\yahoo!\common\yhexbmesuk.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: CexTrayWinLogon - c:\program files\cryptoex\common\CexTrayWinLogon.dll
Notify: igfxcui - igfxsrvc.dll
SEH: {81559C35-8464-49F7-BB0E-07A383BEF910} - c:\program files\spywareguard\spywareguard.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-11-16 11:43 410,976 a------- c:\winnt\system32\deploytk.dll
2008-11-16 11:43 73,728 a------- c:\winnt\system32\javacpl.cpl
2008-11-13 12:20 161,792 a------- c:\winnt\SWREG.exe
2008-11-13 12:20 98,816 a------- c:\winnt\sed.exe
2008-11-12 15:15 <DIR> --d----- c:\program files\Visual CertExam Suite
2008-11-10 17:51 21,504 a------- c:\winnt\system32\2.8-Install.exe
2008-11-10 17:40 <DIR> --d----- c:\documents and settings\all users\~Backup
2008-10-26 08:42 108,336 a------- c:\winnt\system32\MSWINSCK.OCX
2008-10-21 10:00 56 a---h--- c:\winnt\system32\ezsidmv.dat
2008-10-21 09:54 <DIR> --d----- c:\program files\Skype

==================== Find3M ====================

2008-11-16 13:02 <DIR> --d----- c:\program files\OfficeScan NT
2008-11-06 20:48 <DIR> --d----- c:\program files\SpywareBlaster
2008-11-05 21:03 <DIR> --d----- c:\program files\SpywareGuard
2008-05-13 22:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-05-06 19:05 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\Malwarebytes
2008-05-06 19:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2007-12-25 16:41 <DIR> --d--r-- c:\docume~1\cavith~1.bal\applic~1\Brother
2007-12-16 16:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ScanSoft
2007-12-16 16:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Brother
2007-04-22 17:28 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\TVU Networks
2007-04-17 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2006-09-13 08:29 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\Snapfish
2006-07-26 10:51 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\CatPC
2006-05-02 14:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PreEmptive Solutions
2006-03-22 13:50 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\Aelita
2006-03-10 15:47 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\HAPedit
2006-01-19 16:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NETg
2005-10-21 15:16 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\Software
2005-10-20 08:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Macrovision
2005-07-29 14:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Driving Test Success
2005-05-09 09:59 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\FlashTalk Communications
2005-04-01 16:18 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\Netscape
2005-04-01 15:17 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\Retain International
2005-02-28 18:04 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\Registry Cleaner
2005-02-17 15:44 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\Microsoft Corporation
2005-01-11 08:30 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\Murasu
2004-11-16 18:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WinZip
2004-11-10 10:15 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\Visio
2004-11-05 11:14 <DIR> --d----- c:\docume~1\cavith~1.bal\applic~1\ManageSoft Corp
2003-12-16 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RWD
2003-11-10 11:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ManageSoft Corp
2007-04-17 20:42 32,768 a--sh--- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012007041720070418\index.dat

============= FINISH: 20:59:34.19 ===============

Thanks,
jmash
Old 11-18-2008, 02:33 PM   #17 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,426
OS: XP SP3


Re: Unwanted popups and malware in the system

Hello jmash. How is the machine behaving now?

------------------------------------------------------

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"=dword:00000000

SkipFix::

Save this Notepad file as CFScript.txt to your Desktop and then close the file.

[image: CFScript.txt being dragged onto ComboFix.exe]
Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix, please click Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'.

Save the logfile and post it here. Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
new HijackThis log
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
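The fix above hand-writes a CFScript that resets one policy value. As an added example (not from the thread, and not ComboFix's own code), the Python below parses the "Reg Loading Points" section of a ComboFix log, flags HKCU explorer policies that differ from an expected baseline plus Run entries annotated [X], and renders the matching Registry:: block. The sample log is constructed from entries in this thread with NoAutoUpdate set to 1 so the check fires; reading [X] as "target file not found" is an assumption about ComboFix's annotation.

```python
import re

# Constructed sample in ComboFix's "Reg Loading Points" format. Entries are taken
# from the log in this thread, with NoAutoUpdate changed to 1 to produce a hit.
SAMPLE_LOG = """REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"CatUserRun"="exec32" [X]
"ctfmon.exe"="c:\\winnt\\system32\\ctfmon.exe" [2004-08-04 15360]

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\explorer]
"Btn_Back"= 0 (0x0)
"NoAutoUpdate"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"= 1 (0x1)   -> a DWORD policy value as ComboFix prints it
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(-?\d+)\s+\(0x[0-9A-Fa-f]+\)$')
# "Name"="command" [annotation] -> a Run entry; annotation is a date and size,
# or X (assumed here to mean ComboFix could not find the target file)
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[([^\]]*)\]$')

# Per-user explorer policies a clean profile should not carry. NoAutoUpdate is the
# one reset in this thread; extend the baseline as the environment requires.
EXPECTED_POLICIES = {"NoAutoUpdate": 0}


def parse_loading_points(text):
    """Parse the REGEDIT4-style dump into (policies, run_entries).

    policies maps (key, value_name) -> decimal DWORD for policies\\explorer keys;
    run_entries is a list of (key, name, command, annotation) for Run keys.
    """
    policies = {}
    run_entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or not line:
            continue
        lowered = key.lower()
        m = DWORD_RE.match(line)
        if m and lowered.endswith("\\policies\\explorer"):
            policies[(key, m.group(1))] = int(m.group(2))
            continue
        m = RUN_RE.match(line)
        if m and lowered.endswith("\\run"):
            run_entries.append((key, m.group(1), m.group(2), m.group(3)))
    return policies, run_entries


def audit(policies, run_entries):
    """Return findings as (kind, key, name, observed) tuples."""
    findings = []
    for (key, name), value in policies.items():
        if (key.lower().startswith("hkey_current_user")
                and name in EXPECTED_POLICIES
                and value != EXPECTED_POLICIES[name]):
            findings.append(("policy", key, name, value))
    for key, name, command, annotation in run_entries:
        if annotation == "X":  # autorun whose target is missing: orphaned loader
            findings.append(("orphan-run", key, name, command))
    return findings


def build_cfscript(findings):
    """Render the Registry:: block that resets every flagged policy."""
    by_key = {}
    for kind, key, name, _ in findings:
        if kind == "policy":
            by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        for name in names:
            lines.append('"%s"=dword:%08x' % (name, EXPECTED_POLICIES[name]))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    pols, runs = parse_loading_points(SAMPLE_LOG)
    for finding in audit(pols, runs):
        print(finding)
    print(build_cfscript(audit(pols, runs)))
```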
Old 11-19-2008, 01:18 PM   #18 (permalink)
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Re: Unwanted popups and malware in the system

Hi Chemist,

The system looks much more stable now. No popups are appearing. The only thing is that the system is slower than before in responding while switching between windows.


Here are the logs.

a. ComboFix.txt
ComboFix 08-11-18.02 - Cav.Bal 2008-11-18 22:33:56.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.148 [GMT 0:00]
Running from: c:\documents and settings\cav.bal\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\cav.bal\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-18 22:22 . 2008-11-18 22:22 388,608 --a------ c:\winnt\system32\CF16874.exe.vir
2008-11-16 11:43 . 2008-11-16 11:43 410,976 --a------ c:\winnt\system32\deploytk.dll
2008-11-16 11:43 . 2008-11-16 11:43 73,728 --a------ c:\winnt\system32\javacpl.cpl
2008-11-12 15:15 . 2008-11-12 21:53 <DIR> d-------- c:\program files\Visual CertExam Suite
2008-11-10 18:51 . 2008-11-10 18:51 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-10 17:40 . 2008-11-10 17:40 <DIR> d-------- c:\documents and settings\All Users\~Backup
2008-10-26 08:42 . 2008-10-26 08:42 108,336 --a------ c:\winnt\system32\MSWINSCK.OCX
2008-10-21 10:00 . 2008-11-16 11:36 <DIR> d-------- c:\documents and settings\cav.bal\Application Data\skypePM
2008-10-21 10:00 . 2008-10-21 10:00 56 --ah----- c:\winnt\system32\ezsidmv.dat
2008-10-21 09:56 . 2008-11-16 14:16 <DIR> d-------- c:\documents and settings\cav.bal\Application Data\Skype
2008-10-21 09:55 . 2008-11-05 20:56 <DIR> d-------- c:\program files\Google
2008-10-21 09:54 . 2008-10-21 09:55 <DIR> d-------- c:\program files\Skype
2008-10-21 09:54 . 2008-10-21 09:54 <DIR> d-------- c:\program files\Common Files\Skype
2008-10-21 09:54 . 2008-10-21 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 13:02 --------- d-----w c:\program files\OfficeScan NT
2008-11-16 11:43 --------- d-----w c:\program files\Java
2008-11-12 15:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 20:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 20:48 --------- d-----w c:\program files\SpywareBlaster
2008-11-05 21:03 --------- d-----w c:\program files\SpywareGuard
2008-10-06 09:04 201 ---ha-w c:\documents and settings\cav.bal\Application Data\hpothb07.dat
2008-10-06 09:03 172 ---ha-w c:\documents and settings\Anthony.D.Roberts\hpothb07.dat
2008-10-06 09:03 0 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2006-02-13 16:20 32,064 ----a-w c:\documents and settings\cav.bal\Application Data\GDIPFONTCACHEV1.DAT
2005-04-26 08:48 57,344 ----a-w c:\program files\internet explorer\plugins\PluginWrapper.dll
2007-04-17 20:42 32,768 --sha-w c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007041720070418\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-13_12.58.59.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-11-16 18:58:46 632,320 ----a-r c:\winnt\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}\IconCD95F66110.exe
+ 2004-11-16 18:58:46 29,184 ----a-r c:\winnt\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}\IconCD95F6617.exe
+ 2004-11-16 19:28:23 7,168 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\App_GlobalResources.mqt_777l.dll
+ 2004-11-16 19:29:16 40,960 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\App_LocalResources.root.qjws4xqi.dll
+ 2004-11-16 19:29:34 180,224 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\App_Web_4vuyh8pc.dll
+ 2004-11-16 19:29:23 32,768 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\App_Web_aspnetforummaster.master.cdcab7d2.mlf8dtfi.dll
+ 2004-11-16 19:29:37 57,344 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\App_Web_n0bvci5r.dll
+ 2004-11-16 19:27:54 172,032 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\assembly\dl3\f2cd750d\00b374ce_5e3fc901\aspnetforum.DLL
+ 2004-11-16 19:28:14 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\da-DK\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:11 45,056 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\da-DK\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:17 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\de\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:05 45,056 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\de\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:19 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\es\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:12 45,056 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\es\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:18 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\fr\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:09 45,056 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\fr\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:18 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\he\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:07 45,056 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\he\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:21 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\it\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:13 45,056 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\it\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:21 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\nl\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:13 45,056 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\nl\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:19 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\pl\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:10 45,056 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\pl\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:29:03 45,056 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\pt-br\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:22 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\pt-pt\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:16 45,056 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\pt-pt\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:16 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\sv\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:04 40,960 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\sv\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:15 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\tr\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:00 32,768 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\tr\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 19:28:22 4,608 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\zh-cn\App_GlobalResources.mqt_777l.resources.dll
+ 2004-11-16 19:29:15 40,960 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspnetforum_trial\55d3cade\70010be7\zh-cn\App_LocalResources.root.qjws4xqi.resources.dll
+ 2004-11-16 21:24:24 10,752 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\App_Code.bsgxg1bp.dll
+ 2004-11-16 21:24:26 8,704 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\App_global.asax.n8zqe6hu.dll
+ 2004-11-16 21:24:21 7,680 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\App_GlobalResources.wlj_nhcg.dll
+ 2004-11-16 21:24:33 5,632 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\App_Web_foot.ascx.cc671b29.vpbxdpos.dll
+ 2004-11-16 21:24:30 12,800 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\App_Web_login.ascx.cc671b29.zgdrxuof.dll
+ 2004-11-16 21:24:34 10,752 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\App_Web_masterpage.master.28963a75.zse0oytn.dll
+ 2004-11-16 21:24:31 6,656 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\App_Web_menu.ascx.cc671b29.bvozn2tb.dll
+ 2004-11-16 21:24:32 5,632 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\App_Web_rssnews.ascx.cc671b29.lxqxghbe.dll
- 2008-11-09 23:39:10 20,480 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\assembly\dl3\56d6c1ef\b497b14d_be35c901\PortraitSupport.HttpExtensions.DLL
+ 2004-11-16 21:23:28 20,480 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\assembly\dl3\56d6c1ef\b497b14d_be35c901\PortraitSupport.HttpExtensions.DLL
- 2008-11-09 23:39:11 94,208 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\assembly\dl3\a0c881c5\92967345_be35c901\PSTrackerDAL.DLL
+ 2004-11-16 21:23:29 94,208 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\assembly\dl3\a0c881c5\92967345_be35c901\PSTrackerDAL.DLL
- 2008-11-09 23:39:11 24,576 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\assembly\dl3\a83ed8d4\14728b4d_be35c901\PortraitSupport.WebControls.DLL
+ 2004-11-16 21:23:28 24,576 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\assembly\dl3\a83ed8d4\14728b4d_be35c901\PortraitSupport.WebControls.DLL
- 2008-11-09 23:39:10 253,952 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\assembly\dl3\ddc9964c\00e34c3d_30dbc601\NLog.DLL
+ 2004-11-16 21:23:27 253,952 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\assembly\dl3\ddc9964c\00e34c3d_30dbc601\NLog.DLL
- 2008-11-09 23:39:10 20,480 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\assembly\dl3\f320259e\210cb327_d531c801\PortraitSupport.HttpModules.DLL
+ 2004-11-16 21:23:28 20,480 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\assembly\dl3\f320259e\210cb327_d531c801\PortraitSupport.HttpModules.DLL
+ 2004-11-16 21:24:15 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\da-DK\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:24:09 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\de\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:24:05 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\es\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:24:11 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\fr\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:24:10 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\he\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:24:16 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\it\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:24:16 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\nl\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:24:13 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\pl\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:24:19 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\pt-pt\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:24:07 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\sv\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:23:55 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\tr\App_GlobalResources.wlj_nhcg.resources.dll
+ 2004-11-16 21:24:18 5,120 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\pstrackerweb\0ac496fa\46106f3f\zh-cn\App_GlobalResources.wlj_nhcg.resources.dll
+ 2005-11-16 18:34:19 53,248 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\App_Code.gy0fthxp.dll
+ 2005-11-16 18:35:52 13,824 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\App_Web_2haz43pw.dll
+ 2005-11-16 18:34:00 701,816 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\35826c8f\00a216c7_1f41c801\System.Web.Extensions.DLL
+ 2005-11-16 18:33:58 114,688 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\3916b398\0058873c_b027c901\CookComputing.XmlRpcV2.DLL
+ 2005-11-16 18:33:58 61,440 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\3aa97ab4\d08e9de6_daeac501\Intelligencia.UrlRewriter.DLL
+ 2005-11-16 18:34:01 98,304 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\453c44e2\00512794_dbeac501\YAF.Classes.Data.DLL
+ 2005-11-16 18:34:01 53,248 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\491d7202\302d5b96_dbeac501\YAF.Classes.UI.DLL
+ 2005-11-16 18:34:02 147,456 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\956ffeae\d0a06395_dbeac501\YAF.Classes.Utils.DLL
+ 2005-11-16 18:34:01 20,480 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\b8995cba\a06be692_dbeac501\YAF.Classes.Config.DLL
+ 2005-11-16 18:33:59 42,360 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\bf09550c\00a216c7_1f41c801\System.Web.Extensions.Design.DLL
+ 2005-11-16 18:34:02 57,344 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\dff0ef69\40caedf6_daeac501\YAF.Providers.DLL
+ 2005-11-16 18:33:57 1,179,648 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\e588b9a6\0000b6a9_fcbfc801\AjaxControlToolkit.DLL
+ 2005-11-16 18:34:00 28,672 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\eab0eb95\001ecde2_daeac501\YAF.Classes.Base.DLL
+ 2005-11-16 18:34:02 102,400 ----a-w c:\winnt\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\yetanotherforum.net\a63fee7b\f628b3ec\assembly\dl3\ffb939d7\e0f84497_dbeac501\YAF.Controls.DLL
- 2008-01-09 07:27:03 135,168 ----a-w c:\winnt\system32\java.exe
+ 2008-11-16 11:43:17 144,792 ----a-w c:\winnt\system32\java.exe
- 2008-01-09 07:27:03 135,168 ----a-w c:\winnt\system32\javaw.exe
+ 2008-11-16 11:43:17 144,792 ----a-w c:\winnt\system32\javaw.exe
- 2008-01-09 07:27:03 139,264 ----a-w c:\winnt\system32\javaws.exe
+ 2008-11-16 11:43:17 148,888 ----a-w c:\winnt\system32\javaws.exe
+ 2007-07-27 15:49:02 196,683 ----a-w c:\winnt\system32\lnod32apiA.dll
+ 2007-07-27 15:49:02 225,355 ----a-w c:\winnt\system32\lnod32apiW.dll
+ 2005-12-05 20:25:22 139,264 ----a-w c:\winnt\system32\lnod32umc.dll
+ 2005-12-05 13:37:10 106,496 ----a-w c:\winnt\system32\lnod32upd.dll
+ 2007-08-02 18:11:28 253,952 ----a-w c:\winnt\system32\OnlineScannerDLLA.dll
+ 2007-08-02 18:11:14 241,664 ----a-w c:\winnt\system32\OnlineScannerDLLW.dll
+ 2007-08-06 13:17:40 19,456 ----a-w c:\winnt\system32\OnlineScannerLang.dll
+ 2007-06-13 11:10:34 77,824 ----a-w c:\winnt\system32\OnlineScannerUninstaller.exe
+ 2004-12-07 11:11:34 258,352 ----a-w c:\winnt\system32\unicows.dll
+ 2007-01-08 19:15:18 176,195 ----a-w c:\winnt\temp\NV1921.EXE
+ 2008-11-16 12:38:19 16,384 ----atw c:\winnt\temp\Perflib_Perfdata_5e0.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CatUserRun"="exec32" [X]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-01-24 114688]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\\FaxCtrl.exe" [2003-07-17 114688]
"Synchronization Manager"="c:\winnt\system32\mobsync.exe" [2004-08-04 143360]
"NeroCheck"="c:\program files\Ahead\\Nero\NeroCheck.exe" [2001-07-09 155648]
"DirXconnect settings"="c:\\PROGRA~1\SIE\DIRXDI~1\dxdSetup.exe" [2000-03-21 106561]
"OfficeScanNT Monitor"="c:\program files\OfficeScan NT\pccntmon.exe" [2007-01-08 356429]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-09-07 77824]
"SIECACST"="c:\program files\Sie\Card API\bin\siecacst.exe" [2005-02-01 45056]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2005-11-10 212992]
"Migrator"="c:\program files\CryptoEx\Migrator\Migrator.exe" [2004-10-26 290816]
"CryptoExTrayV3"="c:\program files\CryptoEx\Common\CexTray.exe" [2005-03-01 909312]
"SchedulingAgent_nDG"="c:\program files\ManageSoft\Schedule Agent\ndschedag.exe" [2006-07-27 1183744]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-16 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\GetFlash.exe" [2003-09-04 94208]

c:\documents and settings\cav.bal\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"MaxGPOScriptWait"= 1800 (0x708)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"EnableProfileQuota"= 1 (0x1)
"ProfileQuotaMessage"= You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"= 10240 (0x2800)
"WarnUserTimeout"= 15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"StartRunNoHOMEPATH"= 1 (0x1)
"EnforceShellExtensionSecurity"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoSetActiveDesktop"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="SGPro.exe /shell"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CexTrayWinLogon]
2005-01-26 12:25 57344 c:\program files\CryptoEx\Common\CexTrayWinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=CBEShutdown.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\1\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=catstart.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\GB001.sie.net\sysvol\GB001.sie.net\scripts\CatPC\CAT Basic Environment\Setup\Setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=DeployCentennialAgent.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=bnls299acmdline.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-1152\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-31563\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1960408961-725345543-468838394-34625\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-450047656-3918250416-1063027673-500\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Achernar;Achernar - SCSI Command Filters;c:\winnt\system32\Drivers\Achernar.sys [2006-03-15 16855]
R2 CBBS;CAT Bulletin Board;c:\program files\sie\CAT Bulletin Board\CBBS.exe [2002-06-20 65536]
R2 mgsdl;ManageSoft Peer-to-Peer Download Service;"c:\program files\ManageSoft\Launcher\mgsdl.exe" [2006-07-27 1286144]
R2 ndGlobalLauncher;ManageSoft installation agent;"c:\program files\ManageSoft\Launcher\ndserv.exe" [2006-07-27 2539520]
R2 ndinit;ManageSoft managed device;"c:\program files\ManageSoft\Schedule Agent\ndinit.exe" [2006-07-27 655360]
R2 openFT FTNEA;openFT Server;"c:\program files\openFT\bin\NEACTRLS.EXE" [2003-11-12 253952]
R2 openFT Security Server;openFT Security Server;"c:\program files\openFT\bin\SECSERV.EXE" [2003-11-12 86016]
R2 usbdisk;usbdisk;\??\c:\winnt\system32\usbdisk.sys [2003-09-02 2176]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\winnt\system32\Drivers\Aldebaran.sys [2006-03-15 21808]
S2 CatSystemSvc;CatSystem;c:\winnt\CatPC\CATSYS\CatSystemSvc.exe [2005-06-17 439808]
S3 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 199384]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

*Newly Created Service* - MACROMEDIA_LICENSING_SERVICE
*Newly Created Service* - NTRTSCAN
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 22:35:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"
.
Completion time: 2008-11-18 22:52:30
ComboFix-quarantined-files.txt 2008-11-18 22:52:03
ComboFix2.txt 2008-11-16 10:53:57
ComboFix3.txt 2008-11-15 12:58:55
ComboFix4.txt 2008-11-13 13:30:33

Pre-Run: 6,166,142,976 bytes free
Post-Run: 6,157,094,912 bytes free

328


B. Hijackthis.log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:08, on 2008-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ManageSoft\Launcher\mgsdl.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\openFT\bin\SECSERV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\openFT\bin\NEACTRLS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\TEMP\NV1921.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe
C:\Program Files\Siemens\Card API\bin\siecacst.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\OfficeScan NT\Pop3Trap.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\taskmgr.exe
C:\users\Mahesh\software\Cavitha.Balamurugesa.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pacs.erl.sbs.de/sbs.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.siemens.net:80;https=mddmproxy.gb001.siemens.net:80;ftp=mddmproxy.gb001.siemens.net:80;gopher=localhost:1;socks=proxy1.sbs.siemens.co.uk:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.sitest.net;*.siemens.net;*.siemens.de;<local>
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\Program Files\Ahead\\Nero\NeroCheck.exe
O4 - HKLM\..\Run: [DirXconnect settings] C:\\PROGRA~1\SIEMENS\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1960408961-725345543-468838394-1152\..\Policies\Explorer\Run: [1] \\gb001.siemens.net\DFSRoot\NCIP_SBS\SBS\NT4 Printer Migration\MigrateClientPrinters.bat (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/members/
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1176402450038
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GB001.siemens.net
O17 - HKLM\Software\..\Telephony: DomainName = GB001.siemens.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GB001.siemens.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GB001.siemens.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GB001.siemens.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O23 - Service: CatSystem (CatSystemSvc) - Siemens AG - C:\WINNT\CatPC\CATSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - -C:\WINNT\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ManageSoft Peer-to-Peer Download Service (mgsdl) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\mgsdl.exe
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
O23 - Service: openFT Server (openFT FTNEA) - Fujitsu Siemens Computers GmbH - C:\Program Files\openFT\bin\NEACTRLS.EXE
O23 - Service: openFT Security Server - Fujitsu Siemens Computers GmbH - C:\Program Files\openFT\bin\SECSERV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

--
End of file - 9989 bytes


Thanks,
jmash
jmash is offline  
Old 11-19-2008, 03:36 PM   #19 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,426
OS: XP SP3


Re: Unwanted popups and malware in the system

Hello jmash. Not sure about the lag while switching between windows.

You would probably be better served about that in our Windows XP Support Forum

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c del /a/q "c:\winnt\system32\CF16874.exe.vir"

A DOS window will open and close again, this is normal.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the ESET report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:
combofix /u
This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore points which contain previous infections, and create a fresh, clean System Restore point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Spybot - Search & Destroy is an excellent spyware remover and also offers real-time protection against critical registry changes. Don't use the Immunize feature in Spybot if you use SpywareBlaster. See tutorial here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
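As an added illustration of the HOSTS-file mechanism recommended in the post above (example code, not part of the thread or of the MVPS project), this Python snippet parses a small constructed HOSTS file and shows which names get sinkholed to 127.0.0.1 and the exact-match caveat that comes with it; every domain in it is made up.

```python
"""Added example (not from the thread): how a HOSTS-file block list works.

The post above recommends the MVPS HOSTS file, which maps known ad and
malware domains to 127.0.0.1 so the PC never reaches them.  This constructed
sample shows how a resolver treats such a file and one caveat worth knowing:
HOSTS entries are exact-match, so a subdomain that is not listed is NOT blocked.
"""
import ipaddress

# Constructed sample in Windows HOSTS format (not the real MVPS file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ad.example-tracker.test   # [Ad tracker]  constructed entry
0.0.0.0    popups.example-malware.test   # some lists use 0.0.0.0 instead
127.0.0.1  banner.example-ads.test  cdn.example-ads.test
"""

# Addresses that a block list uses as a sink: the request goes nowhere.
LOOPBACK_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} for every mapping in a HOSTS file.

    Handles '#' comments (whole-line and trailing), blank lines and
    several hostnames on one line, as the HOSTS format allows.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: a resolver ignores it as well
        for host in fields[1:]:
            mapping.setdefault(host.lower(), ip)  # keep the first mapping seen
    return mapping


def is_sinkholed(hostname, mapping):
    """True if HOSTS sends this exact name to a non-routable sink."""
    ip = mapping.get(hostname.lower().rstrip("."))
    return ip is not None and ip in LOOPBACK_SINKS


def blocked_hosts(mapping):
    """Every name the file sinkholes, excluding the loopback alias itself."""
    return sorted(h for h, ip in mapping.items()
                  if ip in LOOPBACK_SINKS and h != "localhost")


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_hosts(table))
    # The subdomain is not listed, so HOSTS alone does not stop it.
    print("www.ad.example-tracker.test blocked?",
          is_sinkholed("www.ad.example-tracker.test", table))
```

The last check is the practical point: a HOSTS list only covers names spelled out in it, which is why the post pairs it with IE Restricted-sites tools rather than relying on it alone.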
Old 11-21-2008, 02:47 PM   #20 (permalink)
Registered User
 
Join Date: May 2008
Posts: 18
OS: xp SP2


Re: Unwanted popups and malware in the system

Many thanks Chemist, for all your support and help throughout this issue, especially your patience.

I will also follow your guidelines and keep a vigil in the future.

I don't know how to thank you really, but I thought I would make at least a small donation, which is in no way proportional to the great help I received from you.


Wish you guys keep up this great social spirit,
jmash
jmash is offline  
Copyright 2001 - 2009, Tech Support Forum