Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Ravmon, Sogou, 67759.exe - help appreciated [RESOLVED]

Started by sirdjsmith , Apr 09 2008 08:09 AM

  • This topic is locked This topic is locked

#1
sirdjsmith
Posted 09 April 2008 - 08:09 AM

sirdjsmith

    New Member

  • Member
  • Pip
  • 6 posts
Gents,
I've had something on my system now for a good couple of months, and yet to get to the bottom of it myself.
I have some fairly conspicuous processess running including one called 67759.exe. It occasionally hogs up resources & seems to be using the internet connection. On top of this, i've also had Ravmon.exe & Sogou (adware?) and although i seem to have got rid of it at the moment, it always seems to find its way back onto my system! I occasionally get ad's pop up whilst using IE, and I think somethings nested in amongst here. Firefox is working a treat and no problems here.

I have completed all the requests before posting my HiJack log here- I have used SUperantispyware, AVG Antispyware + Spybot & adaware in the past few months & they have not managed to clean. I also had AVG, then tried a 30day norten, now back to AVG, but with no avail. Have also used ATF cleaner & ensured XP is uptodate.

Please find my hijack log & panda active scan logs below. Help very much appreciated! anything that you can suggest :)
Thanks,
Darren


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:06:23, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\67751.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061116
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061116
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co...amp;ibd=6061116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Century Class - {B9893324-6B8F-4C54-98A8-D22194403550} - C:\WINDOWS\system32\SoTools.dll
O2 - BHO: BHO Class - {BCBD80C9-6AD7-48ed-8DF1-6963414B3649} - C:\WINDOWS\system32\flym.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Invoke Class - {FFB3D068-F8DA-4370-A71E-83B1C959CDD6} - C:\WINDOWS\system32\c671.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\dlm.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [orelkdn] rundll32 "C:\WINDOWS\Downlo~1\orelkdn.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [h9c] rundll32 "C:\WINDOWS\Downlo~1\h9c.dll",Run
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://djsmithster.s...ad/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Windows Management Prints System (spoo1v) - Unknown owner - spoo1v.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 13511 bytes


UNINSTALL LIST
Ad-Aware SE Personal
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Template Projects & Footage
Adobe After Effects CS3 Third Party Content
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Library
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 7.0.9
Adobe Setup
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Soundbooth CS3 Scores
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AVG 7.5
AVG Anti-Spyware 7.5
Battlecraft 1942
Battlefield 1942
Battlefield 1942: The Road To Rome
Battlefield 2™
Battlefield 2: Special Forces
Battlefield 2142
Battlefield Vietnam™
BitComet 0.59
Broadcom Advanced Control Suite
BT Voyager Wireless Utility
CloneCD
Dell CinePlayer
Dell Driver Reset Tool
Dell Support 3.2
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Enemy Territory - QUAKE Wars™ 1.1 Patch
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Image Clip Palette
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESDX4800_4200 User's Guide
Football Manager 2008
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IGN Download Manager 2.3.3
InterVideo FilterSDK for Hauppauge
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
LimeWire PRO 4.9.11
Logitech MouseWare 9.79.1
Magic ISO Maker v5.4 (build 0239)
MCU
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Works
Mouse Suite for Desktop Computers
Mozilla Firefox (2.0.0.13)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
NVIDIA Drivers
Panda ActiveScan 2.0
PartyPoker
PB-WC100 USB Camera
PDF Settings
Philips Photo Manager 1.0
PowerISO
PunkBuster for Battlefield Vietnam
QuickTime
RealPlayer
Samsung Mobile USB Modem Software
Samsung USB Driver (MCCI 4.24)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Skype 3.0
Skype Plugin Manager
Sonic Activation Module
Sonic Encoders
SopCast 1.1.2
Steam™
SUPERAntiSpyware Free Edition
TeamSpeak 2 RC2
TeamSpeak 2 Server RC2
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update Rollup 2 for Windows XP Media Center Edition 2005
Ventrilo Client
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
World of Warcraft





