Windows Explorer keeps closing [CLOSED]


This topic is locked

#1
baston
New Member, 4 posts
Protection:
McAfee Viruscan Enterprise Workstation 8.5.0.781
McAfee AntiSpyware Enterprise Module - 8.5.0.163

Though they say vundo and boaxx were deleted successfully, Windows Explorer keeps closing after 20 seconds.

I don't know exactly, but sometimes I experience this after I plug in the "Maxtor One Touch III USB HD 60Gb".

Thanks for the help

Good Day


Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:37 AM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$TESTCK\Binn\sqlservr.exe
C:\Program Files\Eltima Software\SEC\sec_service.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\PROGRA~1\COMMON~1\Ahead\Lib\NMBGMO~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RDS\PLDlnk.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ibmsrv:8080
O1 - Hosts: 69.57.152.127 auto.search.msn.com
O1 - Hosts: 69.57.152.127 auto.search.msn.es
O1 - Hosts: 69.57.152.127 pagead2.googlesyndication.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CF5D165-517E-48B6-B3C7-3054A24F8BF6} - C:\WINDOWS\system32\yayAstRI.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {95048BCB-DFE0-445D-8DAA-D2D4F73921BA} - C:\WINDOWS\system32\iifeEtRI.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B21A2938-6F3D-42CC-9E00-9ACD78141CCc} - C:\WINDOWS\system32\ofyrdkru.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [BMd3b7dbed] Rundll32.exe "C:\WINDOWS\system32\hcrcphov.dll",s
O4 - HKLM\..\Run: [d084e871] rundll32.exe "C:\WINDOWS\system32\ixlnigqj.dll",b
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\PROGRA~1\COMMON~1\Ahead\Lib\NMBGMO~1.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Auto Document Link.lnk = C:\Program Files\RDS\PLDlnk.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gexim.local
O17 - HKLM\Software\..\Telephony: DomainName = gexim.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gexim.local
O20 - Winlogon Notify: ljjkhij - ljjkhij.dll (file missing)
O20 - Winlogon Notify: winadr32 - C:\WINDOWS\SYSTEM32\winadr32.dll
O20 - Winlogon Notify: yayAstRI - C:\WINDOWS\SYSTEM32\yayAstRI.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Eltima Serial To Ethernet Connector Service (sec_service) - Unknown owner - C:\Program Files\Eltima Software\SEC\sec_service.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 10596 bytes
  • 0
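The HijackThis log above carries the indicators a malware-removal helper reads first: hosts-file entries pinning well-known domains to an outside IP (O1), a BHO with no name loading a DLL out of system32 (O2), Run values with machine-generated hex names that load a DLL through rundll32 (O4), Winlogon Notify packages that are not Windows defaults or point at a missing file (O20), and the same DLL registered in more than one hook point (here yayAstRI.dll appears as both a BHO and a Winlogon Notify package). The following Python script is an added example, not code from the thread, from Geeks to Go, or from HijackThis itself: it parses lines in the HijackThis v2 format and reports those structural indicators. The sample log is constructed, modelled on entries above, and the heuristics (unnamed BHO, hex-blob Run value, non-default Notify package, cross-section DLL) are this example's own triage assumptions, not HijackThis's logic.

```python
"""HijackThis log triage (added example; not code from the thread or from HijackThis).

Parses "Oxx - ..." entries and flags the structural indicators a malware-removal
helper reads first. The heuristics are this example's own assumptions, not
HijackThis logic, and the sample log is constructed, modelled on the log above.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in HijackThis v2 format (GUIDs and paths illustrative).
SAMPLE_LOG = r"""
O1 - Hosts: 69.57.152.127 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CF5D165-517E-48B6-B3C7-3054A24F8BF6} - C:\WINDOWS\system32\yayAstRI.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BMd3b7dbed] Rundll32.exe "C:\WINDOWS\system32\hcrcphov.dll",s
O20 - Winlogon Notify: ljjkhij - ljjkhij.dll (file missing)
O20 - Winlogon Notify: yayAstRI - C:\WINDOWS\SYSTEM32\yayAstRI.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
""".lstrip("\n")

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
HEXBLOB_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")  # machine-generated value names (assumption)
DLL_RE = re.compile(r'"?([A-Za-z]:\\.+?\.dll)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number within the log text
    section: str     # HijackThis section(s), e.g. "O2" or "O2+O20"
    indicator: str   # short machine-readable reason
    detail: str      # human-readable explanation for the helper


def triage(text: str) -> list[Finding]:
    """Return the suspicious entries found in a HijackThis log, in log order."""
    findings: list[Finding] = []
    dll_seen: dict[str, list[tuple[int, str]]] = defaultdict(list)  # lower-cased path -> (line, section)

    for n, raw in enumerate(text.splitlines(), 1):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]

        if sec == "O1" and (h := HOSTS_RE.match(body)):
            # A hosts entry is only benign when it points at loopback or the null address.
            if not h["ip"].startswith("127.") and h["ip"] != "0.0.0.0":
                findings.append(Finding(n, sec, "hosts-redirect",
                                        f"{h['host']} pinned to {h['ip']} in the hosts file"))
        elif sec == "O2" and (b := BHO_RE.match(body)):
            dll_seen[b["path"].lower()].append((n, sec))
            if b["name"] == "(no name)":
                findings.append(Finding(n, sec, "unnamed-bho", f"BHO with no name loading {b['path']}"))
        elif sec == "O4" and (r := RUN_RE.match(body)):
            d = DLL_RE.search(r["cmd"])
            if d:
                dll_seen[d[1].lower()].append((n, sec))
            if HEXBLOB_RE.match(r["value"]) and "rundll32" in r["cmd"].lower():
                findings.append(Finding(n, sec, "hex-named-rundll32",
                                        f"Run value '{r['value']}' loads {d[1] if d else r['cmd']} via rundll32"))
        elif sec == "O20" and (w := NOTIFY_RE.match(body)):
            # HijackThis hides the default Notify packages, so every O20 shown deserves review.
            path = w["path"].replace(" (file missing)", "")
            dll_seen[path.lower()].append((n, sec))
            if "(file missing)" in w["path"]:
                findings.append(Finding(n, sec, "notify-missing",
                                        f"Winlogon Notify package '{w['name']}' references a missing DLL"))
            else:
                findings.append(Finding(n, sec, "notify-nondefault",
                                        f"non-default Winlogon Notify package '{w['name']}' -> {path}"))

    # Cross-reference: one DLL registered in several autostart locations is a strong signal.
    for path, hits in dll_seen.items():
        secs = {s for _, s in hits}
        if len(secs) > 1:
            findings.append(Finding(hits[0][0], "+".join(sorted(secs)), "multi-hook-dll",
                                    f"{path} is registered in {', '.join(sorted(secs))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>3} [{f.section}] {f.indicator}: {f.detail}")
```

Run against the constructed sample this reports six findings: the hosts redirect, the unnamed BHO, the hex-named rundll32 Run value, both Winlogon Notify packages, and finally yayAstRI.dll as a DLL hooked in both O2 and O20. Legitimate entries such as the Adobe BHO, SoundMan, NvMediaCenter and the McAfee service produce nothing, which is the point of keying on structure rather than on file names.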

#2
fenzodahl512
Malware Removal, 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following..


Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




NEXT


Please visit the webpage below for instructions on downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.



Regards
fenzodahl512
  • 0

#3
baston
Topic Starter, 4 posts
Shame on me ... I'm using Safari...

Thanks

Think I'll be doing these tomorrow morning.

Got loads of work here.
  • 0

#4
fenzodahl512
Malware Removal, 9,863 posts
Ok.. don't worry about Safari.. It's a good browser, just run ATF and then proceed with the ComboFix step..

Will wait for your log :)
  • 0

#5
baston
Topic Starter, 4 posts
Thanks again ... had to do it quickly ... oops ... hope that not installing the Recovery Console didn't block anything important..

ComboFix 08-07-22.3 - NicolasB 2008-07-23 14:00:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2787 [GMT 4:00]
Running from: C:\Documents and Settings\NicolasB\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMd3b7dbed.txt
C:\WINDOWS\imglib.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\SNMPAPI.DLL
C:\WINDOWS\sysk32.dll
C:\WINDOWS\system32\amohavgp.dll
C:\WINDOWS\system32\apofswex.ini
C:\WINDOWS\system32\bjixftph.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cfgjbvgy.ini
C:\WINDOWS\system32\cngxhgss.ini
C:\WINDOWS\system32\cnunapxh.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\edeyvdxe.ini
C:\WINDOWS\system32\ekpyxuph.ini
C:\WINDOWS\system32\faeslmtg.ini
C:\WINDOWS\system32\fcopgqxx.ini
C:\WINDOWS\system32\fotkpqrj.ini
C:\WINDOWS\system32\fqkqyuhj.ini
C:\WINDOWS\system32\frbrjmdw.dll
C:\WINDOWS\system32\fttxxxoh.ini
C:\WINDOWS\system32\fudnmfny.ini
C:\WINDOWS\system32\fygnyvlc.dll
C:\WINDOWS\system32\gaavhkut.ini
C:\WINDOWS\system32\gguuuosn.ini
C:\WINDOWS\system32\ginxwdya.dll
C:\WINDOWS\system32\glbqmbnm.dll
C:\WINDOWS\system32\gmhunwdc.ini
C:\WINDOWS\system32\gpntiadc.ini
C:\WINDOWS\system32\hldfpveu.ini
C:\WINDOWS\system32\hvtotcnh.dll
C:\WINDOWS\system32\iacqfpsg.ini
C:\WINDOWS\system32\ihoepicd.ini
C:\WINDOWS\system32\iojvicin.dll
C:\WINDOWS\system32\iowwleyv.ini
C:\WINDOWS\system32\IRtEefii.ini
C:\WINDOWS\system32\IRtEefii.ini2
C:\WINDOWS\system32\jfmfxycf.ini
C:\WINDOWS\system32\jhsxfjfc.ini
C:\WINDOWS\system32\jqginlxi.ini
C:\WINDOWS\system32\jxalbubq.ini
C:\WINDOWS\system32\lbgsomcf.ini
C:\WINDOWS\system32\lhngvext.ini
C:\WINDOWS\system32\lnudlqxg.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgmpqycs.ini
C:\WINDOWS\system32\mmgoxbnr.ini
C:\WINDOWS\system32\nmjxsxkk.dll
C:\WINDOWS\system32\nsqqeiwr.dll
C:\WINDOWS\system32\ofyrdkru.dll
C:\WINDOWS\system32\opajktem.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pkrnljin.ini
C:\WINDOWS\system32\pttmhtmp.ini
C:\WINDOWS\system32\rhukaubt.ini
C:\WINDOWS\system32\rjgwtmlw.ini
C:\WINDOWS\system32\rxdofppv.ini
C:\WINDOWS\system32\sxafpqsr.dll
C:\WINDOWS\system32\tnfmdokv.ini
C:\WINDOWS\system32\trkxgvbb.ini
C:\WINDOWS\system32\uckrtcak.dll
C:\WINDOWS\system32\usjwcrdn.ini
C:\WINDOWS\system32\uyfxlnuf.ini
C:\WINDOWS\system32\vbwbebgf.ini
C:\WINDOWS\system32\vdsrehgb.ini
C:\WINDOWS\system32\vgtvbjck.ini
C:\WINDOWS\system32\vjeriydi.ini
C:\WINDOWS\system32\vsplbtxx.ini
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wejfoimq.ini
C:\WINDOWS\system32\wgoexuvi.ini
C:\WINDOWS\system32\winadr32.dll
C:\WINDOWS\system32\wivajmtu.dll
C:\WINDOWS\system32\wjloatel.ini
C:\WINDOWS\system32\wnrbrais.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\xtatqlgr.ini
C:\WINDOWS\system32\xxtblpsv.dll
C:\WINDOWS\system32\xyjekcky.ini
C:\WINDOWS\system32\ybvbpsix.ini
C:\WINDOWS\system32\ycrvwrvk.ini
C:\WINDOWS\system32\yniiuplu.ini
C:\WINDOWS\system32\ypjteggi.dll
C:\WINDOWS\system32\yqrabfhp.ini
C:\WINDOWS\system32\ytsbgynr.ini
C:\WINDOWS\system32\ytufvkkk.dll
C:\WINDOWS\system32\ytwffoda.dll
C:\WINDOWS\system32\yynamnyp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-21 08:11 . 2008-07-21 08:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-15 11:57 . 2008-07-15 11:57 <DIR> d-------- C:\Program Files\Serif
2008-07-15 11:57 . 1993-11-24 08:38 21,008 --a------ C:\WINDOWS\system32\Ctl3d.dll
2008-07-08 13:45 . 2008-07-08 13:45 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-07-08 11:49 . 2008-07-08 14:07 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-07-08 11:43 . 2008-07-08 11:43 <DIR> d-------- C:\Program Files\Autodesk
2008-07-08 10:59 . 2008-07-08 10:59 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-08 10:59 . 2008-07-08 10:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-08 10:59 . 2008-07-08 10:59 <DIR> d-------- C:\Program Files\MSBuild
2008-07-08 10:58 . 2008-07-08 10:58 <DIR> d-------- C:\spoolerlogs
2008-07-08 10:57 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-07-08 10:52 . 2008-07-08 10:52 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-04 16:34 . 2008-07-08 11:28 <DIR> d-------- C:\Program Files\PowerISO
2008-07-04 11:11 . 2008-07-04 11:11 <DIR> d-------- C:\Program Files\CDBurnerXP Pro 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 06:39 --------- d-----w C:\Program Files\FreeCommander
2008-07-21 05:06 --------- d-----w C:\Program Files\Map Maker
2008-07-18 10:18 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-10 03:56 --------- d-----w C:\Documents and Settings\NicolasB\Application Data\TransRender
2008-07-08 10:45 --------- d-----w C:\Program Files\M-Color
2008-07-08 09:58 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-07-08 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-07-03 04:52 --------- d-----w C:\Documents and Settings\NicolasB\Application Data\SmartDraw
2008-06-23 10:43 --------- d-----w C:\Program Files\Safari
2008-06-19 05:01 --------- d-----w C:\Program Files\progeSOFT
2008-06-05 06:41 --------- d-----w C:\Documents and Settings\NicolasB\Application Data\U3
2008-06-02 11:11 --------- d-----w C:\Program Files\iTunes
2008-06-02 11:11 --------- d-----w C:\Program Files\iPod
2008-06-02 11:08 --------- d-----w C:\Program Files\QuickTime
2008-06-02 11:03 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-27 10:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 07:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-27 07:10 --------- d-----w C:\Documents and Settings\NicolasB\Application Data\AdobeUM
2008-05-26 13:03 --------- d-----w C:\Documents and Settings\NicolasB\Application Data\Temporary
2008-05-26 12:19 --------- d-----w C:\Program Files\Outlook Web Access Administration
2008-04-30 12:30 3,774,261 ----a-w C:\WINDOWS\FramePkg.exe
2007-08-07 04:14 98 -c-h--w C:\Documents and Settings\All Users\Application Data\emopts.dat
2002-09-11 14:26 63,730 -c--a-w C:\Program Files\viewsonicinstruct_xp.pdf
2002-08-15 16:54 3,198,976 -c--a-w C:\Program Files\ViewSonicregistration.exe
.

------- Sigcheck -------

2004-09-01 05:00 359040 7b11118b078b88f87183fe69eda43137 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E34C582F-BC9C-4D30-BE20-3E8BE5BF2679}]
2008-06-13 09:46 322560 --a------ C:\WINDOWS\system32\iifeEtRI.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34 128000]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\PROGRA~1\COMMON~1\Ahead\Lib\NMBGMO~1.EXE" [2006-03-02 04:43 90112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-01 05:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-04-28 11:47 86016]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06 136768]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [2004-03-18 16:47 151552]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-04 04:09 40960]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 01:48 479232]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 20:50 112216]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [2005-10-16 05:15 167936]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 09:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2006-04-28 11:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-09-01 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-08-14 12:58:20 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-30 22:36:38 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Auto Document Link.lnk - C:\Program Files\RDS\PLDlnk.exe [2007-12-30 09:55:25 409600]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-09-23 09:27:21 10872]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\RDS\\PLDlnk.exe"=
"C:\\Program Files\\RDS\\RView.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\@Last Software\\SketchUp 5\\SketchUp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58122:TCP"= 58122:TCP:Pando P2P TCP Listening Port
"58122:UDP"= 58122:UDP:Pando P2P UDP Listening Port
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 13:38]
R2 CachemanXPService;CachemanXP;C:\Program Files\CachemanXP\CachemanXP.exe [2006-03-22 02:36]
R2 MSSQL$TESTCK;MSSQL$TESTCK;C:\Program Files\Microsoft SQL Server\MSSQL$TESTCK\Binn\sqlservr.exe [2002-12-17 17:26]
R2 sec_service;Eltima Serial To Ethernet Connector Service;C:\Program Files\Eltima Software\SEC\sec_service.exe [2007-08-22 23:47]
R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);C:\WINDOWS\system32\DRIVERS\evserial.sys [2007-06-07 15:28]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);C:\WINDOWS\system32\DRIVERS\evsbc.sys [2007-06-07 15:28]
S3 SQLAgent$TESTCK;SQLAgent$TESTCK;C:\Program Files\Microsoft SQL Server\MSSQL$TESTCK\Binn\sqlagent.EXE [2002-12-17 17:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18083006-bce4-11dc-bb06-00138fa0cbd6}]
\Shell\AutoRun\command - H:\oufddh.exe
\Shell\explore\Command - H:\oufddh.exe
\Shell\open\Command - H:\oufddh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7003f4de-473f-11dd-8f18-00138fa0cbd6}]
\Shell\AutoRun\command - I:\1nkbd8h.bat
\Shell\explore\Command - I:\1nkbd8h.bat
\Shell\open\Command - I:\1nkbd8h.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6ece4c0-f67a-11dc-be93-00138fa0cbd6}]
\Shell\AutoRun\command - I:\un9.cmd
\Shell\explore\Command - I:\un9.cmd
\Shell\open\Command - I:\un9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6ece4c7-f67a-11dc-be93-00138fa0cbd6}]
\Shell\AutoRun\command - H:\1weicxa.com
\Shell\explore\Command - H:\1weicxa.com
\Shell\open\Command - H:\1weicxa.com
.
Contents of the 'Scheduled Tasks' folder
"2008-07-21 10:18:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-d084e871 - C:\WINDOWS\system32\xxtblpsv.dll
HKLM-Run-BMd3b7dbed - C:\WINDOWS\system32\wivajmtu.dll
Notify-ljjkhij - ljjkhij.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = google.net-studio.org
R0 -: HKLM-Main,Start Page = hxxp://www.msn.com
R1 -: HKCU-Internet Settings,ProxyServer = ibmsrv:8080
R1 -: HKCU-Internet Settings,ProxyOverride = <local>;*.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 14:14:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Network Associates\Common Framework\Mctray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-23 14:23:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-23 10:23:52

Pre-Run: 9,048,772,608 bytes free
Post-Run: 8,617,873,408 bytes free

291

Edited by baston, 23 July 2008 - 04:42 AM.

  • 0

#6
baston
Topic Starter, 4 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:15 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$TESTCK\Binn\sqlservr.exe
C:\Program Files\Eltima Software\SEC\sec_service.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\PROGRA~1\COMMON~1\Ahead\Lib\NMBGMO~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RDS\PLDlnk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ibmsrv:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E34C582F-BC9C-4D30-BE20-3E8BE5BF2679} - C:\WINDOWS\system32\iifeEtRI.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\PROGRA~1\COMMON~1\Ahead\Lib\NMBGMO~1.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Auto Document Link.lnk = C:\Program Files\RDS\PLDlnk.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gexim.local
O17 - HKLM\Software\..\Telephony: DomainName = gexim.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gexim.local
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Eltima Serial To Ethernet Connector Service (sec_service) - Unknown owner - C:\Program Files\Eltima Software\SEC\sec_service.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9967 bytes
  • 0

#7
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\iifeEtRI.dll
H:\oufddh.exe
I:\1nkbd8h.bat
I:\un9.cmd
H:\1weicxa.com

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E34C582F-BC9C-4D30-BE20-3E8BE5BF2679}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18083006-bce4-11dc-bb06-00138fa0cbd6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7003f4de-473f-11dd-8f18-00138fa0cbd6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6ece4c0-f67a-11dc-be93-00138fa0cbd6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6ece4c7-f67a-11dc-be93-00138fa0cbd6}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
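The items the helper scripted for removal above (an IE start page redirected to an unfamiliar host, an unnamed O2 BHO loading a random-looking DLL from system32, and a service with no listed publisher) are the kind of entries a quick first pass over a HijackThis log should surface. The following is an added example, not code from this thread, from HijackThis or from ComboFix: it parses the R0/R1, O2 and O23 line types and applies those three checks to a handful of constructed sample lines modelled on the log posted above. The TRUSTED_DOMAINS allowlist and the sample lines are assumptions for the demo, and "info" findings such as "Unknown owner" services are only prompts to verify the binary, not verdicts (the two such services in this log are legitimate licensing tools).

```python
"""Flag suspicious entries in a HijackThis (HJT) log.

Added example, not code from the thread, HijackThis or ComboFix.
Parses R0/R1 (IE start/search pages), O2 (browser helper objects)
and O23 (services) lines and applies simple defender-side checks.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: domains an IE start/search page may legitimately point at.
TRUSTED_DOMAINS = ("microsoft.com", "msn.com", "google.com")

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed sample lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ibmsrv:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E34C582F-BC9C-4D30-BE20-3E8BE5BF2679} - C:\WINDOWS\system32\iifeEtRI.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""


@dataclass
class Finding:
    severity: str  # "high" = act on it, "info" = verify the binary
    line: str
    reason: str


def host_of(value: str) -> str:
    """Host part of an IE page setting; HJT prints some values without a scheme."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.split("/")[0].lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    if code in ("R0", "R1"):
        r = R_RE.match(rest)
        if r:
            name, value = r.group("name").strip(), r.group("value").strip()
            # Only page/URL settings; ProxyServer and the like are site policy.
            if value and name.endswith(("Page", "URL")):
                host = host_of(value)
                if not is_trusted(host):
                    return Finding("high", line, f"IE {name} points at untrusted host {host}")
    elif code == "O2":
        b = O2_RE.match(rest)
        if b and b.group("name") == "(no name)":
            return Finding("high", line, f"unnamed BHO loading {b.group('path')}")
    elif code == "O23":
        s = O23_RE.match(rest)
        if s and s.group("owner") == "Unknown owner":
            return Finding("info", line, f"service '{s.group('name')}' has no publisher; verify the binary")
    return None


def scan_log(text: str) -> List[Finding]:
    """Run check_line over every line of a log and keep the findings, in log order."""
    return [f for f in (check_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}")
```

The script only triages: a "high" finding on an unnamed BHO is a reason to look at the DLL (timestamp, signature, VirusTotal-style scan), and the helper's CFScript above shows the eventual fix, deleting the file and its BHO registration rather than just unchecking the HJT line. The MountPoints2 keys in that script are Explorer's per-volume autorun cache, which fits the poster's observation that the problem appeared after plugging in the USB drive.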

#8
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
