I think I have trojans and adware, not really sure [CLOSED]


  • This topic is locked

#1 mattsat (New Member, 9 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:25 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_12\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: 527631 helper - {54160F28-994B-48DD-8D83-1B2F6B9EB054} - C:\WINDOWS\system32\527631\527631.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX5900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIP.EXE /FU "C:\WINDOWS\TEMP\E_S272.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Microgaming\Poker\pokertimeMPP\MPPoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valu...OCX/flashax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe

--
End of file - 7812 bytes


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Do you know what that PKR Pal program is used for?

What problems are you having now?

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
O2 - BHO: 527631 helper - {54160F28-994B-48DD-8D83-1B2F6B9EB054} - C:\WINDOWS\system32\527631\527631.dll (file missing)


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\527631\

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
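The picks greyknight17 makes above (a SearchURL pointing at a third-party host, a BHO in a numeric-named folder whose DLL is already gone) follow a few repeatable rules. As an added example, not code from the original thread or from HijackThis itself, the Python below applies those rules to HijackThis v2 log lines: it flags IE start/search URLs outside Microsoft's own hosts, O2/O3/O9 entries marked "(file missing)" or "(no file)", a BHO living in a numeric-named folder, and startup items planted in the SYSTEM or Default User profile, and keeps those "fix" items apart from "verify" items such as AppInit_DLLs and services with no publisher string, which are often legitimate (AVG and ATI here). TRUSTED_HOSTS is an assumption made for this example, not a HijackThis rule, and SAMPLE_LOG is a constructed subset of the lines posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis v2.0.2 lines posted above,
# enough to exercise each heuristic. Not a full log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
O2 - BHO: 527631 helper - {54160F28-994B-48DD-8D83-1B2F6B9EB054} - C:\WINDOWS\system32\527631\527631.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Every HijackThis finding line is "<section> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Hosts IE's own defaults point at. Any other host in an R0/R1/R3 URL entry
# deserves a look. This list is an assumption for the example, not a HijackThis rule.
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "live.com")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)  # (action, explanation) pairs

    @property
    def action(self):
        # One "fix" reason is enough to put the line on the Fix Checked list.
        return "fix" if any(a == "fix" for a, _ in self.reasons) else "verify"


def url_host(text):
    """Host part of the first http(s) URL in text, lower-cased, or '' if none."""
    m = re.search(r"https?://([^/\s]+)", text)
    return m.group(1).lower() if m else ""


def trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage(log_text):
    """Return one Finding per suspicious HijackThis line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec in ("R0", "R1", "R3"):
            host = url_host(body)
            if host and not trusted(host):
                reasons.append(("fix", f"IE start/search setting points at {host}"))
        if sec in ("O2", "O3", "O9"):
            if "(file missing)" in body or "(no file)" in body:
                reasons.append(("fix", "orphaned registration; fixing only removes the dangling entry"))
            if sec == "O2" and re.search(r"\\\d+\\\d+\.dll\b", body):
                reasons.append(("fix", "BHO living in a numeric-named folder"))
        if sec == "O4" and re.search(r"\(User '(SYSTEM|Default user)'\)", body):
            reasons.append(("fix", "startup item planted in the SYSTEM/Default profile"))
        if sec == "O20" and "AppInit_DLLs" in body:
            reasons.append(("verify", "AppInit_DLLs is loaded into every GUI process; confirm the DLL's owner"))
        if sec == "O23" and "Unknown owner" in body:
            reasons.append(("verify", "service binary carries no publisher string"))
        if reasons:
            findings.append(Finding(sec, line, reasons))
    return findings


def fix_list(findings):
    """The raw lines to tick in HijackThis before pressing 'Fix Checked'."""
    return [f.line for f in findings if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        why = "; ".join(text for _, text in f.reasons)
        print(f"[{f.action}] {f.section}: {why}\n    {f.line}")
```

Run it against a full saved log (`triage(open("hijackthis.log").read())`) and the "fix" lines are the ones to tick; the "verify" lines are not to be fixed blindly, since AppInit_DLLs and unsigned services are exactly where both AV products and malware sit.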

#3 mattsat (Topic Starter, New Member, 9 posts)
PKR Pal was an incomplete download, and the problem I am having is that the computer is getting really slow.

ComboFix 08-05-15.3 - matt 2008-05-18 10:05:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.127 [GMT 10:00]
Running from: C:\Documents and Settings\matt\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Patrick\Application Data\MBOLS~1
C:\Program Files\Common Files\{34546~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\dobe~1
C:\Program Files\sembly~1
C:\Program Files\sembly~1\??sembly\

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 10:04 . 2008-05-18 10:04 1,024 --ah----- C:\Documents and Settings\Default User.WINDOWS\ntuser.dat.LOG
2008-05-17 20:35 . 2008-05-17 20:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 19:59 . 2008-05-17 20:15 1,646 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-15 19:57 . 2008-05-15 19:58 <DIR> d-------- C:\Program Files\UltimateBet
2008-05-13 21:51 . 2008-05-13 21:53 <DIR> d-------- C:\Program Files\Winamp
2008-05-13 21:51 . 2008-05-16 16:31 <DIR> d-------- C:\Documents and Settings\matt\Application Data\Winamp
2008-05-07 17:47 . 2008-05-11 10:12 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-07 17:44 . 2008-05-18 09:53 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-07 17:44 . 2008-05-07 17:44 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-07 17:44 . 2008-05-07 17:44 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-07 17:44 . 2008-05-07 17:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-07 17:43 . 2008-05-07 17:43 <DIR> d-------- C:\Program Files\AVG
2008-05-07 17:43 . 2008-05-07 17:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-05-07 17:41 . 2008-05-07 17:44 8,192 --a------ C:\Documents and Settings\WSUSUP~1
2008-05-07 16:54 . 2008-05-07 16:54 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-05-06 00:52 . 2008-05-06 00:52 <DIR> d-------- C:\WINDOWS\system32\N360_BACKUP
2008-05-05 17:30 . 2008-05-07 16:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-05-05 16:59 . 2008-05-05 17:59 <DIR> d-------- C:\Documents and Settings\matt\Application Data\Symantec
2008-05-05 16:55 . 2008-05-05 16:55 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMon
2008-05-05 16:55 . 2004-10-07 14:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-05-05 16:55 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-04-29 12:16 . 2004-08-04 22:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-29 12:15 . 2008-04-29 12:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-29 12:13 . 2008-04-29 12:13 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-29 12:13 . 2008-04-29 12:14 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-29 12:12 . 2008-04-29 12:13 <DIR> d-------- C:\ffd17f206b1b80fa36a2199e703d7cb9
2008-04-27 18:19 . 2008-04-27 18:19 <DIR> d-------- C:\Documents and Settings\matt\Application Data\EPSON
2008-04-25 20:26 . 2008-04-25 20:26 <DIR> d-------- C:\Program Files\In The Money
2008-04-24 20:27 . 2008-04-24 20:27 3,120 --a------ C:\WINDOWS\system32\9b98b0a1-7adb-4dbd-876e-bd5f20522a67.dll
2008-04-24 20:27 . 2008-04-24 20:27 3,120 --a------ C:\WINDOWS\157aa070-b6d0-472d-910e-5b658f3d2e49.ocx
2008-04-20 00:09 . 2008-03-19 18:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-20 00:09 . 2008-03-19 18:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-20 00:08 . 2008-04-20 00:09 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 14:10 --------- d-----w C:\Program Files\PokerStars
2008-05-17 12:56 --------- d-----w C:\Program Files\Full Tilt Poker
2008-05-17 10:30 --------- d-----w C:\Documents and Settings\matt\Application Data\LimeWire
2008-05-15 06:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-14 08:57 --------- d-----w C:\Program Files\PartyGaming
2008-05-09 13:06 --------- d-----w C:\Program Files\World Lawn Bowls
2008-05-07 06:54 --------- d-----w C:\Program Files\Symantec
2008-05-07 06:54 --------- d-----w C:\Program Files\Norton 360
2008-05-07 06:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-15 10:27 --------- d-----w C:\Documents and Settings\matt\Application Data\Microgaming
2008-04-07 09:16 --------- d-----w C:\Program Files\SNGEGT
2008-04-06 10:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-06 10:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-06 10:26 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\UDL
2008-04-06 10:25 --------- d-----w C:\Program Files\epson
2008-04-06 06:33 --------- d-----w C:\Documents and Settings\matt\Application Data\U3
2008-04-06 06:20 --------- d-----w C:\Program Files\Microsoft Works
2008-04-05 12:30 --------- d-----w C:\Program Files\LimeWire
2008-04-05 09:14 --------- d-----w C:\Program Files\Windows Live
2008-04-05 09:13 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-05 09:07 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-04-05 01:54 --------- d-----w C:\Program Files\NoPayPOKER
2008-04-01 04:18 --------- d-----w C:\Program Files\Google
2008-03-31 06:03 --------- d-----w C:\Program Files\Java
2008-03-31 05:26 --------- d-----w C:\Program Files\Poker Royale
2008-03-28 23:46 --------- d-----w C:\Program Files\GDI
2008-03-28 23:44 --------- d-----w C:\Program Files\UIU
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-08-31 09:52 22 ----a-w C:\Program Files\c.zip
2007-08-31 09:52 22 ----a-w C:\Program Files\b.zip
2007-08-31 09:51 22 ----a-w C:\Program Files\a.zip
2007-03-09 06:17 75 ----a-w C:\Documents and Settings\Patrick\n.bat
2007-03-09 06:17 122 ----a-w C:\Documents and Settings\Patrick\yyd.bat
2007-03-09 06:17 0 ----a-w C:\Documents and Settings\Patrick\x.dat
2007-03-09 06:15 57,344 ----a-w C:\Documents and Settings\Patrick\setup9x.exe
2007-03-09 06:15 25,214 ----a-w C:\Program Files\B.ico
2007-03-09 06:15 25,214 ----a-w C:\Program Files\A.ico
2007-03-08 10:08 57,344 ----a-w C:\Documents and Settings\Guest\setup9x.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-05 17:34 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-31 16:27 171448]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 14:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"PKR Pal"="C:\Program Files\PKR\pkrpal.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 03:15 75520]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 18:30 517768]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-07 17:44 1177368]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-02 04:49 36352]

C:\Documents and Settings\matt\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-09 07:32:57 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NoPayPOKER\\nopaypoker.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-07 17:44]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-07 17:44]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-07 17:44]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-07 17:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e80cba83-fd6a-11dc-bce5-00904b589821}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 10:09:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-05-18 10:13:52
ComboFix-quarantined-files.txt 2008-05-18 00:13:48

Pre-Run: 40,419,495,936 bytes free
Post-Run: 40,767,971,328 bytes free

162 --- E O F --- 2008-05-17 17:03:48
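Beyond the files ComboFix deleted, the "Reg Loading Points" section of the log above carries three things a practitioner would check that the thread does not otherwise discuss: the Security Center DisableMonitoring values, the Windows Firewall AuthorizedApplications list (LimeWire and NoPayPOKER are allowed through), and the mountpoints2 AutoRun handler. As an added example, not ComboFix's or the forum's own code, the Python below parses that REGEDIT4-style dump and reports those entries. One caveat is built into the wording: DisableMonitoring is routinely set by third-party suites so that Security Center defers to them (Norton 360 is present on this machine), so on its own it is not evidence of infection, but the products named there should match what is actually installed. SAMPLE_REG is a constructed excerpt of the keys posted above, trimmed to the entries the audit looks at.

```python
import re

# Constructed excerpt: the "Reg Loading Points" keys from the ComboFix log
# above, trimmed to the entries this audit looks at. Not the full section.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\NoPayPOKER\\nopaypoker.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e80cba83-fd6a-11dc-bce5-00904b589821}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

# "name"=data lines; ComboFix prints firewall exceptions as "path"= with empty data.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_reg(text):
    """Group the REGEDIT4-style dump into {key: [value lines]} in file order."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def dword(data):
    """Decode 'dword:00000001' style data to an int, or None for other types."""
    return int(data[6:], 16) if data.startswith("dword:") else None


def audit(text):
    """Return human-readable notes on the loading points worth a second look."""
    notes = []
    for key, lines in parse_reg(text).items():
        lk = key.lower()
        for line in lines:
            m = VALUE_RE.match(line)
            name = m.group("name") if m else None
            data = m.group("data") if m else line
            if r"security center\monitoring" in lk and name == "DisableMonitoring" and dword(data) == 1:
                # Subkey name is the product that told Security Center to stand down.
                product = re.split(r"monitoring", key, maxsplit=1, flags=re.I)[1].strip("\\") or "(global)"
                notes.append(f"Security Center monitoring disabled: {product}")
            elif name == "AppInit_DLLs" and data:
                notes.append(f"AppInit_DLLs injected into every GUI process: {data}")
            elif "authorizedapplications" in lk and name:
                # REG format doubles backslashes; collapse them for display.
                notes.append(f"Firewall exception: {name.replace(chr(92) * 2, chr(92))}")
            elif "mountpoints2" in lk and "autorun" in line.lower():
                notes.append(f"AutoRun handler on a removable volume: {line}")
    return notes


if __name__ == "__main__":
    for note in audit(SAMPLE_REG):
        print(note)
```

The point of listing the firewall exceptions rather than judging them is that each one is a program the user once clicked "Unblock" for; once LimeWire is uninstalled its exception should go too, and a poker client left in the list is a standing inbound allowance for whatever later lands at that path.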

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Do you have any idea what these files are for? If not, please delete them now:

C:\Program Files\c.zip
C:\Program Files\b.zip
C:\Program Files\a.zip
C:\Documents and Settings\Patrick\n.bat
C:\Documents and Settings\Patrick\yyd.bat
C:\Documents and Settings\Patrick\x.dat
C:\Documents and Settings\Patrick\setup9x.exe
C:\Program Files\B.ico
C:\Program Files\A.ico
C:\Documents and Settings\Guest\setup9x.exe


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\Documents and Settings\WSUSUP~1
C:\WINDOWS\system32\9b98b0a1-7adb-4dbd-876e-bd5f20522a67.dll
C:\WINDOWS\157aa070-b6d0-472d-910e-5b658f3d2e49.ocx
Folder::
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far?

#5 mattsat (Topic Starter, New Member, 9 posts)
ComboFix 08-05-15.3 - matt 2008-05-19 16:43:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.81 [GMT 10:00]
Running from: C:\Documents and Settings\matt\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\matt\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\WSUSUP~1
C:\WINDOWS\157aa070-b6d0-472d-910e-5b658f3d2e49.ocx
C:\WINDOWS\system32\9b98b0a1-7adb-4dbd-876e-bd5f20522a67.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\WSUSUP~1
C:\WINDOWS\157aa070-b6d0-472d-910e-5b658f3d2e49.ocx
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll
C:\WINDOWS\system32\9b98b0a1-7adb-4dbd-876e-bd5f20522a67.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-18 10:04 . 2008-05-18 10:04 1,024 --ah----- C:\Documents and Settings\Default User.WINDOWS\ntuser.dat.LOG
2008-05-17 20:35 . 2008-05-17 20:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 19:59 . 2008-05-17 20:15 1,646 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-15 19:57 . 2008-05-15 19:58 <DIR> d-------- C:\Program Files\UltimateBet
2008-05-13 21:51 . 2008-05-13 21:53 <DIR> d-------- C:\Program Files\Winamp
2008-05-13 21:51 . 2008-05-16 16:31 <DIR> d-------- C:\Documents and Settings\matt\Application Data\Winamp
2008-05-07 17:47 . 2008-05-11 10:12 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-07 17:44 . 2008-05-19 16:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-07 17:44 . 2008-05-07 17:44 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-07 17:44 . 2008-05-07 17:44 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-07 17:44 . 2008-05-07 17:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-07 17:43 . 2008-05-07 17:43 <DIR> d-------- C:\Program Files\AVG
2008-05-07 17:43 . 2008-05-07 17:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-05-06 00:52 . 2008-05-06 00:52 <DIR> d-------- C:\WINDOWS\system32\N360_BACKUP
2008-05-05 17:30 . 2008-05-07 16:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-05-05 16:59 . 2008-05-05 17:59 <DIR> d-------- C:\Documents and Settings\matt\Application Data\Symantec
2008-05-05 16:55 . 2008-05-05 16:55 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMon
2008-05-05 16:55 . 2004-10-07 14:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-05-05 16:55 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-04-29 12:16 . 2004-08-04 22:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-29 12:15 . 2008-04-29 12:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-29 12:13 . 2008-04-29 12:13 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-29 12:13 . 2008-04-29 12:14 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-29 12:12 . 2008-04-29 12:13 <DIR> d-------- C:\ffd17f206b1b80fa36a2199e703d7cb9
2008-04-27 18:19 . 2008-04-27 18:19 <DIR> d-------- C:\Documents and Settings\matt\Application Data\EPSON
2008-04-25 20:26 . 2008-04-25 20:26 <DIR> d-------- C:\Program Files\In The Money
2008-04-20 00:09 . 2008-03-19 18:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-20 00:09 . 2008-03-19 18:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-20 00:08 . 2008-04-20 00:09 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 06:37 --------- d-----w C:\Documents and Settings\matt\Application Data\LimeWire
2008-05-18 10:14 --------- d-----w C:\Program Files\Full Tilt Poker
2008-05-17 14:10 --------- d-----w C:\Program Files\PokerStars
2008-05-15 06:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-14 08:57 --------- d-----w C:\Program Files\PartyGaming
2008-05-09 13:06 --------- d-----w C:\Program Files\World Lawn Bowls
2008-05-07 06:54 --------- d-----w C:\Program Files\Symantec
2008-05-07 06:54 --------- d-----w C:\Program Files\Norton 360
2008-05-07 06:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-15 10:27 --------- d-----w C:\Documents and Settings\matt\Application Data\Microgaming
2008-04-07 09:16 --------- d-----w C:\Program Files\SNGEGT
2008-04-06 10:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-06 10:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-06 10:26 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\UDL
2008-04-06 10:25 --------- d-----w C:\Program Files\epson
2008-04-06 06:33 --------- d-----w C:\Documents and Settings\matt\Application Data\U3
2008-04-06 06:20 --------- d-----w C:\Program Files\Microsoft Works
2008-04-05 12:30 --------- d-----w C:\Program Files\LimeWire
2008-04-05 09:14 --------- d-----w C:\Program Files\Windows Live
2008-04-05 09:13 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-05 09:07 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-04-05 01:54 --------- d-----w C:\Program Files\NoPayPOKER
2008-04-01 04:18 --------- d-----w C:\Program Files\Google
2008-03-31 06:03 --------- d-----w C:\Program Files\Java
2008-03-31 05:26 --------- d-----w C:\Program Files\Poker Royale
2008-03-28 23:46 --------- d-----w C:\Program Files\GDI
2008-03-28 23:44 --------- d-----w C:\Program Files\UIU
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( [email protected]_10.13.35.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 10:23:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 06:31:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-05 17:34 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-31 16:27 171448]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 14:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"PKR Pal"="C:\Program Files\PKR\pkrpal.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 03:15 75520]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 18:30 517768]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-07 17:44 1177368]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-02 04:49 36352]

C:\Documents and Settings\matt\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-09 07:32:57 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NoPayPOKER\\nopaypoker.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-07 17:44]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-07 17:44]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-07 17:44]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-07 17:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e80cba83-fd6a-11dc-bce5-00904b589821}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 16:49:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-05-19 16:52:46
ComboFix-quarantined-files.txt 2008-05-19 06:52:39
ComboFix2.txt 2008-05-18 00:13:54

Pre-Run: 40,435,679,232 bytes free
Post-Run: 40,768,229,376 bytes free

156 --- E O F --- 2008-05-17 17:03:48

It is running better but still a little slow.

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
We can try disabling a bunch of startup programs to see if it helps...

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

LimeWire - I don't recommend using any file sharing programs as they can help contribute to malware problems

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX5900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIP.EXE /FU "C:\WINDOWS\TEMP\E_S272.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe


Restart. Any better now?
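As an added example (not part of this thread or of HijackThis itself), here is a small Python parser for the O4 lines quoted above: it turns them into a startup inventory and picks out the Startup-folder entries that run under SYSTEM or the Default profile, which is the part of the list worth a second look. The sample lines are constructed from post #6, and the executable-path extraction is a heuristic that cuts the command at its first ".exe".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: HijackThis O4 lines in the shape quoted in post #6.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX5900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIP.EXE /FU "C:\WINDOWS\TEMP\E_S272.tmp" /EF "HKLM"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
""".strip().splitlines()

# Registry Run-key form:  O4 - HKLM\..\Run: [ValueName] command line
REG_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder form:    O4 - [scope ]Startup: shortcut.lnk = target [(User 'name')]
FOLDER_RE = re.compile(r"^O4 - (?:(?P<scope>\S+) )?Startup: (?P<name>.+?) = (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# Heuristic: the executable is everything up to the first ".exe", quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)\b', re.IGNORECASE)


@dataclass
class O4Entry:
    location: str        # e.g. "HKLM\Run" or "Startup folder (SYSTEM)"
    name: str            # registry value name or .lnk file name
    executable: str      # path cut at the first ".exe" (heuristic)
    user: Optional[str]  # owning user for Startup-folder entries, None for Run keys


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis O4 line; returns None for lines in any other format."""
    m = REG_RE.match(line)
    if m:
        exe = EXE_RE.match(m["cmd"])
        return O4Entry(f'{m["hive"]}\\{m["key"]}', m["name"], exe["exe"] if exe else m["cmd"], None)
    m = FOLDER_RE.match(line)
    if m:
        user = m["user"] or m["scope"] or "current user"
        exe = EXE_RE.match(m["cmd"])
        return O4Entry(f"Startup folder ({user})", m["name"], exe["exe"] if exe else m["cmd"], user)
    return None


def startup_inventory(lines):
    """All parseable O4 entries, in log order."""
    return [e for e in (parse_o4(ln) for ln in lines) if e]


def machine_wide_startup(entries):
    """Startup-folder entries under SYSTEM or the Default profile: these fire for every
    logon (or at boot) rather than for one user, which is unusual for a user application."""
    return [e for e in entries if e.user in ("SYSTEM", "Default user")]
```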

#7 mattsat (New Member, Topic Starter, 9 posts)
There is no LimeWire program to be checked in HijackThis, maybe because I uninstalled it.
It is running OK; any ideas to speed it up?

Also, I just ran a scan in AVG and it came up with 2 adwares.
hklm/software/internet explorer/activex compatibility/{oedc6c20-a31c-11db-8ab9-0800200c9a66} that was the file

Edited by mattsat, 20 May 2008 - 02:32 AM.


#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Did AVG remove the two adware entries found?

If you fixed those entries in HijackThis and restarted the computer with no improvement, there might be other reasons for the slowdown (may or may not be malware related). We can try running the following scan to see if it finds anything.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

#9 mattsat (New Member, Topic Starter, 9 posts)
I don't know how to remove entries through AVG; I only have the free version.

And the Panda scan doesn't work.
If this is all you can do, I'm happy. Thanks for your time.

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
AVG Free Edition should allow you to remove them. You can check the AVG Virus Vault to confirm that those two adwares were deleted yesterday. You can always check AVG for any updates and then run a full scan to see if it finds anything else.

What's the problem with Panda?

#11 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.