ACTIVE SCAN----------------
=======================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\jfa85k2q.default\sessionstore.js[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\jfa85k2q.default\sessionstore.js[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\jfa85k2q.default\sessionstore.js[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\jfa85k2q.default\sessionstore.js[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\jfa85k2q.default\sessionstore.js[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\jfa85k2q.default\sessionstore.js[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\jfa85k2q.default\sessionstore.js[.bs.serving-sys.com/]
02898856 Adware/BaiduBar Adware No 0 Yes No C:\WINDOWS\6.tmp
02903468 Adware/AdHelper Adware No 0 Yes No C:\WINDOWS\system32\c671.dlltmp
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location \
;===============================================================================
=================================================================================
===================
No C:\WINDOWS\DOWNLOADED PROGRAM FILES\H9C.DLL \
No C:\WINDOWS\DOWNLOADED PROGRAM FILES\ORELKDN.DLL \
No C:\WINDOWS\SYSTEM32\5C1.DLL \
No C:\WINDOWS\SYSTEM32\67751.EXE \
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description \
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
  • 0

Advertisements

#2
greyknight17
Posted 13 April 2008 - 09:45 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Darren and welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: Century Class - {B9893324-6B8F-4C54-98A8-D22194403550} - C:\WINDOWS\system32\SoTools.dll
O2 - BHO: BHO Class - {BCBD80C9-6AD7-48ed-8DF1-6963414B3649} - C:\WINDOWS\system32\flym.dll (file missing)
O2 - BHO: Invoke Class - {FFB3D068-F8DA-4370-A71E-83B1C959CDD6} - C:\WINDOWS\system32\c671.dll
O4 - HKLM\..\Policies\Explorer\Run: [orelkdn] rundll32 "C:\WINDOWS\Downlo~1\orelkdn.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [h9c] rundll32 "C:\WINDOWS\Downlo~1\h9c.dll",Run
O23 - Service: Windows Management Prints System (spoo1v) - Unknown owner - spoo1v.exe (file missing)

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop spoo1v
sc delete spoo1v
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\67751.exe
C:\WINDOWS\system32\SoTools.dll
C:\WINDOWS\system32\c671.dll
C:\WINDOWS\Downlo~1\orelkdn.dll
C:\WINDOWS\Downlo~1\h9c.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ORELKDN.DLL
C:\WINDOWS\SYSTEM32\5C1.DLL

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
sirdjsmith
Posted 19 April 2008 - 09:53 AM

sirdjsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
GreyKNight,
Thanks for your help. I have stepped through your instrutions as below.

When you asked me to delete the files/folders below I couldn't remove
C:\WINDOWS\system32\c671.dll
and C:\WINDOWS\SYSTEM32\5C1.DLL
I was told the files were in use / access denied.

Nor could I find the following folder 'download' folder and files.
C:\WINDOWS\Downlo~1\orelkdn.dll
C:\WINDOWS\Downlo~1\h9c.dll

I went ahead and did a combofix, find the log below.

On restart, I am recieving 2 RUNDLL errors:
"error loading C:\WINDOWS\SYSTEM32\5C1.DLL the specified module could not be found" AND
"error loading C:\WINDOWS\Downlo~1\h9c.dll the specified module could not be found"

Thanks in advance.. What else do I need to do?

Darren



ComboFix 08-04-18.3 - Darren 2008-04-19 16:36:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1469 [GMT 1:00]
Running from: C:\Documents and Settings\Darren\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Darren\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\t
C:\Documents and Settings\All Users\Application Data\t\a1681.dat
C:\Documents and Settings\All Users\Application Data\t\b1681.dat
C:\Documents and Settings\All Users\Application Data\t\k1681.dat
C:\Documents and Settings\All Users\Application Data\t\p1681.dat
C:\Documents and Settings\All Users\Application Data\t\r1681.dat
C:\Documents and Settings\All Users\Application Data\td
C:\Documents and Settings\All Users\Application Data\td\a1003.dat
C:\Documents and Settings\All Users\Application Data\td\b1003.dat
C:\Documents and Settings\All Users\Application Data\td\k1003.dat
C:\Documents and Settings\All Users\Application Data\td\p1003.dat
C:\Documents and Settings\All Users\Application Data\td\r1003.dat
C:\Documents and Settings\Darren\ravmonlog
C:\WINDOWS\871.bmp
C:\WINDOWS\Downloaded Program Files.\die5zw3k.dll
C:\WINDOWS\Downloaded Program Files.\fcel.dll
C:\WINDOWS\Downloaded Program Files.\fgq2.dll
C:\WINDOWS\Downloaded Program Files.\h9c.dll
C:\WINDOWS\Downloaded Program Files.\i429qz.dll
C:\WINDOWS\Downloaded Program Files.\k8hmbw.dll
C:\WINDOWS\Downloaded Program Files.\knv6kc.dll
C:\WINDOWS\Downloaded Program Files.\mqvdr8nu.dll
C:\WINDOWS\Downloaded Program Files.\s39.dll
C:\WINDOWS\Downloaded Program Files.\sq28v58g.dll
C:\WINDOWS\system32\5c1.dll
C:\WINDOWS\system32\67751.exe
C:\WINDOWS\system32\drivers\3mn4ytp.sys
C:\WINDOWS\system32\mstacim.sig
C:\WINDOWS\tempaq

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPIDISK
-------\Legacy_MS_2FAX
-------\Service_ms_2fax
-------\Legacy_3mn4ytp
-------\3mn4ytp


((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-11 10:42 . 2008-04-11 10:42 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\OpenOffice.org2
2008-04-11 10:29 . 2008-04-11 10:29 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-04-11 10:25 . 2008-04-19 16:20 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-09 15:04 . 2008-04-09 15:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 13:42 . 2008-04-09 13:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-09 13:42 . 2008-04-09 13:43 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\AVG7
2008-04-09 10:20 . 2008-04-09 10:20 <DIR> d-------- C:\Program Files\Panda Security
2008-04-08 22:57 . 2008-04-08 22:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-08 22:57 . 2008-04-08 22:57 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\SUPERAntiSpyware.com
2008-04-08 22:57 . 2008-04-08 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-08 20:31 . 2008-04-08 20:31 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\Grisoft
2008-04-08 20:30 . 2008-04-09 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-08 20:30 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-05 04:05 . 2008-04-05 04:05 <DIR> d-------- C:\Program Files\iTunes
2008-04-05 04:05 . 2008-04-19 16:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-05 04:05 . 2008-04-05 04:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-31 18:56 . 2008-03-31 18:56 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\Ventrilo
2008-03-31 18:50 . 2008-03-31 18:50 <DIR> d-------- C:\Program Files\Ventrilo
2008-03-31 18:50 . 2008-04-08 22:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 18:34 --------- d-----w C:\Program Files\Apple Software Update
2008-04-18 12:04 53,248 ----a-r C:\WINDOWS\73e1.exe
2008-04-11 20:41 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-11 09:29 --------- d-----w C:\Program Files\Java
2008-04-11 09:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-11 09:14 --------- d-----w C:\Program Files\EA GAMES
2008-04-09 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-08 19:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-08 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 19:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-05 03:05 --------- d-----w C:\Program Files\iPod
2008-04-05 03:04 --------- d-----w C:\Program Files\QuickTime
2008-03-31 20:49 --------- d-----w C:\Documents and Settings\Darren\Application Data\Skype
2008-03-16 22:37 --------- d-----w C:\Program Files\Electronic Arts
2008-02-23 19:38 --------- d-----w C:\Documents and Settings\Darren\Application Data\uTorrent
2008-02-17 17:21 470,016 ----a-w C:\WINDOWS\6.tmp
2008-01-19 10:06 358,575 ----a-w C:\WINDOWS\A.tmp
2007-09-29 11:35 22,328 ----a-w C:\Documents and Settings\Darren\Application Data\PnkBstrK.sys
2007-05-31 19:04 40,160 ----a-w C:\Documents and Settings\Darren\Application Data\GDIPFONTCACHEV1.DAT
2007-03-12 10:04 160 ----a-w C:\Documents and Settings\Darren\Application Data\wklnhst.dat
2006-11-22 23:08 251 ----a-w C:\Program Files\wt3d.ini
2004-09-10 13:40 75,264 ----a-w C:\Program Files\DECCHECK.exe
2004-09-10 13:40 5,970 ----a-w C:\Program Files\eula.txt
2006-11-22 23:04 168 --sh--r C:\WINDOWS\system32\79BF2FFFAA.sys
2006-11-22 23:04 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFB3D068-F8DA-4370-A71E-83B1C959CDD6}]
2008-04-18 13:04 53248 --a------ C:\WINDOWS\system32\c671.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 09:12 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\dlm.exe" [2007-03-05 13:57 1103480]
"Steam"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-01 03:54 7561216]
"NvMediaCenter"="NvMCTray.dll" [2006-04-01 03:54 86016 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 23:00 282624 C:\WINDOWS\stsystra.exe]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2006-09-21 16:40 137216]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [2005-02-02 05:00 98304]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-29 22:14 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 20:21 57344]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"PMX Daemon"="ICO.EXE" [2006-06-09 13:47 47104 C:\WINDOWS\system32\ico.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"Auto Run Software for Photo Frame"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 11:03 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 06:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-09 13:42 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"5c1"= rundll32 C:\WINDOWS\system32\5c1.dll,Always
"h9c"= rundll32 "C:\WINDOWS\Downlo~1\h9c.dll",Run

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14957:TCP"= 14957:TCP:NortonAV
"17849:TCP"= 17849:TCP:NortonAV
"16566:TCP"= 16566:TCP:NortonAV
"15818:TCP"= 15818:TCP:NortonAV
"15781:TCP"= 15781:TCP:NortonAV
"16937:TCP"= 16937:TCP:NortonAV
"15618:TCP"= 15618:TCP:NortonAV
"18148:TCP"= 18148:TCP:NortonAV
"17466:TCP"= 17466:TCP:NortonAV
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"17029:TCP"= 17029:TCP:NortonAV
"12145:TCP"= 12145:TCP:NortonAV
"12794:TCP"= 12794:TCP:NortonAV
"16901:TCP"= 16901:TCP:NortonAV
"15533:TCP"= 15533:TCP:NortonAV

R1 pmxmouse;PMXMOUSE;C:\WINDOWS\system32\DRIVERS\pmxmouse.sys [2006-04-24 11:57]
R3 HCW99BDA;Hauppauge Nova-DT Dual DVB-T Tuner;C:\WINDOWS\system32\Drivers\hcw99bda.sys [2007-03-23 10:51]
R3 hcw99rc;Hauppauge Nova-DT IR Driver;C:\WINDOWS\system32\Drivers\hcw99rc.sys [2007-03-23 10:51]
S3 pmxps2m;PMXPS2M;C:\WINDOWS\system32\DRIVERS\pmxps2m.sys [2006-05-30 21:18]
S3 t2embek;t2embek;C:\WINDOWS\system32\drivers\t2embek.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e2cf027-b6f5-11db-9ccf-009096f22030}]
\Shell\Auto\command - J:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ff8a536-d89b-11db-9d29-009096f22030}]
\Shell\Auto\command - RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdf67c33-86eb-11db-9c83-009096f22030}]
\Shell\Auto\command - RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 18:34:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 16:41:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\pmxmiced.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-19 16:45:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 15:45:23

Pre-Run: 48,296,898,560 bytes free
Post-Run: 48,224,501,760 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

266 --- E O F --- 2008-04-09 12:40:24
  • 0

#4
greyknight17
Posted 19 April 2008 - 03:25 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Darren, don't worry about those errors. We will fix those up shortly...

Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

Driver::
t2embek

File::
C:\WINDOWS\system32\c671.dll
C:\WINDOWS\Downlo~1\orelkdn.dll
C:\WINDOWS\73e1.exe
C:\WINDOWS\6.tmp
C:\WINDOWS\A.tmp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFB3D068-F8DA-4370-A71E-83B1C959CDD6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Auto Run Software for Photo Frame"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"5c1"=-
"h9c"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#5
sirdjsmith
Posted 19 April 2008 - 04:26 PM

sirdjsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
GreyKnight,
The link below for FlashDisinfector.exe doean't seem to work.. and all other references to download this file on google seem to point to the same address!?.. which is weird.. Do you know of another? or the correct URL?

You may also want to know that whenever I load IE (i usually use Firefox)
AVG anti spyware detects the following-
Threat detected
When opening file: windows\system32\67751.exe
Trojan horse BHO.DOO

Cheers,
Darren
  • 0

#6
greyknight17
Posted 19 April 2008 - 06:25 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Darren, did you click on the link itself or copied and pasted it? If copy/paste, you might have copied the text (with the 3 dots in the middle) instead of the link itself. Click on the link...it should work. I just tried it now.

For IE, does it still detect that threat? It should be removed already after your last combofix run. Test it out and let me know after you run the latest fix (run that and then try out IE).
  • 0

#7
sirdjsmith
Posted 22 April 2008 - 02:51 AM

sirdjsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Grey Knight,
Thanks again for prompt response. I simply could not connect to TechSupportForum from my home computer, either through IE or Firefox. The only thing I can think of is that something is blocking it's access.. I have downloaded the flash disinfector from work just fine and will give your post a go this evening.

I can confirm when i load up IE, 67751.exe is being detected by AVG AntiSpyware. I will try again after the next fix.

I'm computer competant & I work in IT. I can normally get rid of spyware etc myself but this one has completely stumped me!.. Its not going to be easy :)

Thanks again,
Darren

Edited by sirdjsmith, 22 April 2008 - 02:52 AM.

  • 0

#8
sirdjsmith
Posted 22 April 2008 - 01:49 PM

sirdjsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ok, find below the new combofix log--
IE is not currently invoking any security warnings which is a good sign at the moment...
Whats next?
I'll post if I notice anything as per.

Thanks,
Darren




ComboFix 08-04-18.3 - Darren 2008-04-22 20:37:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1320 [GMT 1:00]
Running from: C:\Documents and Settings\Darren\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Darren\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\6.tmp
C:\WINDOWS\73e1.exe
C:\WINDOWS\A.tmp
C:\WINDOWS\Downlo~1\orelkdn.dll
C:\WINDOWS\system32\c671.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\6.tmp
C:\WINDOWS\73e1.exe
C:\WINDOWS\A.tmp
C:\WINDOWS\Downlo~1\orelkdn.dll
C:\WINDOWS\system32\67751.exe
C:\WINDOWS\system32\c671.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_T2EMBEK
-------\Service_t2embek


((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-20 11:36 . 2008-04-20 11:36 <DIR> d-------- C:\Program Files\TVAnts
2008-04-11 10:42 . 2008-04-11 10:42 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\OpenOffice.org2
2008-04-11 10:29 . 2008-04-11 10:29 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-04-11 10:25 . 2008-04-22 20:33 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-09 15:04 . 2008-04-09 15:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 13:42 . 2008-04-09 13:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-09 13:42 . 2008-04-09 13:43 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\AVG7
2008-04-09 10:20 . 2008-04-09 10:20 <DIR> d-------- C:\Program Files\Panda Security
2008-04-08 22:57 . 2008-04-08 22:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-08 22:57 . 2008-04-08 22:57 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\SUPERAntiSpyware.com
2008-04-08 22:57 . 2008-04-08 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-08 20:31 . 2008-04-08 20:31 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\Grisoft
2008-04-08 20:30 . 2008-04-09 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-08 20:30 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-05 04:05 . 2008-04-05 04:05 <DIR> d-------- C:\Program Files\iTunes
2008-04-05 04:05 . 2008-04-22 18:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-05 04:05 . 2008-04-05 04:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-31 18:56 . 2008-03-31 18:56 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\Ventrilo
2008-03-31 18:50 . 2008-03-31 18:50 <DIR> d-------- C:\Program Files\Ventrilo
2008-03-31 18:50 . 2008-04-08 22:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 14:11 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-18 18:34 --------- d-----w C:\Program Files\Apple Software Update
2008-04-11 09:29 --------- d-----w C:\Program Files\Java
2008-04-11 09:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-11 09:14 --------- d-----w C:\Program Files\EA GAMES
2008-04-09 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-08 19:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-08 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 19:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-05 03:05 --------- d-----w C:\Program Files\iPod
2008-04-05 03:04 --------- d-----w C:\Program Files\QuickTime
2008-03-31 20:49 --------- d-----w C:\Documents and Settings\Darren\Application Data\Skype
2008-03-16 22:37 --------- d-----w C:\Program Files\Electronic Arts
2008-02-23 19:38 --------- d-----w C:\Documents and Settings\Darren\Application Data\uTorrent
2007-09-29 11:35 22,328 ----a-w C:\Documents and Settings\Darren\Application Data\PnkBstrK.sys
2007-05-31 19:04 40,160 ----a-w C:\Documents and Settings\Darren\Application Data\GDIPFONTCACHEV1.DAT
2007-03-12 10:04 160 ----a-w C:\Documents and Settings\Darren\Application Data\wklnhst.dat
2006-11-22 23:08 251 ----a-w C:\Program Files\wt3d.ini
2004-09-10 13:40 75,264 ----a-w C:\Program Files\DECCHECK.exe
2004-09-10 13:40 5,970 ----a-w C:\Program Files\eula.txt
2006-11-22 23:04 168 --sh--r C:\WINDOWS\system32\79BF2FFFAA.sys
2006-11-22 23:04 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-19_16.45.13.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 15:40:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 19:41:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-11 20:40:36 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
+ 2008-04-20 14:10:08 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 09:12 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\dlm.exe" [2007-03-05 13:57 1103480]
"Steam"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-01 03:54 7561216]
"NvMediaCenter"="NvMCTray.dll" [2006-04-01 03:54 86016 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 23:00 282624 C:\WINDOWS\stsystra.exe]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2006-09-21 16:40 137216]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [2005-02-02 05:00 98304]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-29 22:14 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 20:21 57344]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"PMX Daemon"="ICO.EXE" [2006-06-09 13:47 47104 C:\WINDOWS\system32\ico.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 11:03 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 06:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-09 13:42 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14957:TCP"= 14957:TCP:NortonAV
"17849:TCP"= 17849:TCP:NortonAV
"16566:TCP"= 16566:TCP:NortonAV
"15818:TCP"= 15818:TCP:NortonAV
"15781:TCP"= 15781:TCP:NortonAV
"16937:TCP"= 16937:TCP:NortonAV
"15618:TCP"= 15618:TCP:NortonAV
"18148:TCP"= 18148:TCP:NortonAV
"17466:TCP"= 17466:TCP:NortonAV
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"17029:TCP"= 17029:TCP:NortonAV
"12145:TCP"= 12145:TCP:NortonAV
"12794:TCP"= 12794:TCP:NortonAV
"16901:TCP"= 16901:TCP:NortonAV
"15533:TCP"= 15533:TCP:NortonAV

R1 pmxmouse;PMXMOUSE;C:\WINDOWS\system32\DRIVERS\pmxmouse.sys [2006-04-24 11:57]
R3 HCW99BDA;Hauppauge Nova-DT Dual DVB-T Tuner;C:\WINDOWS\system32\Drivers\hcw99bda.sys [2007-03-23 10:51]
R3 hcw99rc;Hauppauge Nova-DT IR Driver;C:\WINDOWS\system32\Drivers\hcw99rc.sys [2007-03-23 10:51]
S3 pmxps2m;PMXPS2M;C:\WINDOWS\system32\DRIVERS\pmxps2m.sys [2006-05-30 21:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e2cf027-b6f5-11db-9ccf-009096f22030}]
\Shell\Auto\command - J:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ff8a536-d89b-11db-9d29-009096f22030}]
\Shell\Auto\command - RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdf67c33-86eb-11db-9c83-009096f22030}]
\Shell\Auto\command - RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 18:34:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 20:42:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\pmxmiced.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-22 20:47:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 19:47:22
ComboFix2.txt 2008-04-19 15:45:40

Pre-Run: 46,793,797,632 bytes free
Post-Run: 46,811,451,392 bytes free

238 --- E O F --- 2008-04-09 12:40:24
  • 0

#9
greyknight17
Posted 22 April 2008 - 07:23 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Darren, I think that last run did the trick...

Did you run the Flash Disinfector yet? Make sure to use it on any flash drives you used recently.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and copy/paste in combofix /u and hit OK to remove it. You should be set to go.

Edited by greyknight17, 22 April 2008 - 07:25 PM.

  • 0

#10
sirdjsmith
Posted 23 April 2008 - 12:17 AM

sirdjsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
System is looking ace!
Thanks very much for your help. all back to normal!..
Cheers,
Darren
  • 0

#11
greyknight17
Posted 23 April 2008 - 07:54 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP