Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Unknown Spyware opening in Internet Explorer.

Started by brad4g63 , Mar 16 2008 04:35 PM

Please log in to reply

#1
brad4g63

Posted 16 March 2008 - 04:35 PM

New Member

Member
4 posts

any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:50 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Y3B0LiByYW1pdXM\command.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\mrofinu1285.exe
C:\WINDOWS\system32\system.exe
C:\WINDOWS\system32\service.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Documents and Settings\user\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\user\Application Data\Microsoft\Windows\nqwahw.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Documents and Settings\user\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {2DA49C55-AF50-4073-9D04-9C97453A4431} - C:\Program Files\MSN Gaming Zone\bujipiv777444.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CA5AA453-CF59-4AE8-809A-CE8FF3642F2B} - C:\Program Files\MSN Gaming Zone\bujipiv821058.dll
O2 - BHO: 0 - {FADBC3D4-8551-4B32-37AB-9489948D21B3} - C:\Program Files\DivX\baqufus74.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1285.exe 61A847B5BBF7281330933D466188719AB689201522886B092CBD44BD8689220221DD325762E901F3
D2907D4E66914B5C1E9E689DB6FC45715EC67A0924A04FA6C3812A172CCE7003
O4 - HKLM\..\Run: [System Updater Machine] system.exe
O4 - HKLM\..\Run: [womybopaj] C:\Program Files\Messenger\womybopaj77798.exe
O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\RunServices: [System Updater Machine] system.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\user\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\user\Application Data\Microsoft\Windows\nqwahw.exe
O4 - HKCU\..\Run: [kfrf] C:\PROGRA~1\COMMON~1\kfrf\kfrfm.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\user\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y3B0LiByYW1pdXM\command.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\DivX\fsozysom.html

--
End of file - 9897 bytes

#2
kahdah

Posted 16 March 2008 - 04:38 PM

GeekU Teacher

Retired Staff
15,822 posts

Hello brad4g63

Welcome to G2Go.

=====================
The first thing I will need you to do is to Download this anti-virus program and install it.
This is free.
AVG free
======================================
Then::
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

=================
Next::

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#3
brad4g63

Posted 16 March 2008 - 05:27 PM

New Member

Topic Starter
Member
4 posts

Thanks A lot it seems to be doing great so far!

<h2>~Report.txt~</h2>

SDFix: Version 1.158

Run by user on Sun 03/16/2008 at 06:01 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\user\Desktop\SDFix

Checking Services :

Name:
cmdService
Network Monitor

Path:
C:\WINDOWS\Y3B0LiByYW1pdXM\command.exe
C:\Program Files\Network Monitor\netmon.exe service

cmdService - Deleted
Network Monitor - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\Y3B0LiByYW1pdXM\asappsrv.dll - Deleted
C:\WINDOWS\Y3B0LiByYW1pdXM\command.exe - Deleted
C:\WINDOWS\Y3B0LiByYW1pdXM\sa1XM21VsqYDxrg.vbs - Deleted
C:\DOCUME~1\USER\APPLIC~1\MICROS~1\WINDOWS\NQWAHW.EXE - Deleted
C:\PROGRA~1\DIVX\BAQUFU~1 - Deleted
C:\PROGRA~1\DIVX\BAQUFU~2 - Deleted
C:\PROGRA~1\MESSEN~1\WOMYBO~1.EXE - Deleted
C:\PROGRA~1\DIVX\BAQUFUS.DLL - Deleted
C:\PROGRA~1\DIVX\BAQUFU~1.DLL - Deleted
C:\PROGRA~1\DIVX\BAQUFU~2.DLL - Deleted
C:\PROGRA~1\MSNGAM~1\BUJIPI~2.DLL - Deleted
C:\PROGRA~1\MSNGAM~1\BUJIPI~1.DLL - Deleted
C:\Documents and Settings\user\Application Data\WinTouch\wintouch.cfg - Deleted
C:\Documents and Settings\user\Application Data\WinTouch\WinTouch.exe - Deleted
C:\Documents and Settings\user\Application Data\WinTouch\WTUninstaller.exe - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Program Files\InetGet2\emg.exe - Deleted
C:\Program Files\InetGet2\YazzleBundle-1560.exe - Deleted
C:\Program Files\JavaCore\JavaCore.exe - Deleted
C:\Program Files\JavaCore\UnInstall.exe - Deleted
C:\Program Files\NoDNS\NoDNS.exe - Deleted
C:\Program Files\NoDNS\UnInstall.exe - Deleted
C:\Program Files\nvcoi\mst.stt - Deleted
C:\Program Files\nvcoi\nvcoi.exe - Deleted
C:\Program Files\nvcoi\nvcoi.exe.lzma - Deleted
C:\Program Files\Temporary\kernInst.exe - Deleted
C:\Program Files\xInsIDE\xInsIDE.exe - Deleted
C:\WINDOWS\b103.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b111.exe - Deleted
C:\WINDOWS\b116.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\b138.exe - Deleted
C:\WINDOWS\b149.exe - Deleted
C:\WINDOWS\b151.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b153.exe - Deleted
C:\WINDOWS\b154.exe - Deleted
C:\WINDOWS\mrofinu1285.exe - Deleted
C:\WINDOWS\mrofinu72.exe - Deleted
C:\Program Files\.autoreg - Deleted
C:\Program Files\Network Monitor\netmon.exe - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\service.exe - Deleted
C:\WINDOWS\system32\system.exe - Deleted
C:\WINDOWS\tk58.exe - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted

Folder C:\Documents and Settings\user\Application Data\WinTouch - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\Network Monitor - Removed
Folder C:\Program Files\NoDNS - Removed
Folder C:\Program Files\nvcoi - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\xInsIDE - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 18:11:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\WINDOWS\\system32\\system.exe"="C:\\WINDOWS\\system32\\system.exe:*:Disabled:system"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\DOCUME~1\user\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Finished!

<h2>~HiJackThis Log~</h2>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:39 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Documents and Settings\user\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {2DA49C55-AF50-4073-9D04-9C97453A4431} - C:\Program Files\MSN Gaming Zone\bujipiv777444.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CA5AA453-CF59-4AE8-809A-CE8FF3642F2B} - C:\Program Files\MSN Gaming Zone\bujipiv821058.dll (file missing)
O2 - BHO: 0 - {FADBC3D4-8551-4B32-37AB-9489948D21B3} - C:\Program Files\DivX\baqufus74.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [womybopaj] C:\Program Files\Messenger\womybopaj77798.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [kfrf] C:\PROGRA~1\COMMON~1\kfrf\kfrfm.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\user\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8049 bytes

#4
kahdah

Posted 16 March 2008 - 05:30 PM

GeekU Teacher

Retired Staff
15,822 posts

Okay great please go ahead with Combofix the istructions are in my previous post.

Post the Combofix log and a new Hijackthis log please.

#5
brad4g63

Posted 16 March 2008 - 05:56 PM

New Member

Topic Starter
Member
4 posts

ComboFix 08-03-14.4 - user 2008-03-16 18:48:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2136 [GMT -5:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-16 17:59 . 2005-03-02 13:09 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-03-16 17:56 . 2008-03-16 17:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-16 17:35 . 2008-03-16 17:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-16 04:47 . 2008-03-16 04:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-16 04:47 . 2008-03-16 04:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-09 03:03 . 2008-03-09 03:03 <DIR> d---s---- C:\Documents and Settings\user\UserData
2008-03-08 17:05 . 2008-03-14 13:43 136,627 --a------ C:\WINDOWS\POTA777444.exe
2008-02-17 20:10 . 2008-02-17 20:10 270,698 --a------ C:\WINDOWS\system32\L3B1.tmp
2008-02-17 20:10 . 2008-02-17 20:10 181,965 --a------ C:\WINDOWS\system32\LF5A7.tmp
2008-02-17 20:10 . 2008-02-17 20:10 400 --a------ C:\WINDOWS\system32\L1322.tmp
2008-02-17 18:50 . 2008-02-17 18:50 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-17 16:02 . 2008-03-16 17:51 394 --a------ C:\WINDOWS\dellstat.ini
2008-02-17 15:55 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-17 15:55 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 23:06 --------- d-----w C:\Program Files\DivX
2008-03-08 07:52 --------- d-----w C:\Program Files\Common Files\kfrf
2008-01-02 19:46 36,868 ----a-w C:\Program Files\uninst-Particular.exe
2007-12-20 00:59 49,152 ----a-r C:\WINDOWS\system32\inetwh32.dll
2007-12-20 00:59 1,044,480 ----a-r C:\WINDOWS\system32\roboex32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DA49C55-AF50-4073-9D04-9C97453A4431}]
C:\Program Files\MSN Gaming Zone\bujipiv777444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA5AA453-CF59-4AE8-809A-CE8FF3642F2B}]
C:\Program Files\MSN Gaming Zone\bujipiv821058.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FADBC3D4-8551-4B32-37AB-9489948D21B3}]
C:\Program Files\DivX\baqufus74.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe" [2008-02-29 16:10 51184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 10:39 149040]
"kfrf"="C:\PROGRA~1\COMMON~1\kfrf\kfrfm.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-09-20 09:36 114688]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 10:34 69632]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30 45632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-09-07 14:51 49263]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-29 22:14 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-04 10:59 161328]
"RegistryMechanic"="" []
"womybopaj"="C:\Program Files\Messenger\womybopaj77798.exe" [ ]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Documents and Settings\user\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-09 13:33:08 71152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PowerMenu.lnk - C:\Program Files\PowerMenu\PowerMenu.exe [2007-08-19 13:50:44 57344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;C:\WINDOWS\system32\DRIVERS\n100325.sys [2001-08-17 11:11]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 18:51:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-16 18:52:26
ComboFix-quarantined-files.txt 2008-03-16 23:52:11
ComboFix2.txt 2008-03-16 23:40:33

#6
kahdah

Posted 16 March 2008 - 06:03 PM

GeekU Teacher

Retired Staff
15,822 posts

Please install AVG free the instructions are in the first post.
=========
After that please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {2DA49C55-AF50-4073-9D04-9C97453A4431} - C:\Program Files\MSN Gaming Zone\bujipiv777444.dll (file missing)
O2 - BHO: (no name) - {CA5AA453-CF59-4AE8-809A-CE8FF3642F2B} - C:\Program Files\MSN Gaming Zone\bujipiv821058.dll (file missing)
O2 - BHO: 0 - {FADBC3D4-8551-4B32-37AB-9489948D21B3} - C:\Program Files\DivX\baqufus74.dll (file missing)
O4 - HKLM\..\Run: [womybopaj] C:\Program Files\Messenger\womybopaj77798.exe
O4 - HKCU\..\Run: [kfrf] C:\PROGRA~1\COMMON~1\kfrf\kfrfm.exe

Now click on Fix Checked and then close Hijackthis.
==================================
Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\POTA777444.exe
C:\WINDOWS\system32\L3B1.tmp
C:\WINDOWS\system32\LF5A7.tmp
C:\Program Files\Messenger\womybopaj77798.exe
C:\Program Files\Common Files\kfrf
C:\Program Files\DivX

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

#7
brad4g63

Posted 16 March 2008 - 06:45 PM

New Member

Topic Starter
Member
4 posts

C:\WINDOWS\POTA777444.exe moved successfully.
C:\WINDOWS\system32\L3B1.tmp moved successfully.
C:\WINDOWS\system32\LF5A7.tmp moved successfully.
File/Folder C:\Program Files\Messenger\womybopaj77798.exe not found.
C:\Program Files\Common Files\kfrf\kfrfd moved successfully.
C:\Program Files\Common Files\kfrf moved successfully.
C:\Program Files\DivX\DivX Web Player\Skins moved successfully.
C:\Program Files\DivX\DivX Web Player\Microsoft.VC80.CRT moved successfully.
C:\Program Files\DivX\DivX Web Player moved successfully.
C:\Program Files\DivX\DivX Content Uploader moved successfully.
C:\Program Files\DivX\AutoUpdate moved successfully.
C:\Program Files\DivX\Artwork moved successfully.
C:\Program Files\DivX moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03162008_194623