Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Infected with CPMSKY.BIZ

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Infected with CPMSKY.BIZ

Unread postby gmeuchel » April 2nd, 2008, 10:29 pm

Hope you guys can help. I have been infected with an advertising popup from CPMSKY.BIZ constantly coming up on my machine. I have tried SPYBOT S&D and AD-AWARE to try and remove it with no luck. Anything you can do to help will be greatly appreciated.
Thanks
gmeuchel
Active Member
 
Posts: 9
Joined: April 2nd, 2008, 8:51 pm
Advertisement
Register to Remove

Re: Infected with CPMSKY.BIZ

Unread postby Simon V. » April 5th, 2008, 7:43 am

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Download HJTInstall.exe to your desktop.

  • Doubleclick HJTInstall.exe to install HijackThis.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Please post the contents of that log in your next reply.

Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Infected with CPMSKY.BIZ

Unread postby gmeuchel » April 5th, 2008, 9:41 am

Here it is, thanks Simon
Glen

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:50 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: adzgalore - {994B5FB4-0103-44A6-B6B3-C73572B362BC} - C:\WINDOWS\system32\nsd364.dll
O2 - BHO: cpmsky.biz browser optimizer - {BCA95E31-1FBF-4F84-8F23-1BA653007A1E} - C:\WINDOWS\system32\cpmsky.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\cpmsky.dll" DllStart
O4 - HKLM\..\RunOnce: [SpybotDeletingC982] cmd /c del "C:\Program Files\SpywareBot\DataBaseNew.ref"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8115] command /c del "C:\Program Files\SpywareBot\DataBaseNew.ref"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9014] cmd /c del "C:\Program Files\SpywareBot\DataBaseNew.ref"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ebiz.pcplace.ca
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50914,1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 9766596375
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50803,1
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50923,1
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50928,1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mna.corp.mosaicco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mna.corp.mosaicco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mna.corp.mosaicco.com
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9680 bytes
gmeuchel
Active Member
 
Posts: 9
Joined: April 2nd, 2008, 8:51 pm

Re: Infected with CPMSKY.BIZ

Unread postby Simon V. » April 5th, 2008, 9:48 am

Hi :)

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit Ccleaner.
______________________________

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofi ... e-combofix

Post the log from ComboFix (C:\Combofix.txt) when you've accomplished that, along with a new HijackThis log and the CCleaner Uninstall List (install.txt).
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Infected with CPMSKY.BIZ

Unread postby gmeuchel » April 5th, 2008, 6:29 pm

Simon
Here is the combofix log

ComboFix 08-04-04.1 - Glen Meuchel 2008-04-05 16:23:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.517 [GMT -6:00]
Running from: C:\Documents and Settings\Glen Meuchel\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\system32\nsd364.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-05 15:41 . 2008-04-05 15:41 <DIR> d-------- C:\Program Files\CCleaner
2008-04-05 07:39 . 2008-04-05 07:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-31 21:10 . 2008-03-31 21:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-31 21:10 . 2008-03-31 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 21:10 . 2008-03-31 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-31 20:04 . 2008-03-31 20:04 102 --a------ C:\WINDOWS\wininit.ini
2008-03-31 19:08 . 2008-03-31 19:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-31 19:08 . 2008-03-31 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 21:06 . 2008-03-29 21:06 84,761 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-03-29 21:05 . 2008-03-29 21:05 80,121 --a------ C:\WINDOWS\system32\adzgalore-remove.exe
2008-03-29 21:05 . 2008-03-29 21:05 40,713 --a------ C:\WINDOWS\system32\cpmsky-uninst.exe
2008-03-27 09:35 . 2008-03-27 09:35 333,824 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll
2008-03-15 16:09 . 2008-03-31 19:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-15 16:09 . 2008-03-15 16:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-09 13:19 . 2008-03-09 15:55 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-07 07:58 . 2008-03-07 07:58 60,416 --a------ C:\WINDOWS\system32\cpmsky.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 00:32 --------- d-----w C:\Program Files\Norton SystemWorks
2008-03-31 18:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-30 18:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 18:28 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-30 04:06 --------- d-----w C:\Documents and Settings\Glen Meuchel\Application Data\Apple Computer
2008-03-30 02:52 --------- d-----w C:\Documents and Settings\Glen Meuchel\Application Data\LimeWire
2008-03-26 02:41 --------- d-----w C:\Program Files\Microsoft Money
2008-03-26 02:03 --------- d-----w C:\Program Files\QuickTax 2007
2008-03-09 21:22 --------- d-----w C:\Program Files\TAXWIZ 2005
2008-03-09 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 14:18 --------- d-----w C:\Program Files\IntelliGolf
2004-03-11 19:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 339,968 2005-01-20 03:40:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 58,984 2007-01-09 23:32:02 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 58,728 2008-01-17 17:42:02 C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE

