Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware driving me mad

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Malware driving me mad

Unread postby redbarron » June 7th, 2007, 11:26 am

I am completely new to this site, so I appologise in advance if I am in the wrong section.

Since downloading some rubbish the other day(my own fault I know) I am constantly getting bombarded with advertising malware popping up, even when not connected to the net. I already have a pop up blocker, but it does not seem to be helping with everything. Sometimes the advert shows, other times the screen just keeps flashing.

The other thing that happens is, when typing something, I look up at to see what I have typed only to see that it has frozen and not completed the line of text.

I have Norton Antivirus 2007, which I checked for latest updates and ran a full scan, but it didn't show up anything.

I have already run a host of spyware and malware programs which did show up loads of trojan stuff but has'nt fixed the problem. I'm getting to the point of thinking *od it and doing a complete reinstall of windows.


Hope you can help.


Moved from "Suggestions and Requests". E.
redbarron
Regular Member
 
Posts: 18
Joined: June 7th, 2007, 10:51 am
Advertisement
Register to Remove

Unread postby Elrond » June 7th, 2007, 11:52 am

Hi I am Elrond.

I will try to help you.
The first thing we need is a HijackThis log so that we can start analysing what you have on your computer.

Use this link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.
Browse to that location with windows explorer, and double click on the HijackThis.exe program to run. Choose the 'Do a system scan and save a logfile'
That will allow you to save the log to the desktop (or some other place) and leave open a notepad file with the HijackThis log in it.

Now post your HijackThis log into this topic. Use Ctrl+C to copy it to the clipboard and then post it to this topic with Ctrl+V.

We will take it from there. If there is anything you are unsure of please ask.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby redbarron » June 7th, 2007, 12:02 pm

Thanks Elrond,

Will do. may not be able to get back to you untill tomorrow.
redbarron
Regular Member
 
Posts: 18
Joined: June 7th, 2007, 10:51 am

Unread postby redbarron » June 7th, 2007, 12:10 pm

Hi Elrond.

Here is the HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 17:07:23, on 07/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stephen Hunt\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {482ff3b4-c7d7-4e99-8e3b-b3f79a938e2a} - C:\WINDOWS\system32\mim40u.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A4830C61-017B-4A41-93D3-369ACD2C1BD1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - blank (file missing)
O2 - BHO: (no name) - {CCFBEFDF-702D-4BB2-A267-102907F4F6FE} - (no file)
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINDOWS\system32\tmp94.tmp.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - blank (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AudioHQU] "C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\yaabby.dll",realset
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Philips Intelligent Agent] "C:\Program Files\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - blank
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - blank
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0231038202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5469937527
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal ... reQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3344DE3A-CFB0-46A0-B796-C5B6FF0BC438}: NameServer = 212.104.130.9 212.104.130.65
O20 - AppInit_DLLs: c:\windows\system32\jkhgfdd.dll
O20 - Winlogon Notify: mim40u - C:\WINDOWS\SYSTEM32\mim40u.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
redbarron
Regular Member
 
Posts: 18
Joined: June 7th, 2007, 10:51 am

Any update yet

Unread postby redbarron » June 8th, 2007, 6:55 am

Hi Elrond,

Just enquiring to see if there has been any progress.

I hope you can come up with a fix soon, as I am getting fed up with the constant adverts, text freezing when typing, internet connection starting up each time on it's own and even web pages that I am viewing being suddenly closed intermitantly.

Fingers crossed.

Thank you.

RB
redbarron
Regular Member
 
Posts: 18
Joined: June 7th, 2007, 10:51 am

Unread postby Elrond » June 13th, 2007, 7:18 pm

Hi redbarron

Sorry for not answering you before. I had some serious problems with my E-mail related to a server change and I never got the information that you had answered. :( :oops:

You are now on my list of active logs so hopefuly it should not happen again.


Go to http://virusscan.jotti.org or to http://www.virustotal.com/en/indexf.html
Put this line into the white textbox:
C:\WINDOWS\SYSTEM32\mim40u.dll

Click Submit.

Please post the results of this scan to this thread

Repeat for the following

c:\windows\system32\jkhgfdd.dll
C:\WINDOWS\system32\tmp94.tmp.dll



Next I would like you to Open "HijackThis". Click on "Open Misc.Tool Section".
Use the scroll bar on the right and scroll down to "Open Uninstall Manager". Click it.
On the right you will find "Save List". Click it.
The log that you just saved will appear.
Use "Copy" and "Paste" to add it to your next post.


1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Please do a new HijackThis scan and post the results from Jotti or Virustoal together with the logs from "Uninstall Manager", Combofix, and HijackThis.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby redbarron » June 16th, 2007, 12:52 pm

Hi Elrond,

Just got back of holiday today, so only just read you're message. Will try and carry out you're requests asap.

Thanks.
redbarron
Regular Member
 
Posts: 18
Joined: June 7th, 2007, 10:51 am

Unread postby Elrond » June 16th, 2007, 3:56 pm

Hope you had a nice holiday. Good to have you back. Will see if we can do something about your computer. :)
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Requested test results

Unread postby redbarron » June 18th, 2007, 7:08 am

Scanner results
Scan taken on 18 Jun 2007 10:04:49 (GMT)
A-Squared Found nothing
AntiVir Found TR/Agent.37420
ArcaVir Found Adware.Virtumonde.Ke
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found MemScan:Trojan.Virtumonde.IF
ClamAV Found nothing
Dr.Web Found Trojan.Virtumod
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.ke (4, 1, 400)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.ke
NOD32 Found nothing
Norman Virus Control Found W32/Virtumonde.GXY
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.Virtumonde.ke

____________________________________________________

Scanner results
Scan taken on 18 Jun 2007 10:11:52 (GMT)
A-Squared Found Trojan-Downloader.Win32.ConHook.bg
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found Trojan.Downloader.Conhook.Bg
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.ConHook.bg
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.ConHook.bg
NOD32 Found nothing
Norman Virus Control Found Virtumonde.GYA
Panda Antivirus Found Trj/ConHook.CV
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.ConHook.bg

________________________________________________________

Could not obtain results for C:\WINDOWS\system32\tmp94.tmp.dll
I just got the reply below.
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.

_________________________________________________________

Uninstall List

1Click DVD Copy Pro 2.3.1.6
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 2.1
Adobe PhotoDeluxe Home Edition 4.0
Adobe Photoshop CS2
Adobe Photoshop Elements
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 7.0.9
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
AppCore
Apple Software Update
AV
Bonusprint Pix
ccCommon
Dell Photo Printer 720
Dr SpeedTouch
DVD43 v3.9.0
EPSON PhotoQuicker3.5
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
FavOrg
FinePixViewer Ver.5.3
Flickr Uploadr 2.3
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Internet Worm Protection
IPIX ActiveX Viewer
IPIX Viewer
iPod for Windows 2006-01-10
iPod for Windows 2006-03-23
iTunes
Java 2 Runtime Environment, SE v1.4.1_07
Java(TM) SE Runtime Environment 6 Update 1
Lightscribe Extended Label Contrast Utility
LimeWire PRO 4.12.6
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft ActiveX Control Pad
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Links 2003
Microsoft Money
Microsoft Money System Pack
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Musicmatch® Jukebox
Nero 6 Ultra Edition
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
NVIDIA Drivers
Paint Shop Pro 7 Anniversary Edition
Philips Intelligent Agent
PIF DESIGNER2.1
PowerDVD
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Sound Blaster Live! Web 2K/XP
SPBBC 32bit
SpeedTouch USB Software
Symantec
Symantec Network Driver Update
Symantec Technical Support Web Controls
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
Yahoo! Toolbar

___________________________________________________________


Combofix Results

"Stephen Hunt" - 2007-06-18 11:38:24 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\jkhgfdd.dll
C:\WINDOWS\system32\MFCmal.dll
C:\WINDOWS\system32\qopqrsp.dll
C:\WINDOWS\system32\vtspnnl.dll
C:\WINDOWS\cbbbcy.dll
C:\WINDOWS\mlifef.dll
C:\WINDOWS\xxvwwx.dll
C:\WINDOWS\system32\awttu.exe
C:\WINDOWS\system32\geeby.exe
C:\WINDOWS\system32\iiife.exe
C:\WINDOWS\system32\jkkjk.exe
C:\WINDOWS\system32\pmklk.exe
C:\WINDOWS\system32\rqrom.exe
C:\WINDOWS\system32\wvurr.exe
C:\WINDOWS\system32\xxyvs.exe
C:\WINDOWS\ycbbbc.ini
C:\WINDOWS\fefilm.ini
C:\WINDOWS\xwwvxx.ini
C:\WINDOWS\system32\mim40u.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp32.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp60.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp66.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp6A.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp71.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp72.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp78.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp8.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp8D.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp8E.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp91.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp93.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmp96.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmpA6.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmpB.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmpD.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmpDC.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmpDE.tmp.exe
C:\DOCUME~1\STEPHE~1\APPLIC~1\tmpE.tmp.exe
C:\Program Files\outlook
C:\Program Files\outlook\p.zip


((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))


2007-06-18 11:36 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 07:56 46,336 --a------ C:\WINDOWS\system32\tmpE.tmp.dll
2007-06-17 17:04 <DIR> d-------- C:\Program Files\Thomson
2007-06-17 09:45 <DIR> d-------- C:\Program Files\iTunes
2007-06-07 18:13 <DIR> d-------- C:\DOCUME~1\STEPHE~1\APPLIC~1\TrojanHunter
2007-06-05 14:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-05 12:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-05 11:04 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-03 12:38 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-06-03 12:38 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-06-03 12:38 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-06-03 12:38 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-06-03 12:38 <DIR> d-------- C:\Program Files\Ahead


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 09:58:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-18 09:58:03 -------- d-----w C:\Program Files\EPSON
2007-06-18 06:59:32 24 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80611102}.dat
2007-06-18 06:59:32 24 ----a-w C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80611102}.dat
2007-06-17 15:19:07 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-17 08:46:30 -------- d-----w C:\Program Files\iPod
2007-06-05 10:26:52 -------- d-----w C:\DOCUME~1\STEPHE~1\APPLIC~1\Lavasoft
2007-06-03 11:38:21 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-29 09:33:50 -------- d-----w C:\Program Files\FinePixViewer
2007-05-28 13:30:48 -------- d-----w C:\Program Files\LimeWire
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 15:28:38 22,960 ----a-w C:\DOCUME~1\STEPHE~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-13 08:40:15 -------- d-----w C:\Program Files\QuickTime
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-15 08:27:09 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2004-08-04 07:56:57 73,728 --sha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2005-01-16 17:19:06 4,608 --sha-r C:\WINDOWS\system\DRIVER\cygcrypt-0.dll
2005-01-16 17:19:06 1,140,617 --sha-r C:\WINDOWS\system\DRIVER\cygwin1.dll
2005-01-28 11:30:22 1,478 --sha-r C:\WINDOWS\system\DRIVER\servicelogon.dll
2005-10-24 15:23:20 2,529 --sha-r C:\WINDOWS\system\DRIVER\servicesmgr.dll
2005-01-28 11:30:22 1,477 --sh--r C:\WINDOWS\system\DRIVER\svchostlogon.dll
2005-10-24 15:23:18 1,679 --sha-r C:\WINDOWS\system\DRIVER\winlogon.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-07 17:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=blank []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 02:22]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-09 20:10]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-09 20:10]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 14:26]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"AudioHQU"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE" [2002-01-18 02:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Philips Intelligent Agent"="C:\Program Files\Philips Intelligent Agent\Philips Intelligent Agent.exe" [2007-03-06 11:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"STManager"="C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" [2003-10-16 13:25]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\jkhgfdd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware NewsFlash.lnk]
backup=C:\WINDOWS\pss\MySoftware NewsFlash.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Stephen Hunt^Start Menu^Programs^Startup^iMesh.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeskAd Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\media_manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe "C:\WINDOWS\yaxvuv.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZipToA"=2 (0x2)


Contents of the 'Scheduled Tasks' folder
2007-06-17 08:34:11 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-04-15 08:24:58 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Stephen Hunt.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 11:53:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-18 11:57:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-18 11:57

--- E O F ---

______________________________________________________

New Hijack This Results

Logfile of HijackThis v1.99.1
Scan saved at 12:03:13, on 18/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Stephen Hunt\Desktop\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A4830C61-017B-4A41-93D3-369ACD2C1BD1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - blank (file missing)
O2 - BHO: (no name) - {CCFBEFDF-702D-4BB2-A267-102907F4F6FE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - blank (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AudioHQU] "C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Philips Intelligent Agent] "C:\Program Files\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - blank
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - blank
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0231038202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5469937527
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal ... reQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - AppInit_DLLs: c:\windows\system32\jkhgfdd.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Stephen Hunt\Application Data\tmp8.tmp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe



Hi Elrond,

Hope these results help. I don't know if I mentioned it earlier, but my internet connection also keeps auto connecting and not showing a program that it is connected to. Could this also be linked to my Malware nightmare?
redbarron
Regular Member
 
Posts: 18
Joined: June 7th, 2007, 10:51 am

Update

Unread postby redbarron » June 18th, 2007, 9:51 am

Hi Elrond,

I don't know if it is just coincidence, but since running the 'Combofix' software, all normality seems to have returned. No constant advertising pop up's and no auto internet connecting or text freezing.

It can't be that simple, surely :?

From all the data I sent you, there must be something that needs attention.

Perhaps I'm just being led into a sense of false security. Fingers crossed I'm not :)

Until proven otherwise I remain the pessimist.


Look forward to hearing from you.

Regards

redbarron
redbarron
Regular Member
 
Posts: 18
Joined: June 7th, 2007, 10:51 am

Unread postby Elrond » June 18th, 2007, 1:54 pm

So far so good. :) However there is still more to do.:(

  1. Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:) or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!
  2. Now close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {A4830C61-017B-4A41-93D3-369ACD2C1BD1} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - blank (file missing)
    O2 - BHO: (no name) - {CCFBEFDF-702D-4BB2-A267-102907F4F6FE} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - blank (file missing)
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O20 - AppInit_DLLs: c:\windows\system32\jkhgfdd.dll
    O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Stephen Hunt\Application Data\tmp8.tmp.exe (file missing)


    Click on Fix Checked when finished and exit HijackThis.
  3. Restart the into Safe Mode:
    Restart the computer. When the BIOS has finished loading (before Windows starts loading) start rapidly tapping the "F8". A menu opens. Select "Safe Mode". The computer will start in safe mode.
    This can be tricky. If Windows starts up in normal mode, repeat the process. If you have a keyboard with a "F Lock" key click it so that the "F" light above it is on when you start tapping the "F8" key. The startup in safe mode takes some time and while it is doing so it shows you a black screen with the words "Safe Mode"
  4. Using Windows Explorer, locate the following files and delete them (Let me know if you can not find them. It is noprblem but it is important for me to know):

    C:\WINDOWS\yaxvuv.dll
    c:\windows\system32\jkhgfdd.dll
    C:\Documents and Settings\Stephen Hunt\Application Data\tmp8.tmp.exe (file missing)

  5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon Image and select alcanshorty.bfu
    • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.
  6. Do a new HijackThis scan and post the log.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

File location help please

Unread postby redbarron » June 19th, 2007, 7:35 am

Hi Elrond,

Hunted high and low for the following file, but cannot find them.


C:\WINDOWS\yaxvuv.dll
c:\windows\system32\jkhgfdd.dll
C:\Documents and Settings\Stephen Hunt\Application Data\tmp8.tmp.exe (file missing)


Regards

rb :(
redbarron
Regular Member
 
Posts: 18
Joined: June 7th, 2007, 10:51 am

Clarification Please for Brute Force and Alcra Plus location

Unread postby redbarron » June 19th, 2007, 7:58 am

Right click the BFU folder on your desktop, and choose Extract All.


When I right click there is nothing in the drop down menu that says 'Extract All'.

So what I have done is creat a folder manually in 'My Computer' C: and named it BFU and placed the two files there.

The trouble is, when looking at you're instructions at the end about 'double clicking BFU.exe' there is no exe.

Is it just a case of double clicking the alcanshorty file in the folder and let it do it's thng?

Regards

rb
redbarron
Regular Member
 
Posts: 18
Joined: June 7th, 2007, 10:51 am

Forgot to mention.

Unread postby redbarron » June 19th, 2007, 8:00 am

Obviously I won't do any of the last message untill the completion of sections 3 and 4.


Regards

rb
redbarron
Regular Member
 
Posts: 18
Joined: June 7th, 2007, 10:51 am

Unread postby Elrond » June 19th, 2007, 11:05 am

Sorry about your hunting high and low for those files. They are probably deleted. No problem.

We will check if we need to make that pesky program run.

Try this:

Limewire is a filesharing program. In itself it is clean but any file-sharing program is a risk. In reality, your computer is being used by others and you have no idea if the files you download are clean. It is a major vector for spreading malware. If you want to keep it I will have to ask not to use it while we are cleaning up the computor. My recomendation is to remove it but that decision is up to you.

  1. Use the Add/Remove Programs to remove Java 2 Runtime Environment, SE v1.4.1_07.
    1. Click on Start.
    2. Click on Control Panel.
    3. If you need to, click on "Switch to classic view"
    4. Double-click on the Add/Remove Programs icon.
    5. Select the Java 2 Runtime Environment, SE v1.4.1_07 Application if you find it.
    6. Click on the Add/Remove button.

    If you decide to remove Limewire then
  2. repeat point 5 and 6 above for LimeWire PRO 4.12.6
  3. Once the program has uninstalled, click on the OK button.


Reboot the computer.

Download SDFix and save it to your desktop.

Restart the computer. When the BIOS has finished loading (before Windows starts loading) start rapidly tapping the "F8". A menu opens. Select "Safe Mode". The computer will start in safe mode.
This can be tricky. If Windows starts up in normal mode, repeat the process. If you have a keyboard with a "F Lock" key click it so that the "F" light above it is on when you start tapping the "F8" key. The startup in safe mode takes some time and while it is doing so it shows you a black screen with the words "Safe Mode"

Run SDFix
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Please run Combofix again.

Run another HijackThis scan and post the logs from SDFix, Combofix and HijackThis.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 289 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware