seeking help for something bad -

Post by absolutjer » June 3rd, 2008, 8:44 pm

I seem to have picked up a nasty. I have spent 3 days trying to figure it out to no avail.

In Explorer or Firefox, when I view source on any webpage I happen to be on, I see a bunch of extra code this thing is adding. I have not posted that yet as per the forum rules, so please let me know if you want to see that.

I can tell you that it creates popups, will not let me browse most sites including this one (I am on an alternate PC now), and it also replaces Google AdSense ads with its own ads that seem to point to http://85.12.43.83.

I am posting my hijack this log please let me know if you wish to see the code this is adding in the source of any pages I visit.

Thank you so much in advance for helping me sort this out.

Regards,
Jeremy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:57 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Jeremy\Desktop\HiJackThis.exe
C:\Program Files\Ipswitch\WS_FTP Professional\wsftpgui.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: 12Ghosts Toolbar - {00000000-000a-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12toolbar.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: {6740ff79-af60-2f69-9654-e40c0f9eb741} - {147be9f0-c04e-4569-96f2-06fa97ff0476} - C:\WINDOWS\system32\bqmhqxgw.dll
O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O2 - BHO: (no name) - {3CCCDA83-4EEC-4E0E-9236-03B9DC263452} - C:\WINDOWS\system32\efcCTkjg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5545f7a9-1ac5-4379-8bd0-48be66224ace} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {73D69CA2-548D-47A4-BCB0-D37CDED94BF1} - C:\WINDOWS\system32\opnklmKe.dll (file missing)
O2 - BHO: (no name) - {74F0B537-6F4A-4FCC-8E05-030527233A4F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {87862E26-BDA0-4A78-B94C-86BCB9428A6F} - C:\WINDOWS\system32\mlJAqnLD.dll (file missing)
O2 - BHO: (no name) - {9935F045-42D4-42AA-96CC-AF76DC1BA691} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {D42BD2EB-E7AF-4A54-9820-5AC78C91E7F0} - C:\WINDOWS\system32\pmnmmLFY.dll (file missing)
O3 - Toolbar: ToolbarBrowser - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: 12-Toolbar - {00000000-000b-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12toolbar.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BM4f5447e9] Rundll32.exe "C:\WINDOWS\system32\xdckcmrh.dll",s
O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O4 - Startup: EzPhone Recorder 1.1.lnk = C:\Program Files\EzPhone Recorder 1.1\ezfonrec.exe
O4 - Startup: My Personal Assistant.lnk = C:\Program Files\My Personal Assistant\mpa.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Clear Fields - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComClearFields.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: Password Generator - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O8 - Extra context menu item: Reset Fields - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComResetFields.html
O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O8 - Extra context menu item: RoboForm TaskBar Icon - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Safenotes Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditNote.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Set Fields - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra 'Tools' menuitem: RoboForm Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Generate - {320AF880-6646-11D3-ABEE-C5DBF3571F50} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O9 - Extra 'Tools' menuitem: Password Generator - {320AF880-6646-11D3-ABEE-C5DBF3571F50} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O9 - Extra button: TaskBar - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra 'Tools' menuitem: RoboForm TaskBar Icon - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra button: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra 'Tools' menuitem: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: Reset Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F53} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComResetFields.html
O9 - Extra 'Tools' menuitem: Reset Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F53} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComResetFields.html
O9 - Extra button: Clear Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F54} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComClearFields.html
O9 - Extra 'Tools' menuitem: Clear Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F54} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComClearFields.html
O9 - Extra button: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra 'Tools' menuitem: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra 'Tools' menuitem: Passcards Editor - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra button: Safenotes - {45DB34C3-955C-11D3-ABEF-444553540002} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditNote.html
O9 - Extra 'Tools' menuitem: Safenotes Editor - {45DB34C3-955C-11D3-ABEF-444553540002} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditNote.html
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (Sony SNC-RZ30 Image Viewer) - http://193.251.78.60/home/SonySncRz30View.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://71.157.145.90:8222/activex/AMC.cab
O16 - DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} (SonySncMView Control) - http://87.250.122.182:5555/SonySncMView.cab
O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - http://service.ringcentral.com/ActiveX/RCAXSetup.cab
O16 - DPF: {FA478DB9-803F-4154-9DDB-765EA9E35333} (Sony SNC-P1 Control) - http://80.224.34.246:2346/program/SonySncP1View.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: mlJAqnLD - mlJAqnLD.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (http://www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 22607 bytes
absolutjer
Active Member
 
Posts: 10
Joined: June 3rd, 2008, 8:29 pm
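A triage helper for the HijackThis log above, added here as an example; it is not part of the thread and not code from HijackThis. It parses the O2/O4/O20 entries and flags the same things a helper would look at first: a registered component whose file is missing, an eight-letter random-looking DLL name, and a Run value that starts a DLL through rundll32. The sample lines are copied from the posted log, and the random-name rule is a heuristic of my own.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted above,
# mixing legitimate add-ons (SnagIt, Spybot, Symantec, VMware) with the
# suspicious ones.
SAMPLE_LOG = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: {6740ff79-af60-2f69-9654-e40c0f9eb741} - {147be9f0-c04e-4569-96f2-06fa97ff0476} - C:\WINDOWS\system32\bqmhqxgw.dll
O2 - BHO: (no name) - {3CCCDA83-4EEC-4E0E-9236-03B9DC263452} - C:\WINDOWS\system32\efcCTkjg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5545f7a9-1ac5-4379-8bd0-48be66224ace} - (no file)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BM4f5447e9] Rundll32.exe "C:\WINDOWS\system32\xdckcmrh.dll",s
O20 - Winlogon Notify: mlJAqnLD - mlJAqnLD.dll (file missing)
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
"""

# "O2 - <body>", "R1 - <body>" and so on.
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# First DLL file name in an entry; the stem stops at the path separator.
DLL_RE = re.compile(r"([A-Za-z0-9_~]+)\.dll", re.IGNORECASE)
VOWELS = set("aeiouAEIOU")


def parse_entry(line):
    """Split one HJT line into (section, body); None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def looks_random(stem):
    """Heuristic (my own, not HijackThis's) for the eight-letter random
    DLL stems in the posted log such as bqmhqxgw, efcCTkjg and mlJAqnLD:
    all letters, and either at most one vowel or at least two switches
    between lower and upper case.  Real names like SDHelper or roboform
    fail both tests."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(c in VOWELS for c in stem)
    switches = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return vowels <= 1 or switches >= 2


def triage_line(line):
    """Return the reasons an entry deserves a look (empty list if none)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []
    # A registered BHO / Notify handler whose file is gone: leftover from a
    # partial removal, and in this log every one of them has a random name.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("registered component has no file on disk")
    m = DLL_RE.search(body)
    if m:
        stem = m.group(1)
        in_system32 = "\\system32\\" in body.lower()
        if looks_random(stem) and (in_system32 or section == "O20"):
            reasons.append("random-looking DLL name: %s.dll" % stem)
    # O4 Run value that starts a DLL via rundll32 rather than a program.
    if section == "O4" and "rundll32" in body.lower() and ".dll" in body.lower():
        reasons.append("Run key loads a DLL through rundll32")
    return reasons


def triage_log(text):
    """Map each flagged entry (stripped) to its reasons, in log order."""
    findings = {}
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Run against the full log it prints the five entries a helper would ask about, and nothing for the SnagIt, Spybot, Symantec or VMware lines.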

Re: seeking help for something bad -

Post by dan12 » June 4th, 2008, 1:31 am

Welcome to the MalwareRemoval forums.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default.)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: seeking help for something bad -

Post by dan12 » June 4th, 2008, 1:32 am

HijackThis.exe needs a permanent folder of its own in order to create backups.
Create a folder on the desktop: right click on the desktop, select New Folder, and name it HJT. Now locate < path location >
and copy and paste it into the new folder (HJT) you created on the desktop.
Do this before you continue.

________________


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.


  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: seeking help for something bad -

Post by absolutjer » June 4th, 2008, 2:19 pm

Hi Dan-

Thank you very much for your help. I have followed all of the steps you outlined.

After ComboFix finished running, the computer automatically restarted. Once it restarted, the desktop never reappeared. I can see my desktop background but nothing else.

I did a Ctrl/Alt/Del to check out the Task Manager. I see Explorer is not running.

I am wondering if ComboFix is still doing its thing and I should wait, or if I should restart with Task Manager.

The visual signs of ComboFix finished up almost 10 hours ago; it only took about 45 minutes when it was running and did appear to complete all of the steps as per the manual, aside from telling me it had saved the log.

Thank you-
Jeremy
absolutjer
Active Member
 
Posts: 10
Joined: June 3rd, 2008, 8:29 pm

Re: seeking help for something bad -

Post by dan12 » June 4th, 2008, 2:35 pm

Hi, can you look here C:\ComboFix.txt for me to see if the log is there.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: seeking help for something bad -

Post by absolutjer » June 4th, 2008, 2:59 pm

I searched for C:\ComboFix.txt in the taskmanager by going to file and then new task and it is not finding it.
absolutjer
Active Member
 
Posts: 10
Joined: June 3rd, 2008, 8:29 pm

Re: seeking help for something bad -

Post by dan12 » June 4th, 2008, 3:13 pm

You won't find it there; go to your C: directory and it will be there.

Right click Start, select Explore, click on Local Disk (C:), and in the right-hand pane you can look at the content of C:.
When found, post me the report.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: seeking help for something bad -

Post by absolutjer » June 4th, 2008, 4:11 pm

Sorry, maybe I was not clear above. I currently have no Start button to right click on. All I am seeing is my background image. Nothing came back except the background image after ComboFix restarted my PC. I checked in Task Manager and Explorer is not running. I just went ahead and started explorer.exe in the Task Manager.

The ComboFix box just popped up and now says "preparing log report". I will post that in a few minutes as soon as it finishes.

Hopefully I was OK in starting explorer.exe? I was assuming that is what I was going to need to do but was not sure.
absolutjer
Active Member
 
Posts: 10
Joined: June 3rd, 2008, 8:29 pm

Re: seeking help for something bad -

Post by absolutjer » June 4th, 2008, 4:14 pm

Shoot, likely I made a mistake in starting Explorer, sorry ;-) I now see ComboFix says do not start any programs while it is preparing the report, but my normal startup programs seem to have started.

ComboFix did not start back up until I started Explorer to be able to see the Start button. Hopefully I am OK here; I will post the log ASAP.
absolutjer
Active Member
 
Posts: 10
Joined: June 3rd, 2008, 8:29 pm

Re: seeking help for something bad -

Post by absolutjer » June 4th, 2008, 4:23 pm

ComboFix 08-06-03.1 - Jeremy 2008-06-04 0:03:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2439 [GMT -7:00]
Running from: C:\Documents and Settings\Jeremy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeremy\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\setup.exe
C:\WINDOWS\BM4f5447e9.xml
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bqmhqxgw.dll
C:\WINDOWS\system32\brjywduj.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\chrbngcd.dll
C:\WINDOWS\system32\cloqftmb.dll
C:\WINDOWS\system32\deujujyc.dll
C:\WINDOWS\system32\deyquewu.ini
C:\WINDOWS\system32\eKmlknpo.ini
C:\WINDOWS\system32\eKmlknpo.ini2
C:\WINDOWS\system32\euleamxc.dll
C:\WINDOWS\system32\fxqyluqy.ini
C:\WINDOWS\system32\gjkTCcfe.ini
C:\WINDOWS\system32\gjkTCcfe.ini2
C:\WINDOWS\system32\judwyjrb.dll
C:\WINDOWS\system32\jvwmjysr.dll
C:\WINDOWS\system32\lxpqurnl.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nuyoavcx.dll
C:\WINDOWS\system32\opnvklys.ini
C:\WINDOWS\system32\phsicsud.ini
C:\WINDOWS\system32\uweuqyed.dll
C:\WINDOWS\system32\wbwtevqf.ini
C:\WINDOWS\system32\wqfxdebh.dll
C:\WINDOWS\system32\xdckcmrh.dll
C:\WINDOWS\system32\YFLmmnmp.ini
C:\WINDOWS\system32\YFLmmnmp.ini2
C:\WINDOWS\system32\yqulyqxf.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-04 03:04 . 2008-06-04 03:04 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-04 01:25 . 2008-06-04 01:25 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-03 17:18 . 2008-06-03 17:18 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\TrojanHunter
2008-06-03 00:06 . 2008-06-03 00:06 <DIR> d-------- C:\VundoFix Backups
2008-06-02 23:46 . 2008-06-02 23:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 23:46 . 2008-06-02 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 22:05 . 2008-06-01 22:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-01 22:05 . 2008-06-01 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-01 14:19 . 2008-06-01 14:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-01 14:19 . 2008-06-01 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 14:10 . 2008-06-01 14:11 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-06-01 14:02 . 2008-06-01 14:10 <DIR> d-------- C:\Program Files\TrojanHunter 4.0
2008-05-30 22:20 . 2008-05-30 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-05-30 22:09 . 2008-05-30 22:09 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-05-30 22:05 . 2008-05-30 22:05 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-05-30 22:04 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-30 21:59 . 2008-05-30 21:59 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\Sony Setup
2008-05-29 17:41 . 2008-05-29 17:41 <DIR> d-------- C:\Program Files\Citrix
2008-05-29 17:40 . 2008-05-29 17:40 56,912 --a------ C:\Documents and Settings\Jeremy\g2mdlhlpx.exe
2008-05-27 22:59 . 2008-05-31 00:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-27 22:59 . 2008-05-27 22:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-24 09:19 . 2008-05-24 09:19 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-21 10:50 . 2008-05-21 10:50 <DIR> d-------- C:\Program Files\LIUtilities
2008-05-21 10:50 . 2008-05-21 10:50 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\Uniblue
2008-05-21 10:49 . 2008-05-21 10:49 <DIR> d-------- C:\Program Files\Uniblue
2008-05-17 13:25 . 2008-05-17 13:25 <DIR> d-------- C:\Program Files\7-Zip
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-12 17:40 . 2008-05-12 17:40 <DIR> d-------- C:\Program Files\SetupStream

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-04 17:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-04 08:22 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-04 08:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-03 04:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-02 22:23 --------- d-----w C:\Program Files\Norton SystemWorks
2008-06-02 20:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-02 20:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-02 20:46 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-02 20:46 --------- d-----w C:\Program Files\Symantec
2008-05-31 06:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-31 05:20 --------- d-----w C:\Program Files\VSTplugins
2008-05-31 05:18 --------- d-----w C:\Program Files\Sony
2008-05-31 05:13 --------- d-----w C:\Program Files\MSBuild
2008-05-31 04:59 --------- d-----w C:\Program Files\Sony Setup
2008-05-11 05:51 --------- d-----w C:\Program Files\Desktop Member Manager
2008-05-04 16:47 --------- d-----w C:\Program Files\Java
2008-05-04 16:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-29 15:41 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-04-26 04:59 --------- d-----w C:\Program Files\Trillian
2008-04-23 21:37 --------- d-----w C:\Program Files\ecover
2008-04-10 19:46 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-10 06:28 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\GlobalSCAPE
2008-04-10 06:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-04-10 06:22 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\SmartFTP
2008-04-10 06:21 --------- d-----w C:\Program Files\SmartFTP Client
2008-04-09 07:42 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\Move Networks
2008-04-07 00:14 --------- d-----w C:\Program Files\HTML Password Lock
2008-04-05 16:57 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\vlc
2008-04-05 16:53 --------- d-----w C:\Program Files\VideoLAN
2007-08-07 00:00 3,433 ----a-w C:\Documents and Settings\Jeremy\Application Data\SAS7_000.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{147be9f0-c04e-4569-96f2-06fa97ff0476}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CCCDA83-4EEC-4E0E-9236-03B9DC263452}]
C:\WINDOWS\system32\efcCTkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5545f7a9-1ac5-4379-8bd0-48be66224ace}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 20:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-30 22:55 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73D69CA2-548D-47A4-BCB0-D37CDED94BF1}]
C:\WINDOWS\system32\opnklmKe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74F0B537-6F4A-4FCC-8E05-030527233A4F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87862E26-BDA0-4A78-B94C-86BCB9428A6F}]
C:\WINDOWS\system32\mlJAqnLD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9935F045-42D4-42AA-96CC-AF76DC1BA691}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42BD2EB-E7AF-4A54-9820-5AC78C91E7F0}]
C:\WINDOWS\system32\pmnmmLFY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-24 20:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 20:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@={95A27763-F62A-4114-9072-E81D87DE3B68}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@={01CCCC8C-1D50-4b13-B96D-4B922DD3128B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@={5E529433-B50E-4bef-A63B-16A6B71B071A}

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RCUI"="C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe" [2007-08-29 15:46 386496]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-15 21:03 160592]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 12:22 1923352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 21:22 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"RCHotKey"="C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2007-08-23 15:39 24512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"BM4f5447e9"="C:\WINDOWS\system32\xdckcmrh.dll" [ ]

C:\Documents and Settings\Jeremy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Dragon NaturallySpeaking.lnk - C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2006-06-28 05:11:56 2297856]
EzPhone Recorder 1.1.lnk - C:\Program Files\EzPhone Recorder 1.1\ezfonrec.exe [2006-01-21 19:47:40 569344]
My Personal Assistant.lnk - C:\Program Files\My Personal Assistant\mpa.exe [2007-10-02 16:34:21 578048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-08-29 12:03:13 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{87862E26-BDA0-4A78-B94C-86BCB9428A6F}"= C:\WINDOWS\system32\mlJAqnLD.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAqnLD]
mlJAqnLD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= CSvidcap.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Pure Networks\\Network Magic\\WebServer\\bin\\nmraapache.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 01:53]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-03 23:10]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-03 23:10]
S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE [2004-10-04 12:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\SETUP.EXE
\Shell\configure\command - C:\SETUP.EXE
\Shell\install\command - C:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cad026c-ec94-11dc-b62f-00123f6c036b}]
\Shell\AutoRun\command - K:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - K:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dd15188-19d9-11dc-b5c6-005056c00008}]
\Shell\AutoRun\command - J:\.\MigWiz\migsetup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 23:44:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-02 18:28:12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Jeremy.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 13:09:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\PRISMSVR.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-04 13:18:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 20:17:49

Pre-Run: 708,525,494,272 bytes free
Post-Run: 712,141,402,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

293 --- E O F --- 2008-06-04 10:04:41
absolutjer
Active Member
 
Posts: 10
Joined: June 3rd, 2008, 8:29 pm

Re: seeking help for something bad -

Unread postby dan12 » June 4th, 2008, 6:10 pm

Well done! You got there in the end.
I will go through your returned log, but it will be tomorrow now when I get back to you, as it's late here.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: seeking help for something bad -

Unread postby absolutjer » June 5th, 2008, 5:01 am

Thanks much!
absolutjer
Active Member
 
Posts: 10
Joined: June 3rd, 2008, 8:29 pm

Re: seeking help for something bad -

Unread postby dan12 » June 5th, 2008, 3:25 pm

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\efcCTkjg.dll
C:\WINDOWS\system32\opnklmKe.dll
C:\WINDOWS\system32\mlJAqnLD.dll
C:\WINDOWS\system32\pmnmmLFY.dll
C:\WINDOWS\system32\xdckcmrh.dll
Folder::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{147be9f0-c04e-4569-96f2-06fa97ff0476}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CCCDA83-4EEC-4E0E-9236-03B9DC263452}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5545f7a9-1ac5-4379-8bd0-48be66224ace}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73D69CA2-548D-47A4-BCB0-D37CDED94BF1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74F0B537-6F4A-4FCC-8E05-030527233A4F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87862E26-BDA0-4A78-B94C-86BCB9428A6F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9935F045-42D4-42AA-96CC-AF76DC1BA691}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42BD2EB-E7AF-4A54-9820-5AC78C91E7F0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM4f5447e9"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{87862E26-BDA0-4A78-B94C-86BCB9428A6F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAqnLD]

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Please post the above reports.
dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
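The hand-written CFScript above follows a rule you can read off the log: the Symantec BHOs carry a date, size and attribute prefix because ComboFix could find the DLL on disk, while the entries marked for removal are either empty or show only a bare DLL path in system32. As an added example (not a MalwareRemoval.com or ComboFix tool), this Python script applies that rule to the BHO section of a ComboFix report and emits the matching File:: and Registry:: lines; the sample input is an excerpt of the first log in this thread, and the rule itself is an assumption drawn from this thread, not a general-purpose classifier.

```python
import re

# Key line of a BHO entry as ComboFix prints it under "Reg Loading Points"
BHO_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
# "YYYY-MM-DD HH:MM size attrs path": ComboFix found the DLL and could stat it
FILE_INFO = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.+)$")
# A bare DLL path with no date/size/attribute prefix
BARE_PATH = re.compile(r"^[A-Za-z]:\\.+\.dll$", re.IGNORECASE)

# Constructed sample: an excerpt of the first ComboFix log posted in this thread
SAMPLE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{147be9f0-c04e-4569-96f2-06fa97ff0476}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CCCDA83-4EEC-4E0E-9236-03B9DC263452}]
C:\WINDOWS\system32\efcCTkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 20:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73D69CA2-548D-47A4-BCB0-D37CDED94BF1}]
C:\WINDOWS\system32\opnklmKe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42BD2EB-E7AF-4A54-9820-5AC78C91E7F0}]
C:\WINDOWS\system32\pmnmmLFY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-24 20:51 316784]
"""


def parse_bho_entries(report):
    """Return one dict per BHO entry: its CLSID, the DLL path (or None) and
    whether ComboFix printed file details (date/size/attributes) for it."""
    entries, lines, i = [], report.splitlines(), 0
    while i < len(lines):
        key = BHO_KEY.match(lines[i].strip())
        i += 1
        if not key:
            continue
        entry = {"clsid": key.group(1), "path": None, "verified": False}
        # The entry body runs until the next blank line
        while i < len(lines) and lines[i].strip():
            body = lines[i].strip()
            found = FILE_INFO.match(body)
            if found:
                entry["path"], entry["verified"] = found.group(1), True
            elif BARE_PATH.match(body):
                entry["path"] = body
            i += 1
        entries.append(entry)
    return entries


def is_suspect(entry):
    """Assumed rule from this thread: an entry is suspect unless ComboFix
    could show date, size and attributes for its DLL."""
    return not entry["verified"]


def build_cfscript(report):
    """Emit the File:: and Registry:: sections of a CFScript for every
    suspect BHO. Keys are written as [-key] so that ComboFix deletes them."""
    suspects = [e for e in parse_bho_entries(report) if is_suspect(e)]
    files = sorted({e["path"] for e in suspects if e["path"]})
    out = []
    if files:
        out.append("File::")
        out.extend(files)
    out.append("Registry::")
    for e in suspects:
        out.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\%s]" % e["clsid"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for e in parse_bho_entries(SAMPLE):
        status = "SUSPECT" if is_suspect(e) else "ok"
        print("%-8s %s %s" % (status, e["clsid"], e["path"]))
    print()
    print(build_cfscript(SAMPLE), end="")
```

Every flagged key is emitted with the leading `-` that tells ComboFix to delete the key; a key listed without it is not deleted, and the follow-up log in this thread still shows the {73D69CA2-548D-47A4-BCB0-D37CDED94BF1} entry, which the hand-written script listed without the `-`.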

Re: seeking help for something bad -

Unread postby absolutjer » June 5th, 2008, 9:46 pm

Thanks Dan-

Here are the latest reports!

ComboFix 08-06-03.1 - Jeremy 2008-06-05 17:14:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2561 [GMT -7:00]
Running from: C:\Documents and Settings\Jeremy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeremy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\efcCTkjg.dll
C:\WINDOWS\system32\mlJAqnLD.dll
C:\WINDOWS\system32\opnklmKe.dll
C:\WINDOWS\system32\pmnmmLFY.dll
C:\WINDOWS\system32\xdckcmrh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jeremy\g2mdlhlpx.exe
C:\VundoFix Backups
C:\WINDOWS\system32\_000006_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-04 03:04 . 2008-06-04 03:04 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-03 17:18 . 2008-06-03 17:18 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\TrojanHunter
2008-06-02 23:46 . 2008-06-02 23:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 23:46 . 2008-06-02 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 22:05 . 2008-06-01 22:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-01 22:05 . 2008-06-01 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-01 14:19 . 2008-06-01 14:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-01 14:19 . 2008-06-01 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 14:10 . 2008-06-01 14:11 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-06-01 14:02 . 2008-06-01 14:10 <DIR> d-------- C:\Program Files\TrojanHunter 4.0
2008-05-30 22:20 . 2008-05-30 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-05-30 22:09 . 2008-05-30 22:09 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-05-30 22:05 . 2008-05-30 22:05 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-05-30 22:04 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-30 21:59 . 2008-05-30 21:59 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\Sony Setup
2008-05-29 17:41 . 2008-05-29 17:41 <DIR> d-------- C:\Program Files\Citrix
2008-05-27 22:59 . 2008-05-31 00:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-27 22:59 . 2008-05-27 22:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-24 09:19 . 2008-05-24 09:19 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-21 10:50 . 2008-05-21 10:50 <DIR> d-------- C:\Program Files\LIUtilities
2008-05-21 10:50 . 2008-05-21 10:50 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\Uniblue
2008-05-21 10:49 . 2008-05-21 10:49 <DIR> d-------- C:\Program Files\Uniblue
2008-05-17 13:25 . 2008-05-17 13:25 <DIR> d-------- C:\Program Files\7-Zip
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-12 17:40 . 2008-05-12 17:40 <DIR> d-------- C:\Program Files\SetupStream

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 00:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-05 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-05 01:44 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-05 01:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-03 04:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-02 22:23 --------- d-----w C:\Program Files\Norton SystemWorks
2008-06-02 20:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-02 20:46 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-02 20:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-02 20:46 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-02 20:46 --------- d-----w C:\Program Files\Symantec
2008-05-31 06:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-31 05:20 --------- d-----w C:\Program Files\VSTplugins
2008-05-31 05:18 --------- d-----w C:\Program Files\Sony
2008-05-31 05:13 --------- d-----w C:\Program Files\MSBuild
2008-05-31 04:59 --------- d-----w C:\Program Files\Sony Setup
2008-05-11 05:51 --------- d-----w C:\Program Files\Desktop Member Manager
2008-05-04 16:47 --------- d-----w C:\Program Files\Java
2008-05-04 16:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-29 15:41 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-04-26 04:59 --------- d-----w C:\Program Files\Trillian
2008-04-23 21:37 --------- d-----w C:\Program Files\ecover
2008-04-10 19:46 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-10 06:28 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\GlobalSCAPE
2008-04-10 06:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-04-10 06:22 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\SmartFTP
2008-04-10 06:21 --------- d-----w C:\Program Files\SmartFTP Client
2008-04-09 07:42 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\Move Networks
2008-04-07 00:14 --------- d-----w C:\Program Files\HTML Password Lock
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2007-08-07 00:00 3,433 ----a-w C:\Documents and Settings\Jeremy\Application Data\SAS7_000.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-04_13.17.10.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 08:21:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 01:43:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 01:44:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 20:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-30 22:55 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73D69CA2-548D-47A4-BCB0-D37CDED94BF1}]
C:\WINDOWS\system32\opnklmKe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-24 20:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 20:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@={95A27763-F62A-4114-9072-E81D87DE3B68}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@={01CCCC8C-1D50-4b13-B96D-4B922DD3128B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@={5E529433-B50E-4bef-A63B-16A6B71B071A}

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RCUI"="C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe" [2007-08-29 15:46 386496]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-15 21:03 160592]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 12:22 1923352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 21:22 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"RCHotKey"="C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2007-08-23 15:39 24512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]

C:\Documents and Settings\Jeremy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Dragon NaturallySpeaking.lnk - C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2006-06-28 05:11:56 2297856]
EzPhone Recorder 1.1.lnk - C:\Program Files\EzPhone Recorder 1.1\ezfonrec.exe [2006-01-21 19:47:40 569344]
My Personal Assistant.lnk - C:\Program Files\My Personal Assistant\mpa.exe [2007-10-02 16:34:21 578048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-08-29 12:03:13 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= CSvidcap.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 01:53]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-03 23:10]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-03 23:10]
S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE [2004-10-04 12:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\SETUP.EXE
\Shell\configure\command - C:\SETUP.EXE
\Shell\install\command - C:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cad026c-ec94-11dc-b62f-00123f6c036b}]
\Shell\AutoRun\command - K:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - K:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dd15188-19d9-11dc-b5c6-005056c00008}]
\Shell\AutoRun\command - J:\.\MigWiz\migsetup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-04 23:44:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-02 18:28:12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Jeremy.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 17:25:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-05 17:32:38
ComboFix-quarantined-files.txt 2008-06-06 00:32:15
ComboFix2.txt 2008-06-04 20:18:08

Pre-Run: 711,299,133,440 bytes free
Post-Run: 711,046,885,376 bytes free

223 --- E O F --- 2008-06-04 10:04:41
absolutjer
Active Member
 
Posts: 10
Joined: June 3rd, 2008, 8:29 pm

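Several entries in the ComboFix dump above are the ones a helper would check first: Security Center monitoring switched off, the Windows Firewall standard profile disabled, a DLL listed in AppInit_DLLs, and a mountpoints2 AutoRun command pointing at C:\SETUP.EXE. The script below is an added example, not code from this thread or from ComboFix, that parses a dump in that format and flags those classes of entry; the rule names, the SAMPLE_LOG (constructed to mirror the lines above) and the explanation text are my own choices. The findings are leads to confirm, not verdicts: Symantec/Norton suites set DisableMonitoring and turn the Windows Firewall off on purpose so the user is not warned twice, and the AppInit_DLLs path here sits under Program Files\Google, so each hit has to be matched against the product that is actually installed before anything is removed.

```python
"""Audit a ComboFix-style registry dump for weakened security settings and
persistence points.  Added example for this thread; not ComboFix's own code."""
import re

# Constructed sample, modelled on the entries in the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\SETUP.EXE
\Shell\configure\command - C:\SETUP.EXE
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')       # "name"=value
SHELL_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+)$")  # mountpoints2 verbs

# Why each rule matters; the wording is mine, not ComboFix's.
EXPLANATIONS = {
    "security-center-monitoring-off": "Security Center will not warn when AV or firewall "
        "is off (Norton/Symantec set this legitimately; confirm which product did)",
    "windows-firewall-off": "Windows Firewall standard profile disabled (expected if a "
        "third-party firewall such as Norton is active, otherwise suspicious)",
    "appinit-dll": "DLL loaded into every process that links user32.dll; verify the file",
    "drive-autorun": "command run when the drive is opened via AutoRun; verify the target",
    "run-key": "program started at logon",
}


def parse_dump(text):
    """Return (key, name, value) triples.  For mountpoints2 lines the name is
    'Shell\\<verb>' so AutoRun can be told apart from other shell verbs."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group(1), m.group(2).strip()))
            continue
        m = SHELL_RE.match(line)
        if m:
            entries.append((key, "Shell\\" + m.group(1), m.group(2).strip()))
    return entries


def as_int(value):
    """Decode the two numeric forms the dump uses: 'dword:00000001' and '0 (0x0)'."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    m = re.match(r"^(\d+)", v)
    return int(m.group(1)) if m else None


def audit(entries):
    """Apply the rules; returns (kind, key, detail) findings in dump order."""
    findings = []
    for key, name, value in entries:
        lname = name.lower()
        if "security center\\monitoring" in key and lname == "disablemonitoring" and as_int(value) == 1:
            findings.append(("security-center-monitoring-off", key, value))
        elif key.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall" and as_int(value) == 0:
            findings.append(("windows-firewall-off", key, value))
        elif lname == "appinit_dlls" and value:
            findings.append(("appinit-dll", key, value))
        elif "\\mountpoints2\\" in key and lname == "shell\\autorun":
            findings.append(("drive-autorun", key, value))
        elif key.endswith("\\currentversion\\run"):
            findings.append(("run-key", key, name + " -> " + value))
    return findings


def summarize(text):
    """Count findings per rule; handy for a quick before/after comparison."""
    counts = {}
    for kind, _key, _detail in audit(parse_dump(text)):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, key, detail in audit(parse_dump(SAMPLE_LOG)):
        print(f"[{kind}] {key}\n    {detail}\n    why: {EXPLANATIONS[kind]}")
```

To run it against a real ComboFix.txt, read the file and pass its contents to `summarize()` or `audit(parse_dump(...))` instead of SAMPLE_LOG; lines that are not registry sections (the R2/S3 service list, the scheduled tasks, the catchme block) are ignored by the parser.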
Re: seeking help for something bad -

Unread postby absolutjer » June 5th, 2008, 9:46 pm

Malwarebytes' Anti-Malware 1.15
Database version: 833

6:44:39 PM 6/5/2008
mbam-log-6-5-2008 (18-44-39).txt

Scan type: Quick Scan
Objects scanned: 43090
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
absolutjer