----a-w 86,016 2004-04-21 16:26:28 C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\bak\PowerBar.exe

----a-w 270,648 2007-06-28 15:14:42 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 270,648 2007-06-28 15:14:42 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 83,608 2007-03-14 09:43:44 C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe

----a-w 132,248 2004-09-10 02:12:00 C:\Program Files\Norton SystemWorks\bak\cfgwiz.exe
----a-w 132,248 2004-09-10 02:12:00 C:\Program Files\Norton SystemWorks\CfgWiz.exe

----a-w 282,624 2007-04-27 15:41:54 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 100,056 2007-04-15 13:25:35 C:\Program Files\SymNetDrv\bak\SNDMon.exe
----a-w 111,840 2007-10-09 02:06:57 C:\Program Files\SymNetDrv\SNDMon.exe

----a-w 204,288 2006-10-19 02:05:26 C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
2008-03-27 09:35 333824 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCA95E31-1FBF-4F84-8F23-1BA653007A1E}]
2008-03-07 07:58 60416 --a------ C:\WINDOWS\system32\cpmsky.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 20:12 132248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Protect"="SHVRTF.EXE" [2003-12-02 01:21 1011712 C:\WINDOWS\system32\SHVRTF.EXE]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-08 20:06 111840]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14 270648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Forget Me Not.lnk - C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe [2005-04-07 22:27:24 323584]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\The Battle for Middle-earth (tm)\\game.dat"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2005-05-19 23:01]
S3 Dz3s2kxp;Dz3s2kxp;C:\WINDOWS\system32\DRIVERS\Dz3s2kxp.sys [2003-01-18 05:31]
S3 Dz3u2kxp;Dz3u2kxp;C:\WINDOWS\system32\DRIVERS\Dz3u2kxp.sys [2003-03-11 02:53]
S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2005-05-19 23:01]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2003-03-17 17:39]

*Newly Created Service* - AAWSERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 04:39:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-03 00:32:13 C:\WINDOWS\Tasks\Check.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-05 03:14:05 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Glen Meuchel.job"
- C:\PROGRA~1\NORTON~1\NORTON~3\Navw32.exeh/task:
"2008-04-01 00:13:50 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-05 06:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2008-04-04 22:00:00 C:\WINDOWS\Tasks\{099EC89B-091E-4A32-BAB2-9DCE2B41E32E}_GLEN01_Glen Meuchel.job"
- C:\WINDOWS\system32\mobsync.exeH /Schedule=
"2008-04-04 15:00:00 C:\WINDOWS\Tasks\{15B4CAAA-C596-44E7-8BD3-1581DFC0FEF6}_GLEN01_Glen Meuchel.job"
- C:\WINDOWS\system32\mobsync.exeH /Schedule=
"2008-04-04 22:00:00 C:\WINDOWS\Tasks\{1737F5A7-0C78-42B0-9F49-3F6E9D896A2F}_GLEN01_Glen Meuchel.job"
- C:\WINDOWS\system32\mobsync.exeH /Schedule=
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 16:25:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-05 16:25:40
ComboFix-quarantined-files.txt 2008-04-05 22:25:38
Pre-Run: 58,912,735,232 bytes free
Post-Run: 58,904,117,248 bytes free
.
2008-03-12 09:01:56 --- E O F ---
gmeuchel
Active Member
 
Posts: 9
Joined: April 2nd, 2008, 8:51 pm

Re: Infected with CPMSKY.BIZ

Unread postby gmeuchel » April 5th, 2008, 6:31 pm

Simon
Here is the CCleaner install.txt file

Ad-Aware 2007
Adobe Reader 7.0
Alexander
American Greetings CreataCard Select 6
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Browser Optimizer Adzgalore
Camera Support Core Library
Camera Window
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon Digital Camera USB WIA Driver
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Drivers
Canon MP Toolbox 4.1.1.0.mp10
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
ccCommon
CCleaner (remove only)
Citrix Web Client
Civ3 Conquests v1.22 Full
Civilization III
CutePDF Writer 2.7
DVD Audio Ripper 4
DVD Shrink 3.2
DVD Solution
Enhancement Browser Tools Cpmsky
GraphicView 32
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hoyle Card Games 2007
Hoyle Casino 5
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Internet Worm Protection
iPod for Windows 2006-06-28
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) SE Runtime Environment 6 Update 1
LegalSounds Music Downloader 1.4
LimeWire 4.14.10
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Microsoft Windows Journal Viewer
MovieEdit Task
Mp3tag v2.38
MSRedist
Multimedia Launcher
MySidesearch Search Assistant Adzgalore
Nero OEM
Norton AntiVirus 2005
Norton AntiVirus Parent MSI
Norton SystemWorks
Norton SystemWorks 2005
Norton SystemWorks 2005 (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
Performance Now
PowerDVD
PowerProducer
QuickTax 2007
QuickTime
RAW Image Task
RealPlayer
RemoteCapture Task
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Serif PhotoPlus 6.0
Simplify Printing Client v3
SoundMAX
SPBBC
Spybot - Search & Destroy
Symantec Network Drivers Update
Symantec Script Blocking Installer
SymNet
TAXWIZ 2005
TAXWIZ 2006
The Battle for Middle-earth (tm)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
URGE
WebFldrs XP
Windows Backup Utility
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
Yahoo! Toolbar
gmeuchel
Active Member
 
Posts: 9
Joined: April 2nd, 2008, 8:51 pm

Re: Infected with CPMSKY.BIZ

Unread postby gmeuchel » April 5th, 2008, 6:33 pm

And here is the new Hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:32 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: cpmsky.biz browser optimizer - {BCA95E31-1FBF-4F84-8F23-1BA653007A1E} - C:\WINDOWS\system32\cpmsky.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\cpmsky.dll" DllStart
O4 - HKLM\..\RunOnce: [SpybotDeletingA732] command /c del "C:\Program Files\SpywareBot\DataBaseNew.ref"
O4 - HKLM\..\RunOnce: [SpybotDeletingC982] cmd /c del "C:\Program Files\SpywareBot\DataBaseNew.ref"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD9014] cmd /c del "C:\Program Files\SpywareBot\DataBaseNew.ref"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ebiz.pcplace.ca
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50914,1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 9766596375
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50803,1
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50923,1
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50928,1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mna.corp.mosaicco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mna.corp.mosaicco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mna.corp.mosaicco.com
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9812 bytes
gmeuchel
Active Member
 
Posts: 9
Joined: April 2nd, 2008, 8:51 pm

Re: Infected with CPMSKY.BIZ

Unread postby Simon V. » April 6th, 2008, 3:45 am

Hi :)

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

(Click on Start, then Control Panel. Double click on Add or Remove Programs)

LimeWire 4.14.10

Also remove the following programs -

Browser Optimizer Adzgalore
Enhancement Browser Tools Cpmsky
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) SE Runtime Environment 6 Update 1
MySidesearch Search Assistant Adzgalore


Then download and install Java Runtime Environment (JRE) 6 Update 5.
______________________________

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

Code: Select all
KillAll::

File::

C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\adzgalore-remove.exe
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\WINDOWS\system32\cpmsky.dll

Folder::

C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\iTunes\bak
C:\Program Files\Norton SystemWorks\bak
C:\Program Files\QuickTime\bak
C:\Program Files\SymNetDrv\bak

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCA95E31-1FBF-4F84-8F23-1BA653007A1E}]

AWF::

C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\bak\PowerBar.exe
C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.
______________________________

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:

    • Click on the Malwarebytes' Anti-Malware icon to launch the program.
    • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open.
______________________________

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Malwarebytes' Anti-Malware log
  • a new HijackThis log
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Infected with CPMSKY.BIZ

Unread postby Simon V. » April 9th, 2008, 2:58 pm

Are you still with me?
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Infected with CPMSKY.BIZ

Unread postby gmeuchel » April 10th, 2008, 11:36 pm

Sorry I was out of town this week, thanks for sticking with me.
Thanks for info on PSP, did not use often but obviously too often anyway.

Here is the combo fix log

ComboFix 08-04-04.1 - Glen Meuchel 2008-04-10 21:09:40.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.678 [GMT -6:00]
Running from: C:\Documents and Settings\Glen Meuchel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Glen Meuchel\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\adzgalore-remove.exe
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\system32\cpmsky.dll
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\iTunes\bak
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Norton SystemWorks\bak
C:\Program Files\Norton SystemWorks\bak\cfgwiz.exe
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\SymNetDrv\bak
C:\Program Files\SymNetDrv\bak\SNDMon.exe
C:\WINDOWS\system32\cpmsky.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-06 14:44 . 2008-04-06 14:44 <DIR> d-------- C:\Program Files\Sun
2008-04-06 14:43 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-06 14:41 . 2008-04-06 14:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-05 16:19 . 2008-04-09 21:33 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-05 15:41 . 2008-04-05 15:41 <DIR> d-------- C:\Program Files\CCleaner
2008-04-05 07:39 . 2008-04-05 07:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-31 21:10 . 2008-03-31 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-31 20:04 . 2008-03-31 20:04 102 --a------ C:\WINDOWS\wininit.ini
2008-03-31 19:08 . 2008-04-05 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-15 16:09 . 2008-04-10 21:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-15 16:09 . 2008-03-15 16:09 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 00:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 02:34 --------- d-----w C:\Program Files\Norton SystemWorks
2008-04-06 20:43 --------- d-----w C:\Program Files\Java
2008-04-06 19:54 --------- d-----w C:\Program Files\SymNetDrv
2008-04-06 19:54 --------- d-----w C:\Program Files\QuickTime
2008-04-06 19:54 --------- d-----w C:\Program Files\iTunes
2008-04-06 03:01 --------- d-----w C:\Program Files\LegalSounds
2008-03-30 18:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 18:28 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-30 04:06 --------- d-----w C:\Documents and Settings\Glen Meuchel\Application Data\Apple Computer
2008-03-30 02:52 --------- d-----w C:\Documents and Settings\Glen Meuchel\Application Data\LimeWire
2008-03-26 02:41 --------- d-----w C:\Program Files\Microsoft Money
2008-03-26 02:03 --------- d-----w C:\Program Files\QuickTax 2007
2008-03-09 21:22 --------- d-----w C:\Program Files\TAXWIZ 2005
2008-03-09 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 14:18 --------- d-----w C:\Program Files\IntelliGolf
2004-03-11 19:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-05_16.25.29.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-19 09:40:27 1,845,888 ----a-w C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\updspapi.dll
+ 2007-12-18 14:32:13 450,560 ----a-w C:\WINDOWS\$hf_mig$\KB944338\SP2QFE\jscript.dll
+ 2007-12-18 14:32:13 417,792 ----a-w C:\WINDOWS\$hf_mig$\KB944338\SP2QFE\vbscript.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB944338\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944338\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944338\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944338\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944338\update\updspapi.dll
+ 2008-02-20 05:19:35 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsapi.dll
+ 2008-02-20 18:49:36 45,568 ----a-w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB945553\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB945553\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\updspapi.dll
+ 2008-02-16 09:32:03 1,024,000 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\browseui.dll
+ 2008-02-16 09:32:03 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\cdfview.dll
+ 2008-02-16 09:32:03 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\danim.dll
+ 2008-02-16 09:32:04 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\dxtmsft.dll
+ 2008-02-16 09:32:04 205,312 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\dxtrans.dll
+ 2008-02-16 09:32:04 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\extmgr.dll
+ 2008-02-15 09:07:53 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\iedw.exe
+ 2008-02-16 09:32:04 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\iepeers.dll
+ 2008-02-16 09:32:04 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\inseng.dll
+ 2008-02-16 09:32:04 16,384 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\jsproxy.dll
+ 2008-02-16 09:32:06 3,066,880 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\mshtml.dll
+ 2008-02-16 09:32:06 449,024 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\mshtmled.dll
+ 2008-02-16 09:32:06 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\msrating.dll
+ 2008-02-16 09:32:07 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\mstime.dll
+ 2008-02-16 09:32:07 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\pngfilt.dll
+ 2008-02-16 09:32:08 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\shdocvw.dll
+ 2008-02-16 09:32:08 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\shlwapi.dll
+ 2008-02-16 09:32:08 618,496 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\urlmon.dll
+ 2008-02-16 09:32:09 666,112 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\wininet.dll
+ 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\xpsp3res.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB947864\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB947864\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB947864\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB947864\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB947864\update\updspapi.dll
+ 2008-02-20 06:52:43 282,624 ----a-w C:\WINDOWS\$hf_mig$\KB948590\SP2QFE\gdi32.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\updspapi.dll
- 2007-12-07 01:07:12 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-12-07 01:07:12 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-02-16 08:59:35 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-02-16 08:59:35 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2007-12-07 01:07:12 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2007-12-07 01:07:12 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-02-16 08:59:35 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-02-16 08:59:35 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2004-08-04 06:56:44 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-12-07 01:07:12 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 01:07:12 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-02-16 08:59:35 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-06 13:07:07 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-02-15 09:23:37 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-12-07 01:07:12 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-02-16 08:59:35 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-12-07 01:07:12 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-02-16 08:59:35 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-11-14 07:26:56 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-12-07 01:07:12 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 14:37:14 3,059,200 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 01:07:13 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 01:07:13 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-02-16 08:59:37 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 01:07:13 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-02-16 08:59:37 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 01:07:13 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 01:07:13 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-12-07 01:07:13 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2007-12-07 01:07:14 615,424 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-02-16 08:59:38 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2004-08-04 06:56:48 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-12-18 14:40:58 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2007-03-08 13:47:48 1,843,584 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 01:07:14 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-02-16 08:59:39 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 06:56:44 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
- 2007-12-07 01:07:12 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 01:07:12 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-02-16 08:59:35 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-02-07 02:44:36 160,344 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-10 04:10:08 160,344 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2007-12-07 01:07:12 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-02-16 08:59:35 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-12-07 01:07:12 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-02-16 08:59:35 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-03-14 06:31:24 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 07:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-03-14 06:31:28 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 07:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-03-14 08:04:46 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 08:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-11-14 07:26:56 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-12-07 01:07:12 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-12-07 14:37:14 3,059,200 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 01:07:13 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 01:07:13 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-02-16 08:59:37 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 01:07:13 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-02-16 08:59:37 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-12-07 01:07:13 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-12-07 01:07:13 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-12-07 01:07:13 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-12-07 01:07:14 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-02-16 08:59:38 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 06:56:48 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2008-04-01 01:14:30 5,767,168 ---ha-w C:\WINDOWS\system32\VSS\Documents and Settings\Glen Meuchel\NTUSER.DAT
+ 2008-04-10 04:09:11 6,553,600 ---ha-w C:\WINDOWS\system32\VSS\Documents and Settings\Glen Meuchel\NTUSER.DAT
- 2008-04-01 01:14:50 237,568 ---ha-w C:\WINDOWS\system32\VSS\Documents and Settings\LocalService\NTUSER.DAT
+ 2008-04-11 00:08:28 237,568 ---ha-w C:\WINDOWS\system32\VSS\Documents and Settings\LocalService\NTUSER.DAT
- 2008-04-01 01:14:50 237,568 ---ha-w C:\WINDOWS\system32\VSS\Documents and Settings\NetworkService\NTUSER.DAT
+ 2008-04-11 00:08:28 237,568 ---ha-w C:\WINDOWS\system32\VSS\Documents and Settings\NetworkService\NTUSER.DAT
- 2008-04-01 01:14:44 2,883,584 ---ha-w C:\WINDOWS\system32\VSS\Documents and Settings\Pauline Meuchel\NTUSER.DAT
+ 2008-04-10 04:09:04 2,883,584 ---ha-w C:\WINDOWS\system32\VSS\Documents and Settings\Pauline Meuchel\NTUSER.DAT
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
- 2007-12-07 01:07:14 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-02-16 08:59:39 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
- 2007-12-06 09:38:31 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 20:12 132248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Protect"="SHVRTF.EXE" [2003-12-02 01:21 1011712 C:\WINDOWS\system32\SHVRTF.EXE]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-08 20:06 111840]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14 270648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Forget Me Not.lnk - C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe [2005-04-07 22:27:24 323584]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\The Battle for Middle-earth (tm)\\game.dat"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2005-05-19 23:01]
S3 Dz3s2kxp;Dz3s2kxp;C:\WINDOWS\system32\DRIVERS\Dz3s2kxp.sys [2003-01-18 05:31]
S3 Dz3u2kxp;Dz3u2kxp;C:\WINDOWS\system32\DRIVERS\Dz3u2kxp.sys [2003-03-11 02:53]
S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2005-05-19 23:01]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2003-03-17 17:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 04:39:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-03 00:32:13 C:\WINDOWS\Tasks\Check.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-05 03:14:05 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Glen Meuchel.job"
- C:\PROGRA~1\NORTON~1\NORTON~3\Navw32.exeh/task:
"2008-04-08 02:34:24 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-07 06:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2008-04-04 22:00:00 C:\WINDOWS\Tasks\{099EC89B-091E-4A32-BAB2-9DCE2B41E32E}_GLEN01_Glen Meuchel.job"
- C:\WINDOWS\system32\mobsync.exeH /Schedule=
"2008-04-07 15:00:00 C:\WINDOWS\Tasks\{15B4CAAA-C596-44E7-8BD3-1581DFC0FEF6}_GLEN01_Glen Meuchel.job"
- C:\WINDOWS\system32\mobsync.exeH /Schedule=
"2008-04-07 22:00:00 C:\WINDOWS\Tasks\{1737F5A7-0C78-42B0-9F49-3F6E9D896A2F}_GLEN01_Glen Meuchel.job"
- C:\WINDOWS\system32\mobsync.exeH /Schedule=
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 21:14:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-10 21:16:16 - machine was rebooted [Glen Meuchel]
ComboFix-quarantined-files.txt 2008-04-11 03:16:13
ComboFix2.txt 2008-04-05 22:25:41
Pre-Run: 58,124,967,936 bytes free
Post-Run: 58,130,075,648 bytes free
.
2008-04-10 03:33:19 --- E O F ---
gmeuchel
Active Member
 
Posts: 9
Joined: April 2nd, 2008, 8:51 pm

Re: Infected with CPMSKY.BIZ

Unread postby gmeuchel » April 10th, 2008, 11:37 pm

Here is the Malware log file


Malwarebytes' Anti-Malware 1.11
Database version: 611

Scan type: Quick Scan
Objects scanned: 31999
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
gmeuchel
Active Member
 
Posts: 9
Joined: April 2nd, 2008, 8:51 pm

Re: Infected with CPMSKY.BIZ

Unread postby gmeuchel » April 10th, 2008, 11:38 pm

Here is the HiJack log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:48 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\SHVRTF.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ebiz.pcplace.ca
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50914,1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 9766596375
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50803,1
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50923,1
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn1.mosaicco.com/vdesk/termina ... ,0,50928,1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mna.corp.mosaicco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mna.corp.mosaicco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mna.corp.mosaicco.com
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8502 bytes
gmeuchel
Active Member
 
Posts: 9
Joined: April 2nd, 2008, 8:51 pm

Re: Infected with CPMSKY.BIZ

Unread postby Simon V. » April 11th, 2008, 2:06 am

Hi :)

Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:

Click Start then Run....

  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

    Image

  • This will uninstall Combofix.

Make your Internet Explorer More Secure

If you are using Internet Explorer 7, please read and follow the recommendations at this site - http://surfthenetsafely.com/ieseczone8.htm

If you are using Internet Explorer 6, please read and follow the following recommendations -

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:


Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install WinPatrol - An excellent startup manager, notifies you if programs are added to startup, allows delayed startup, ... A must have! An installation guide can be found here: http://www.winpatrol.com/download.html

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingcomputer.com/tutoria ... ial49.html

Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a weak, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place?

Follow this list and your potential for being infected again will reduce dramatically.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Infected with CPMSKY.BIZ

Unread postby gmeuchel » April 11th, 2008, 11:11 am

Simon
Thanks alot for all your help and advice - greatly appreciated.
Glen
gmeuchel
Active Member
 
Posts: 9
Joined: April 2nd, 2008, 8:51 pm

Re: Infected with CPMSKY.BIZ

Unread postby Simon V. » April 11th, 2008, 6:06 pm

gmeuchel wrote:Simon
Thanks alot for all your help and advice - greatly appreciated.
Glen

You're very welcome, glad I could be of assistance :)

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the username used. If the username does not match the one in the thread linked, the email will be deleted.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 286 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware