PHYSICIAN needs help---PLEASE! [RESOLVED]


This topic is locked

#1 gulu75 (New Member, 9 posts)
Hello All,

I use my computer to access clinic and hospital patient items. My nephew came over some time ago and downloaded who knows what. Long story short: we are having persistent problems with pop-ups, up to 10-15 at a time when accessing IE. I am not smart enough to figure out what to delete, but am smart enough to have realized that when it comes to computers, leave it to the professionals. If anyone can PLEASE help I would greatly appreciate it; it is really difficult to take care of patient issues for the sick ones in the hospital, etc. Thanks in advance. Below is my log.


1 0.0% F3 run="C:\WINDOWS\system32\winupdate.exe"
2 0.1% O16 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
3 0.1% O16 {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
4 0.0% O16 {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
5 0.0% O16 {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
6 0.0% O16 {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
7 0.0% O16 {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.115...yerWeb11gv2.cab
8 0.0% O16 {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
9 2.5% O2 Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
10 0.6% O2 (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
11 7.0% O22 Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
12 6.7% O22 Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
13 2.3% O23 Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
14 2.3% O23 InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
15 1.5% O23 ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
16 1.0% O23 AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
17 1.0% O23 AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
18 1.0% O23 iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
19 0.7% O23 AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
20 0.6% O23 NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
21 0.2% O23 Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
22 0.1% O23 LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
23 0.1% O23 LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
24 0.0% O23 Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
25 0.0% O23 Security Service (EUMX) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
26 3.5% O4 [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
27 1.9% O4 Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
28 1.7% O4 [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
29 1.0% O4 [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
30 0.9% O4 [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
31 0.7% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
32 0.6% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
33 0.6% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
34 0.5% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
35 0.4% O4 [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
36 0.3% O4 [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
37 0.2% O4 [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
38 0.1% O4 [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
39 0.0% O4 HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
40 0.0% O4 [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
41 0.0% O4 eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
42 0.0% O4 [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
43 0.0% O4 [ICDRegOCX0] rundll32.exe advpack.dll,RegisterOCX C:\WINDOWS\Downloaded Program Files\RACtrl.dll
44 1.6% O8 E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
45 6.3% O9 Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
46 6.2% O9 Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
47 1.7% O9 Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
48 0.1% O9 (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
49 0.0% O9 Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
50 12.1% P01 C:\WINDOWS\Explorer.EXE
51 11.8% P01 C:\WINDOWS\system32\svchost.exe
52 11.8% P01 C:\WINDOWS\system32\lsass.exe
53 11.8% P01 C:\WINDOWS\system32\winlogon.exe
54 11.8% P01 C:\WINDOWS\system32\services.exe
55 11.8% P01 C:\WINDOWS\System32\smss.exe
56 11.4% P01 C:\WINDOWS\system32\spoolsv.exe
57 3.0% P01 C:\WINDOWS\system32\wuauclt.exe
58 2.9% P01 C:\WINDOWS\system32\Ati2evxx.exe
59 1.8% P01 C:\Program Files\iPod\bin\iPodService.exe
60 1.7% P01 C:\Program Files\iTunes\iTunesHelper.exe
61 1.0% P01 C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
62 1.0% P01 C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
63 1.0% P01 C:\WINDOWS\System32\dllhost.exe
64 0.8% P01 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
65 0.7% P01 C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
66 0.6% P01 C:\WINDOWS\System32\MsPMSPSv.exe
67 0.5% P01 C:\WINDOWS\system32\inetsrv\inetinfo.exe
68 0.5% P01 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
69 0.5% P01 C:\WINDOWS\System32\snmp.exe
70 0.3% P01 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
71 0.2% P01 c:\progra~1\intern~1\iexplore.exe
72 0.2% P01 C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
73 0.1% P01 C:\Program Files\LogMeIn\LogMeInSystray.exe
74 0.1% P01 C:\Program Files\LogMeIn\LogMeIn.exe
75 0.1% P01 C:\Program Files\LogMeIn\RaMaint.exe
76 0.1% P01 C:\Program Files\Palm\Hotsync.exe
77 0.0% P01 C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
78 0.0% P01 C:\Program Files\eFax Messenger 4.3\J2GTray.exe
79 0.0% P01 C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
80 0.0% P01 C:\Documents and Settings\The Reddy's\Desktop\Virus Software\HiJackThis_v2.exe
81 0.0% P01 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
82 0.0% P01 C:\WINDOWS\system32\svcd\svchost.exe

Edited by gulu75, 27 January 2008 - 09:19 PM.


#2 gulu75 (Topic Starter, New Member, 9 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:49 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\dllhost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [ICDRegOCX0] rundll32.exe advpack.dll,RegisterOCX C:\WINDOWS\Downloaded Program Files\RACtrl.dll
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.115...yerWeb11gv2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Security Service (EUMX) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 6913 bytes
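The log above contains the entries a helper would pick out by eye: a second svchost.exe running from a subdirectory of System32, a win.ini run= line, and a service with no vendor name. As an added example (not part of this thread, of HijackThis, or of any forum tool), the Python below applies those checks to HijackThis log lines: a core system binary name such as svchost.exe running from anywhere but %SystemRoot%\System32 (or SysWOW64), an F3 win.ini run= autostart, an O23 service marked "Unknown owner", and an O16 ActiveX control fetched from a private LAN address. The heuristics, severity levels and directory list are my assumptions, not an authoritative ruleset; the sample lines are copied from the log as posted, including the forum's "..." truncation of the O16 URL.

```python
"""Triage HijackThis (HJT) log lines with a few path- and section-based heuristics.

Added example for this thread, not code from HijackThis or any forum tool.
Assumptions (mine, not an authoritative ruleset):
  * svchost.exe, lsass.exe, etc. legitimately live directly in %SystemRoot%\\System32
    (or SysWOW64 on 64-bit); the same name anywhere else is a red flag
  * an F3 'win.ini run=' entry is a legacy autostart that current software rarely uses
  * an O23 'Unknown owner' service merely lacks vendor info; alone it is informational
  * an O16 DPF control served from a private (RFC 1918) address is noted, not condemned
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above (the forum
# truncated the O16 URL with "..."; it is left exactly as posted).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svcd\svchost.exe
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.115...yerWeb11gv2.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Security Service (EUMX) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
"""

# Names that only belong directly in the system directory (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe"}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|sys)\b', re.IGNORECASE)
_IPV4_IN_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Finding:
    section: str   # HJT section (F3, O4, O16, O23, ...) or PROC for a running-process line
    severity: str  # "high" or "info"
    reason: str
    line: str


def misplaced_system_binary(path: str) -> bool:
    """True when a core system binary name runs from outside the assumed legit dirs."""
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_BINARIES and directory not in LEGIT_SYSTEM_DIRS


def private_host_in_url(line: str) -> str | None:
    """Dotted-quad host of an http(s) URL in the line, if it is a private address."""
    m = _IPV4_IN_URL_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    return str(ip) if ip.is_private else None


def triage(log_text: str) -> list[Finding]:
    """One Finding per suspicious line; reasons on the same line are joined with '; '."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0] if " - " in line else "PROC"
        m = _PATH_RE.search(line)
        path = m.group(0) if m else None
        reasons: list[str] = []
        severity = None
        if path and misplaced_system_binary(path):
            reasons.append(f"core system binary name outside System32: {path}")
            severity = "high"
        if section == "F3" and "run=" in line.lower():
            reasons.append("win.ini run= autostart (legacy mechanism, verify the target)")
            severity = "high"
        if section == "O23" and "unknown owner" in line.lower():
            reasons.append("service binary carries no vendor information")
            severity = severity or "info"
        host = private_host_in_url(line) if section == "O16" else None
        if host:
            reasons.append(f"ActiveX control served from private address {host}")
            severity = severity or "info"
        if reasons:
            findings.append(Finding(section, severity, "; ".join(reasons), line))
    return findings


def high_severity_lines(log_text: str) -> list[str]:
    """The raw lines a helper would act on first."""
    return [f.line for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section:4} {f.reason}")
```

Run it on a full log by reading the file into triage(). The "info" findings (ATI Smart's missing vendor string, a webcam control on the LAN) are context rather than verdicts, which is why only the combination with a misplaced svchost.exe marks the EUMX service as high.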

#3 Ryan (Member 4k, 4,867 posts)
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

-Ryan

#4 gulu75 (Topic Starter, New Member, 9 posts)
ComboFix 08-01-23.1C - The Reddy's 2008-01-27 21:47:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.528 [GMT -6:00]
Running from: C:\Documents and Settings\The Reddy's\Local Settings\Temporary Internet Files\Content.IE5\F1RG1ZB8\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\The Reddy's\Application Data\macromedia\Flash Player\#SharedObjects\DJ87QVTF\www.broadcaster.com
C:\Documents and Settings\The Reddy's\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\The Reddy's\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\outlook
C:\Program Files\winupdates
C:\temp\tn3
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\wnsapiisv32.exe
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core
-------\ntload


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 21:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 21:43 . 2008-01-27 21:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 14:52 . 2008-01-11 14:52 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-01-11 14:52 . 2008-01-27 21:57 114 --a------ C:\WINDOWS\system32\url3
2008-01-11 14:52 . 2008-01-27 21:57 102 --a------ C:\WINDOWS\system32\url2
2008-01-11 14:52 . 2008-01-27 21:57 102 --a------ C:\WINDOWS\system32\url1
2008-01-11 14:52 . 2008-01-27 21:57 8 --a------ C:\WINDOWS\system32\CID
2008-01-11 14:52 . 2008-01-17 17:25 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-11 14:51 . 2008-01-17 17:25 34,816 --a------ C:\info.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 02:24 --------- d-----w C:\Program Files\LogMeIn
2008-01-27 19:49 --------- d-----w C:\Program Files\Common Files\Skyscape
2008-01-14 02:36 --------- d-----w C:\Program Files\BearShare
2007-12-28 04:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 04:23 --------- d-----w C:\Program Files\Palm
2007-12-28 04:16 --------- d-----w C:\Program Files\Epocrates
2007-12-28 03:34 724,992 ----a-w C:\WINDOWS\iun6002.exe
2007-12-28 03:23 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-12-28 03:23 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-12-21 04:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-13 20:46 --------- d-----w C:\Program Files\Common Files\Motive
2007-12-13 20:46 --------- d-----w C:\Program Files\ATT
2005-07-29 21:24 472 --sha-r C:\WINDOWS\SGFyaSBhbmQgQ2hhbmRhbmE\m3IVum11vAk0kZ11vAl1vAH.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe" [2006-05-10 13:52 249856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43 53248]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 17:12 777424]
"LogMeIn GUI"="C:\Program Files\LogMeIn\LogMeInSystray.exe" [2006-07-21 12:15 303856]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 11:21 116224]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:30 579072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-06 18:36 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-04-28 12:01:15 629248]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-07-21 12:15 11496 C:\WINDOWS\system32\LMIinit.dll

R2 EUMX;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-01-11 14:51]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys [2006-07-21 12:15]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 01:56]
S3 Phal;Phal - Logitech io2 USB driver;C:\WINDOWS\system32\Drivers\LPhalUsb.sys []
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:59:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 21:57:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 22:00:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-28 04:00:49
.
2008-01-09 09:02:29 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:03 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.115...yerWeb11gv2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Security Service (EUMX) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 6773 bytes
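The "Files Created" section of the ComboFix log above shows seven entries created within one minute of each other on 2008-01-11 (info.exe, the svcd directory, url1 to url3, CID and SvcNm), and the same minute is stamped on the EUMX service's binary in the R2 line. As an added example, not code from ComboFix or from this thread, the Python below parses that section as I read its layout (created date and time, a dot, modified date and time, size or <DIR>, attributes, path), clusters entries whose creation times fall within a short window, and then reports services from the R2/S3 lines whose binary date or path ties them to a cluster. The layout reading, the 2-minute window and the 3-entry threshold are my assumptions; the sample lines are copied from the log as posted.

```python
"""Cluster ComboFix 'Files Created' entries by creation time and tie services to a cluster.

Added example for this thread, not code from ComboFix or the forum's tooling.
Layout assumption (my reading of the log posted above):
  <created date> <created time> . <modified date> <modified time> <size|<DIR>> <attrs> <path>
Service lines are read as:  R2|S3 <name>;<display name>;<binary path> [<date time>]
The 2-minute window and 3-entry threshold are my choices.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed samples: lines copied from the ComboFix log posted above.
SAMPLE_CREATED = r"""
2008-01-27 21:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 21:43 . 2008-01-27 21:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 14:52 . 2008-01-11 14:52 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-01-11 14:52 . 2008-01-27 21:57 114 --a------ C:\WINDOWS\system32\url3
2008-01-11 14:52 . 2008-01-27 21:57 102 --a------ C:\WINDOWS\system32\url2
2008-01-11 14:52 . 2008-01-27 21:57 102 --a------ C:\WINDOWS\system32\url1
2008-01-11 14:52 . 2008-01-27 21:57 8 --a------ C:\WINDOWS\system32\CID
2008-01-11 14:52 . 2008-01-17 17:25 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-11 14:51 . 2008-01-17 17:25 34,816 --a------ C:\info.exe
"""
SAMPLE_SERVICES = r"""
R2 EUMX;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-01-11 14:51]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys [2006-07-21 12:15]
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys []
"""

_STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
_FMT = "%Y-%m-%d %H:%M"
_ENTRY_RE = re.compile(rf"^({_STAMP}) \. ({_STAMP})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
_SERVICE_RE = re.compile(rf"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s*(?:\[({_STAMP})?\])?$")


def parse_created(text: str) -> list[tuple[datetime, str]]:
    """(created, path) pairs from a 'Files Created' section, oldest first."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), _FMT), m.group(5).strip()))
    return sorted(entries)


def cluster_by_creation(entries, window=timedelta(minutes=2), min_size=3):
    """Group consecutive entries created within `window` of the previous entry.

    Only groups of at least `min_size` entries are returned: a burst of new files
    in one minute is what a dropper leaves behind, a lone file usually is not.
    """
    clusters, current = [], []
    for created, path in entries:
        if current and created - current[-1][0] > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append((created, path))
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def services_tied_to_cluster(services_text, cluster, window=timedelta(minutes=2)):
    """Service names whose binary date falls in the cluster's span (plus `window`
    on each side) or whose binary path sits under a directory created in the cluster."""
    start, end = cluster[0][0] - window, cluster[-1][0] + window
    dirs = {path.lower() for _, path in cluster}
    hits = []
    for line in services_text.splitlines():
        m = _SERVICE_RE.match(line.strip())
        if not m:
            continue
        name, binary, stamp = m.group(1), m.group(3).lower(), m.group(4)
        in_span = stamp is not None and start <= datetime.strptime(stamp, _FMT) <= end
        under_dir = any(binary.startswith(d + "\\") for d in dirs)
        if in_span or under_dir:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for cluster in cluster_by_creation(parse_created(SAMPLE_CREATED)):
        print(f"{len(cluster)} entries created {cluster[0][0]} .. {cluster[-1][0]}")
        for created, path in cluster:
            print("   ", created.strftime(_FMT), path)
        print("   services tied to this cluster:",
              services_tied_to_cluster(SAMPLE_SERVICES, cluster))
```

The two tool installs on 2008-01-27 (Trend Micro at 21:43, Nircmd.exe at 21:46) fall outside both the window and the threshold, so only the 2008-01-11 burst is reported, and the EUMX service is tied to it twice over: by its binary date and because its path is under the svcd directory created in that minute.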

#5 Ryan (Member 4k, 4,867 posts)
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the file and save it as it is originally named, next to ComboFix.exe.



Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

-Ryan

#6 gulu75 (Topic Starter, New Member, 9 posts)
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#7 Ryan (Member 4k, 4,867 posts)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\iun6002.exe
C:\WINDOWS\SGFyaSBhbmQgQ2hhbmRhbmE\m3IVum11vAk0kZ11vAl1vAH.vbs

Folder::
C:\WINDOWS\system32\svcd
C:\WINDOWS\system32\url3
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\CID



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

-Ryan

#8 gulu75 (Topic Starter, New Member, 9 posts)
ComboFix 08-01-23.1C - The Reddy's 2008-01-27 22:25:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.763 [GMT -6:00]
Running from: C:\Documents and Settings\The Reddy's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\The Reddy's\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\iun6002.exe
C:\WINDOWS\SGFyaSBhbmQgQ2hhbmRhbmE\m3IVum11vAk0kZ11vAl1vAH.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\iun6002.exe
C:\WINDOWS\SGFyaSBhbmQgQ2hhbmRhbmE\m3IVum11vAk0kZ11vAl1vAH.vbs
C:\WINDOWS\system32\CID\
C:\WINDOWS\system32\svcd
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\url1\
C:\WINDOWS\system32\url2\
C:\WINDOWS\system32\url3\

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 22:17 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-27 22:17 . 2006-04-23 06:37 211 --a------ C:\Boot.bak
2008-01-27 21:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 21:43 . 2008-01-27 21:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 14:52 . 2008-01-27 21:57 114 --a------ C:\WINDOWS\system32\url3
2008-01-11 14:52 . 2008-01-27 21:57 102 --a------ C:\WINDOWS\system32\url2
2008-01-11 14:52 . 2008-01-27 21:57 102 --a------ C:\WINDOWS\system32\url1
2008-01-11 14:52 . 2008-01-27 21:57 8 --a------ C:\WINDOWS\system32\CID
2008-01-11 14:52 . 2008-01-17 17:25 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-11 14:51 . 2008-01-17 17:25 34,816 --a------ C:\info.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 02:24 --------- d-----w C:\Program Files\LogMeIn
2008-01-27 19:49 --------- d-----w C:\Program Files\Common Files\Skyscape
2008-01-14 02:36 --------- d-----w C:\Program Files\BearShare
2007-12-28 04:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 04:23 --------- d-----w C:\Program Files\Palm
2007-12-28 04:16 --------- d-----w C:\Program Files\Epocrates
2007-12-28 03:23 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-12-28 03:23 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-12-21 04:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-13 20:46 --------- d-----w C:\Program Files\Common Files\Motive
2007-12-13 20:46 --------- d-----w C:\Program Files\ATT
.

((((((((((((((((((((((((((((( snapshot@2008-01-27_22.00.37.91 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-28 03:47:24 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-28 04:25:54 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-28 03:47:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-28 04:25:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-28 03:47:24 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-28 04:25:55 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-28 03:47:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-28 04:25:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-28 03:47:25 5,545,984 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-28 04:25:55 5,545,984 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-28 03:47:25 647,168 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-28 04:25:55 647,168 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-28 03:57:25 222,378 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-28 04:28:52 222,382 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-28 04:28:52 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_43c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe" [2006-05-10 13:52 249856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43 53248]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 17:12 777424]
"LogMeIn GUI"="C:\Program Files\LogMeIn\LogMeInSystray.exe" [2006-07-21 12:15 303856]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 11:21 116224]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:30 579072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-06 18:36 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-04-28 12:01:15 629248]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-07-21 12:15 11496 C:\WINDOWS\system32\LMIinit.dll

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys [2006-07-21 12:15]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 01:56]
S2 EUMX;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S3 Phal;Phal - Logitech io2 USB driver;C:\WINDOWS\system32\Drivers\LPhalUsb.sys []
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:59:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 22:28:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 22:32:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-28 04:32:44
ComboFix2.txt 2008-01-28 04:00:51
.
2008-01-09 09:02:29 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:27 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.115...yerWeb11gv2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Security Service (EUMX) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 6693 bytes
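The O4 and O23 lines in the HijackThis log above are what a helper reads to spot the EUMX entry: a service with no vendor whose image is a svchost.exe sitting in a subfolder of System32 and is already gone from disk. The Python triage helper below is an added example, not code from this thread or from HijackThis; its sample lines are copied from the log above, and the three heuristics (orphaned service, unrecognised owner, svchost.exe outside System32) are my own assumptions about what deserves a second look.

```python
import ntpath
import re

# Constructed sample input: six lines copied from the HijackThis log posted
# in this thread (O4 = autorun entries, O23 = registered services).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Security Service (EUMX) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# "O23 - Service: <display name> - <owner> - <image path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# "O4 - HKLM\..\Run: [<value name>] <command line>"  (also HKCU, HKUS\<SID>)
O4_RUN_RE = re.compile(
    r"^O4 - (?P<key>\S+?\\\.\.\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Either a quoted image path or an unquoted path ending in .exe (arguments follow).
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)\b', re.IGNORECASE)

# Assumption: the only directory a genuine svchost.exe should run from on XP.
SYSTEM32 = r"c:\windows\system32"

# Heuristic labels (my own, not HijackThis output).
ORPHANED = "service registered but image file missing"
MASQUERADE = "svchost.exe running from outside System32"
UNKNOWN_OWNER = "service binary has no recognised vendor (Unknown owner)"


def executable_from_command(cmd: str) -> str:
    """Strip quotes and trailing arguments from an O4 command, leaving the image path."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("q") or m.group("u")


def is_masquerading_svchost(path: str) -> bool:
    """True when the image is called svchost.exe but does not live in System32 itself."""
    directory, base = ntpath.split(path)
    return base.lower() == "svchost.exe" and directory.lower() != SYSTEM32


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (reason, entry name, image path) for every log line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            if m.group("missing"):
                findings.append((ORPHANED, m.group("name"), path))
            if is_masquerading_svchost(path):
                findings.append((MASQUERADE, m.group("name"), path))
            if m.group("owner") == "Unknown owner":
                findings.append((UNKNOWN_OWNER, m.group("name"), path))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            path = executable_from_command(m.group("cmd"))
            if is_masquerading_svchost(path):
                findings.append((MASQUERADE, m.group("name"), path))
    return findings


if __name__ == "__main__":
    for reason, name, path in triage(SAMPLE_LOG):
        print(f"{reason}: {name} -> {path}")
```

An "Unknown owner" hit on its own is only a prompt to check the vendor (ATI Smart above is legitimate); it is the combination with a misplaced svchost.exe and a missing file that marks EUMX as a leftover of the removed Trojan-Proxy.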

#9
Ryan

    Member 4k

  • Member
  • 4,867 posts
== Clear Temporary Files ==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only. Close all Internet Explorer, Firefox, and Opera windows before continuing.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


== Clear System Restore==

Let's make a new restore point and clear the others:
Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.
Go - Start>Programmes>Accessories>System Tools>Disc Cleanup>"More Options" Tab>Remove All But Most Recent Point. Please do this for each hard drive that you have connected to the computer.


== Kaspersky Web Scanner ==

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

-Ryan

#10
gulu75

    New Member

  • Topic Starter
  • Member
  • 9 posts
KASPERSKY ONLINE SCANNER REPORT
Monday, January 28, 2008 7:34:50 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/01/2008
Kaspersky Anti-Virus database records: 534402


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 245858
Number of viruses found 31
Number of infected objects 104
Number of suspicious objects 2
Duration of the scan process 04:22:12

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output\The Reddy's\~Running.ping Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\The Reddy's\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\The Reddy's\Desktop\Misc. Files\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab/LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Documents and Settings\The Reddy's\Desktop\Misc. Files\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab/LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Documents and Settings\The Reddy's\Desktop\Misc. Files\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab/ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Documents and Settings\The Reddy's\Desktop\Misc. Files\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Documents and Settings\The Reddy's\Desktop\Misc. Files\LogMeIn.exe/data.rar/LogMeIn.msi Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Documents and Settings\The Reddy's\Desktop\Misc. Files\LogMeIn.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Documents and Settings\The Reddy's\Desktop\Misc. Files\LogMeIn.exe RarSFX: infected - 6 skipped

C:\Documents and Settings\The Reddy's\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped

C:\Documents and Settings\The Reddy's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\The Reddy's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\The Reddy's\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\The Reddy's\Local Settings\Temp\Perflib_Perfdata_7ec.dat Object is locked skipped

C:\Documents and Settings\The Reddy's\Local Settings\Temp\Perflib_Perfdata_cdc.dat Object is locked skipped

C:\Documents and Settings\The Reddy's\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\The Reddy's\ntuser.dat Object is locked skipped

C:\Documents and Settings\The Reddy's\ntuser.dat.LOG Object is locked skipped

C:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Program Files\LogMeIn\update\2-30-547.bak\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Program Files\LogMeIn\update\2-30-547.bak\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Program Files\LogMeIn\update\2-30-547.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Program Files\LogMeIn\update\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\Program Files\LogMeIn\update\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\QooBox\Quarantine\C\WINDOWS\b103.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped

C:\QooBox\Quarantine\C\WINDOWS\b103.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\QooBox\Quarantine\C\WINDOWS\b103.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\QooBox\Quarantine\C\WINDOWS\b103.exe.vir NSIS: infected - 3 skipped

C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped

C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 3 skipped

C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped

C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir NSIS: infected - 3 skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\svcd\svchost.exe.vir Infected: Trojan-Proxy.Win32.Fackemo.g skipped

C:\QooBox\Quarantine\catchme2008-01-27_215713.98.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped

C:\QooBox\Quarantine\catchme2008-01-27_215713.98.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{7E27AC43-F003-4873-8E5D-3938FDD3A9E7}\RP831\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{0B986130-E1AC-45E1-AF1F-DAC6CD0A5BDB}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\sam Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\security Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\etc\h2\pnc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped

C:\WINDOWS\system32\drivers\etc\h2\spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped

C:\WINDOWS\system32\drivers\etc\h2\winhelper.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\WINDOWS\system32\LMIinit.dll.000.bak Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_43c.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\6ccffeebf26f3b53bf560ce3ebc894a3_6ba9a262-0fdd-4bf7-b70e-72fc0f4c21cd Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip/125399.exe Suspicious: Password-protected-EXE skipped

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip ZIP: suspicious - 1 skipped

D:\Documents and Settings\Owner\Desktop\Bearshare\BSINSTALL.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

D:\Documents and Settings\Owner\Desktop\Bearshare\BSINSTALL.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

D:\Documents and Settings\Owner\Desktop\Bearshare\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

D:\Documents and Settings\Owner\Desktop\Bearshare\BSINSTALL.exe WiseSFX: infected - 3 skipped

D:\Documents and Settings\Owner\Desktop\Bearshare\BSINSTALL.exe WiseSFXDropper: infected - 3 skipped

D:\Documents and Settings\Owner\Local Settings\Temp\180SAInstaller.exe/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.g skipped

D:\Documents and Settings\Owner\Local Settings\Temp\180SAInstaller.exe CAB: infected - 1 skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe/data0002.bin Infected: not-a-virus:AdWare.Win32.ISearch.d skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe/data0003.bin Infected: not-a-virus:AdWare.Win32.ISearch.d skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe/data0006.bin/chrome/isearch.jar/content/isearch/isearch.js Infected: not-a-virus:AdWare.Win32.ISearch.e skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe/data0006.bin/chrome/isearch.jar Infected: not-a-virus:AdWare.Win32.ISearch.e skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe/data0006.bin Infected: not-a-virus:AdWare.Win32.ISearch.e skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe/data0008.bin Infected: Trojan-Downloader.Win32.Ieser.a skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe/data0009.bin Infected: Trojan.Win32.Delprot.a skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe/data0010.bin Infected: Trojan.Win32.Delprot.a skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe/data0012.bin Infected: not-a-virus:AdWare.Win32.BetterInternet.a skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe AWInstall: infected - 9 skipped

D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\build2.exe UPX: infected - 9 skipped

D:\Documents and Settings\Owner\Local Settings\Temp\LMI49866.msi/data.cab/LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

D:\Documents and Settings\Owner\Local Settings\Temp\LMI49866.msi/data.cab/ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

D:\Documents and Settings\Owner\Local Settings\Temp\LMI49866.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

D:\Documents and Settings\Owner\Local Settings\Temp\LMI49866.msi Embedded: infected - 3 skipped

D:\Documents and Settings\Owner\Local Settings\Temp\nsh_104.exe Infected: not-a-virus:AdWare.Win32.DownloadWare.a skipped

D:\Documents and Settings\Owner\Local Settings\Temp\saveinstwm.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

D:\Documents and Settings\Owner\Local Settings\Temp\saveinstwm.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

D:\Documents and Settings\Owner\Local Settings\Temp\saveinstwm.exe EmbeddedCAB: infected - 2 skipped

D:\Documents and Settings\Owner\Local Settings\Temp\sp.html Infected: Trojan.JS.StartPage.u skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI41BE.tmp\multimpp.cab/multimpp.dll Infected: not-a-virus:AdWare.Win32.BiSpy.o skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI41BE.tmp\multimpp.cab/preInMPP.exe Infected: not-a-virus:AdWare.Win32.BiSpy.q skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI41BE.tmp\multimpp.cab CAB: infected - 2 skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI71B4.tmp\TRebates.exe/data0003/data0001 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI71B4.tmp\TRebates.exe/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI71B4.tmp\TRebates.exe/data0004 Infected: not-a-virus:AdWare.Win32.WebRebates.f skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI71B4.tmp\TRebates.exe/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.d skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI71B4.tmp\TRebates.exe/data0006 Infected: not-a-virus:AdWare.Win32.WebRebates.c skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI71B4.tmp\TRebates.exe NSIS: infected - 5 skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI7FA9.tmp\multimpp.cab/multimpp.dll Infected: not-a-virus:AdWare.Win32.BiSpy.o skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI7FA9.tmp\multimpp.cab/preInMPP.exe Infected: not-a-virus:AdWare.Win32.BiSpy.q skipped

D:\Documents and Settings\Owner\Local Settings\Temp\THI7FA9.tmp\multimpp.cab CAB: infected - 2 skipped

D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1EVSLAN\sia[1].txt/index.exe Infected: Trojan-Dropper.Win32.Delf.ev skipped

D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1EVSLAN\sia[1].txt/index.htm Infected: Trojan-Downloader.VBS.Psyme.a skipped

D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1EVSLAN\sia[1].txt CHM: infected - 2 skipped

D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1EVSLAN\sia[2].txt/index.exe Infected: Trojan-Dropper.Win32.Delf.ev skipped

D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1EVSLAN\sia[2].txt/index.htm Infected: Trojan-Downloader.VBS.Psyme.a skipped

D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1EVSLAN\sia[2].txt CHM: infected - 2 skipped

D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S9MV8DQJ\install_iframe[1].htm Infected: Trojan-Downloader.JS.Agent.kk skipped

D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S9MV8DQJ\install_iframe[2].htm Infected: Trojan-Downloader.JS.Agent.kk skipped

D:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

D:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

D:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

D:\Program Files\BearShare\Installer\BSINSTALL.exe WiseSFX: infected - 3 skipped

D:\Program Files\BearShare\Installer\BSINSTALL.exe WiseSFXDropper: infected - 3 skipped

D:\Program Files\BearShare\Installer\saveinstwm.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

D:\Program Files\BearShare\Installer\saveinstwm.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

D:\Program Files\BearShare\Installer\saveinstwm.exe EmbeddedCAB: infected - 2 skipped

D:\Program Files\LogMeIn\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

D:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

D:\Program Files\LogMeIn\update\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

D:\Program Files\LogMeIn\update\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP566\A0069532.exe Object is locked skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP566\A0069534.exe/WISE0060.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP566\A0069534.exe WiseSFX: infected - 1 skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP566\A0069537.exe/WISE0060.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP566\A0069537.exe WiseSFX: infected - 1 skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP591\A0069908.exe Object is locked skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP591\A0069916.exe Object is locked skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP591\A0069917.exe Infected: not-a-virus:AdWare.Win32.BiSpy.q skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP591\A0069918.exe Infected: not-a-virus:AdWare.Win32.BiSpy.o skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP591\A0069919.exe/systb.dll Infected: not-a-virus:AdWare.Win32.ImiBar.b skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP591\A0069919.exe ZIP: infected - 1 skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP591\A0069921.exe Object is locked skipped

D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP591\A0069923.exe Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll.000 Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

D:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped

D:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js Infected: not-a-virus:AdWare.Win32.ISearch.e skipped

D:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar Infected: not-a-virus:AdWare.Win32.ISearch.e skipped

D:\WINDOWS\isrvs\isearch.xpi ZIP: infected - 2 skipped

Scan process completed.
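Every line in the report above ends in "skipped" because the online scanner only detects and does not clean, so the list mixes live malware with restore-point copies, locked system files and archive summaries. The following Python helper, an added example that is not part of the post or of Kaspersky's tooling, sorts the report into those groups and lists the on-disk files that actually need action; the sample lines are constructed from the line formats seen in this report:

```python
"""Summarise a Kaspersky Online Scanner report for triage.

Added example; not from the forum post and not part of Kaspersky's tools.
It separates what needs action (live malware), what does not (System
Restore copies, locked system files, per-container summaries) and what
needs a human decision (not-a-virus detections such as adware or a
legitimately installed remote-admin tool).
"""
import re
from collections import Counter

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Constructed sample built from the line formats seen in the thread's report.
SAMPLE_REPORT = r"""
D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1EVSLAN\sia[2].txt/index.exe Infected: Trojan-Dropper.Win32.Delf.ev skipped
D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1EVSLAN\sia[2].txt CHM: infected - 2 skipped
D:\Program Files\BearShare\Installer\saveinstwm.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
D:\Program Files\LogMeIn\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
D:\System Volume Information\_restore{B7AF055F-0669-4687-88EB-07A3850BAE08}\RP591\A0069917.exe Infected: not-a-virus:AdWare.Win32.BiSpy.q skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
Scan process completed.
"""


def classify(line):
    """Return (category, path, detail) for one report line, or None for non-detections."""
    line = line.strip()
    m = INFECTED_RE.match(line)
    if m:
        path, name = m.group("path"), m.group("name")
        if "\\System Volume Information\\" in path:
            category = "restore-point copy"       # old restore points; cleared by resetting System Restore
        elif name.startswith("not-a-virus:"):
            category = "not-a-virus (review)"     # adware or admin tool; a person decides
        else:
            category = "malware"
        return category, path, name
    m = CONTAINER_RE.match(line)
    if m:
        # Summary line for an archive/installer whose members were listed separately.
        return "container summary", m.group("path"), f"{m.group('kind')} x{m.group('count')}"
    m = LOCKED_RE.match(line)
    if m:
        return "locked (not scanned)", m.group("path"), ""
    return None


def summarize(report):
    """Count lines per category and collect the on-disk files holding live malware."""
    counts = Counter()
    actions = []
    for line in report.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        category, path, _detail = hit
        counts[category] += 1
        if category == "malware":
            # Kaspersky writes archive members as outer/inner; the file on disk is the outer part.
            on_disk = path.split("/", 1)[0]
            if on_disk not in actions:
                actions.append(on_disk)
    return {"counts": dict(counts), "action_items": actions}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for category, n in sorted(result["counts"].items()):
        print(f"{n:3d}  {category}")
    print("needs action:", *result["action_items"], sep="\n  ")
```

Run against the full report, the "action_items" list is what a removal script like the CFScript later in this thread targets; restore-point copies and locked `$NtUninstall` files do not need to be deleted by hand.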


#11
Ryan

Ryan

    Member 4k

  • Member
  • 4,867 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
D:\Documents and Settings\Owner\Desktop\Bearshare\BSINSTALL.exe
D:\Documents and Settings\Owner\Local Settings\Temp\180SAInstaller.exe
D:\Documents and Settings\Owner\Local Settings\Temp\nsh_104.exe
D:\Documents and Settings\Owner\Local Settings\Temp\saveinstwm.exe
D:\Documents and Settings\Owner\Local Settings\Temp\sp.html
D:\WINDOWS\isrvs\isearch.xpi

Folder::
C:\WINDOWS\system32\drivers\etc\h2\
D:\Documents and Settings\Owner\Local Settings\Temp\B185780172\
D:\Documents and Settings\Owner\Local Settings\Temp\THI41BE.tmp\
D:\Documents and Settings\Owner\Local Settings\Temp\THI7FA9.tmp\
D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1EVSLAN\
D:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S9MV8DQJ\
D:\Program Files\BearShare\Installer\


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

-Ryan

#12
gulu75

gulu75

    New Member

  • Topic Starter
  • Member
  • 9 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:24 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.115...yerWeb11gv2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Security Service (EUMX) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 6748 bytes

#13
Ryan

Ryan

    Member 4k

  • Member
  • 4,867 posts
Go to Start > Run and enter notepad and press enter.

Notepad will open; copy and paste the following into it:

sc stop EUMX >> gulu75.txt
sc delete EUMX >> gulu75.txt
notepad.exe gulu75.txt


Save the file as "remEUMX.bat" (include the quotes), and save it to your desktop.

Double click on remEUMX.bat; a black window will flash open and then close - this is normal. Notepad will appear with some text - please copy and paste this text into your next reply. Also post an uninstall list.
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)

-Ryan
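The service Ryan removes here is the one whose O23 line in the HijackThis log above stood out on three counts: HijackThis reports its binary as missing, no publisher is recorded, and the binary is an svchost.exe that is not the real C:\WINDOWS\system32\svchost.exe. The following Python helper, an added example that is neither Ryan's batch file nor part of HijackThis, scores O23 lines on exactly those signs; the sample lines are copied from the log posted above, and the "Unknown owner" check is a heuristic that also pulls in legitimate but unsigned entries like ATI Smart for manual review:

```python
"""Score "O23 - Service:" lines from a HijackThis log for triage.

Added example; not Ryan's batch script and not part of HijackThis.
A service is flagged when HijackThis reports its binary missing, when no
publisher is recorded, or when the binary is called svchost.exe but does
not live at C:\WINDOWS\system32\svchost.exe (the real one on Windows XP).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PREFIX = "O23 - Service: "
MISSING = " (file missing)"
REAL_SVCHOST = r"c:\windows\system32\svchost.exe"

# Sample lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT = r"""
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Security Service (EUMX) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""


@dataclass
class Service:
    display: str
    name: Optional[str]   # short service name in parentheses, when HijackThis prints one
    owner: str
    path: str
    file_missing: bool


def parse_o23(line: str) -> Optional[Service]:
    """Split an O23 line into its fields; returns None for any other line."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    # HijackThis joins the fields with " - "; a display name that itself
    # contains " - " would confuse this split, so only the first two are cut.
    parts = line[len(PREFIX):].split(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    m = re.search(r"\(([^()]+)\)$", display.strip())
    name = m.group(1) if m else None
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)]
    return Service(display.strip(), name, owner.strip(), path.strip(), missing)


def suspicious_reasons(svc: Service) -> List[str]:
    """Heuristic checks; each hit is a reason to look at the service by hand."""
    reasons = []
    if svc.file_missing:
        reasons.append("binary missing on disk")
    if svc.owner.lower() == "unknown owner":
        reasons.append("no publisher recorded")
    if ntpath.basename(svc.path).lower() == "svchost.exe" and svc.path.lower() != REAL_SVCHOST:
        reasons.append("svchost.exe outside system32")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (service name, path, reasons) for flagged services, most reasons first."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = suspicious_reasons(svc)
        if reasons:
            findings.append((svc.name or svc.display, svc.path, reasons))
    findings.sort(key=lambda f: len(f[2]), reverse=True)
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_HJT):
        print(f"{name}: {path}\n    " + "; ".join(reasons))
```

The short name in parentheses (here EUMX) is what `sc stop` and `sc delete` take as their argument, which is why it, and not the display name "Security Service", appears in Ryan's batch file.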

#14
gulu75

gulu75

    New Member

  • Topic Starter
  • Member
  • 9 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:54 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.115...yerWeb11gv2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 6572 bytes


[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS

#15
Ryan

Ryan

    Member 4k

  • Member
  • 4,867 posts
I would like to see an uninstall list.
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)

-Ryan
