Damsel in distress- please help! Wixawin pop ups

Post by Taarantula » August 13th, 2008, 4:38 am

Hello!

I let my nephew play some games on my work laptop - a huge mistake, as I have now become infected with malware.
I keep getting these pop-ups from Wixawin and from some other advertising anti-spyware software.
I have Panda installed on the laptop from work; I have disabled this as I'm on maternity leave and don't get frequent updates. Instead I have AVG Free, the latest edition. I have also run Spybot Search & Destroy, CCleaner and Ad-Aware. Ad-Aware finds some minor infections; however, it doesn't seem to get rid of the problem completely. (I got my programs from filehippo.com, if that is information of any use.)
I got a warning saying I had a trojan on my computer a week ago that I thought I got rid of, but now I'm not so sure.
As I turned on my laptop this morning, it was asking me to install Ethernet of some kind... I'm wondering if this thing that has infected my computer is already working hard at messing things up.

Update: I just got a message from AVG saying it found two trojans that couldn't be removed as the specified file was not found. Gosh, I really feel this is over my head.
Can anyone please help? Thank you!

Taarantula
Taarantula
Active Member
 
Posts: 14
Joined: August 12th, 2008, 9:28 am

Re: Damsel in distress- please help! Wixawin pop ups

Post by Shaba » August 18th, 2008, 4:09 am

Hi Taarantula

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Damsel in distress- please help! Wixawin pop ups

Post by Taarantula » August 19th, 2008, 4:52 pm

Hello!

Since it took so long before I got a reply, I took my computer to the computer guy at work. I picked it up today after he assured me the problem was fixed. I turn on my computer and the Wixawin pop-ups are still there!

Anywho, here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:10, on 19.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Panda Security\Panda Antivirus 2008\ApvxdWin.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programfiler\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Wireless Console 2\wcourier.exe
C:\Programfiler\ASUS\ATK Media\DMEDIA.EXE
C:\Programfiler\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe
C:\Programfiler\ASUS\Splendid\ACMON.exe
C:\WINDOWS\sm56hlpr.exe
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programfiler\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\acovcnt.exe
C:\Programfiler\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\ToshibaBTServer.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlido11 ... ?clid=1044
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\ASUSTeK\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Programfiler\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Programfiler\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programfiler\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ACMON] C:\Programfiler\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Net4Switch] C:\Programfiler\ASUS\Net4Switch\Net4Switch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: MultiFrame.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.eurofoto.no/uploader/ImageUploader4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxxxx.local
O17 - HKLM\Software\..\Telephony: DomainName = xxxxxx.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxxx.local
O20 - Winlogon Notify: TPLogon - TPLogon.dll (file missing)
O20 - Winlogon Notify: __c00EC766 - C:\WINDOWS\system32\__c00EC766.dat
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda AdminSecure Communications Agent (PAVAGENTE) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler (PavAtScheduler) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe

--
End of file - 8486 bytes
Last edited by Taarantula on August 20th, 2008, 4:58 am, edited 1 time in total.
Taarantula
Active Member
 
Posts: 14
Joined: August 12th, 2008, 9:28 am

Re: Damsel in distress- please help! Wixawin pop ups

Post by Shaba » August 20th, 2008, 3:44 am

Yes you are still infected.

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
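Shaba's verdict ("Yes you are still infected") does not say which lines in the log drove it. The script below is an added example, not code from the thread, from HijackThis or from ComboFix: it applies a few of the checks a log reader makes by hand (Winlogon Notify handlers that are not DLLs or carry random-looking names, Run values with no directory or living in a user profile, Winsock LSPs HijackThis could not identify) to sample lines copied from the logs posted in this thread, and diffs the first HijackThis log against the one posted after ComboFix so that removed entries stand out. The known-good LSP list and the severity labels are my assumptions, and the samples are excerpts, not the full logs.

```python
"""Triage a HijackThis v2 log and diff it against a later one.

Added example for this thread, not code from HijackThis, ComboFix or the
forum helper. Sample lines are copied from the logs posted above; the
known-good LSP list and the severity labels are assumptions.
"""
import re
from typing import List, NamedTuple, Tuple

# Constructed excerpts in HijackThis v2.0.2 format (values as posted, with
# the poster's own "Xxxxx" redaction kept).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: TPLogon - TPLogon.dll (file missing)
O20 - Winlogon Notify: __c00EC766 - C:\WINDOWS\system32\__c00EC766.dat
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
"""
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Documents and Settings\Xxxxx\Skrivebord\SUPERAntiSpyware.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Xxxxx\Skrivebord\SASWINLO.dll
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<target>.+?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^HK.*?\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")

# Assumed known-good LSP providers. nwprovau.dll is Microsoft's NetWare client
# provider; HijackThis calls it "unknown" only because it is not on its whitelist.
KNOWN_LSP = {"nwprovau.dll"}


class Finding(NamedTuple):
    severity: str  # "high": act on it; "review": verify by hand
    entry: str
    reason: str


def parse(log: str) -> List[str]:
    """Return the R*/F*/O* entries of a HijackThis log, in order, whitespace-trimmed."""
    lines = (line.strip() for line in log.splitlines())
    return [line for line in lines if ENTRY_RE.match(line)]


def check_entry(entry: str) -> List[Finding]:
    """Apply the hand checks a log reader makes to one entry."""
    kind, body = ENTRY_RE.match(entry).groups()
    out: List[Finding] = []
    if kind == "O20" and (m := NOTIFY_RE.match(body)):
        name, target = m.group("name"), m.group("target")
        if m.group("missing"):
            out.append(Finding("review", entry, "stale Notify entry: registered file no longer exists"))
        elif not target.lower().endswith(".dll"):
            # winlogon.exe loads Notify packages as DLLs; another extension
            # (here .dat) means the value was planted, not installed.
            out.append(Finding("high", entry, "Winlogon Notify handler is not a .dll"))
        if re.fullmatch(r"_*c[0-9A-Fa-f]{6,}", name):
            out.append(Finding("high", entry, "random-looking Notify handler name"))
    elif kind == "O4" and (m := RUN_RE.match(body)):
        cmd = m.group("cmd").strip('"')
        if "\\" not in cmd:
            out.append(Finding("review", entry, "Run value has no directory: resolve it via the search path first"))
        elif "\\documents and settings\\" in cmd.lower():
            out.append(Finding("review", entry, "autorun from a user profile: confirm the user installed it"))
    elif kind == "O10" and (m := LSP_RE.match(body)):
        if m.group("path").rsplit("\\", 1)[-1].lower() not in KNOWN_LSP:
            out.append(Finding("review", entry, "unrecognised Winsock LSP: it sees every socket call"))
    return out


def triage(log: str) -> List[Finding]:
    return [f for e in parse(log) for f in check_entry(e)]


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries only in the earlier log (removed) and only in the later one (added)."""
    b, a = set(parse(before)), set(parse(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed by cleanup:", *removed, sep="\n    ")
    print("new after cleanup:", *added, sep="\n    ")
```

Run against the excerpt, the only "high" findings are for the O20 entry pointing at C:\WINDOWS\system32\__c00EC766.dat, which is exactly the entry that is absent from the HijackThis log Taarantula posts after the ComboFix run; the bare `sm56hlpr.exe` Run value is flagged only for resolution (the ComboFix report later in the thread resolves it to C:\WINDOWS\sm56hlpr.exe), and the SUPERAntiSpyware entries in the later log come up as "review" because they run from the user's desktop, which is consistent with the user having installed that tool herself.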

Re: Damsel in distress- please help! Wixawin pop ups

Post by Taarantula » August 20th, 2008, 4:54 am

Wow, so impressed that someone is actually able to look through all that information and see problems! :cheers:

Here's my ComboFix log:
(I have x'ed out names)

ComboFix 08-08-18.05 - Xxxxx 2008-08-20 10:34:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1525 [GMT 2:00]
Running from: C:\Documents and Settings\Xxxxx.XXXXXX\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Xxxxx.XXXXXX\Skrivebord\WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-20 00:34 . 2008-08-20 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-08-20 00:33 . 2008-08-20 00:33 <DIR> d-------- C:\Documents and Settings\Xxxxx.XXXXXX\Programdata\SUPERAntiSpyware.com
2008-08-20 00:32 . 2008-08-20 00:32 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-08-20 00:24 . 2008-08-20 10:15 <DIR> dr-h----- C:\Documents and Settings\Xxxxx.XXXXXX\Siste
2008-08-19 23:05 . 2008-08-19 23:39 <DIR> d-------- C:\Programfiler\EsetOnlineScanner
2008-08-19 22:51 . 2008-08-20 00:08 <DIR> d-------- C:\Programfiler\Trend Micro
2008-08-15 12:02 . 2008-08-19 22:34 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-08-15 12:02 . 2007-09-28 13:24 83,896 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2008-08-15 12:02 . 2007-03-15 18:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-08-15 12:02 . 2008-08-15 12:02 246 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-08-15 11:49 . 2008-08-15 11:49 4,124 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-15 11:42 . 2008-08-15 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Avg8
2008-08-15 11:38 . 2008-08-15 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\sentinel
2008-08-15 08:44 . 2008-08-15 12:02 <DIR> d-------- C:\Programfiler\Panda Security
2008-08-15 08:36 . 2008-08-15 08:36 15,661 --a------ C:\WINDOWS\LpAGENT.XML
2008-08-15 08:36 . 2008-08-15 08:36 821 --a------ C:\WINDOWS\LeAGENT.XML
2008-08-15 08:34 . 2008-05-01 16:34 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 08:31 . 2008-08-15 08:31 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-08-15 08:31 . 2005-11-16 10:08 78,976 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-08-12 14:51 . 2008-08-12 14:51 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Kaspersky Lab Setup Files
2008-08-12 11:12 . 2008-08-12 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 06:34 45,056 ----a-w C:\WINDOWS\system32\acovcnt.exe
2008-08-15 10:02 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-08-15 09:37 --------- d-----w C:\Programfiler\Spybot - Search & Destroy
2008-08-15 09:36 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-08-09 21:05 --------- d-----w C:\Programfiler\Java
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:33 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:24 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:23 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:22 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:43 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:43 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\dllcache\bthport.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"SUPERAntiSpyware"="C:\Documents and Settings\Xxxxx\Skrivebord\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-08-23 23:22 110592]
"RemoteControl"="C:\Programfiler\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 00:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 00:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 00:17 118784]
"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 03:26 761945]
"Wireless Console 2"="C:\Programfiler\Wireless Console 2\wcourier.exe" [2005-10-17 18:09 987136]
"ATKMEDIA"="C:\Programfiler\ASUS\ATK Media\DMEDIA.EXE" [2006-05-16 17:29 53248]
"ASUS Live Update"="C:\Programfiler\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 16:20 180224]
"Power_Gear"="C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 18:13 86016]
"ACMON"="C:\Programfiler\ASUS\Splendid\ACMON.exe" [2006-02-21 20:36 17920]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 22:14 61440]
"Sony Ericsson PC Suite"="C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 01:06 487424]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 07:29 67752]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 00:34 544768 C:\WINDOWS\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Bluetooth Manager.lnk - C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-02-02 23:19:10 1753088]
MultiFrame.lnk - C:\Programfiler\ASUS\Asus MultiFrame\MultiFrame.exe [2007-01-04 21:52:46 491520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Documents and Settings\Xxxxx\Skrivebord\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Documents and Settings\Xxxxx\Skrivebord\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe"= C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19226:TCP"= 19226:TCP:ENABLE
"19226:UDP"= 19226:UDP:ENABLE

R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-12-28 09:44]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-12-18 11:45]
S3 D100IB;D100IB;C:\WINDOWS\system32\DRIVERS\D100IB5.SYS [2001-10-06 13:42]
S3 USBSAMP;based USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\DFSTOR2K.SYS [2001-09-28 09:47]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Xxxxx.XXXXXX\Programdata\Mozilla\Firefox\Profiles\xcjpne3n.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 10:36:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 10:36:45
ComboFix-quarantined-files.txt 2008-08-20 08:36:43
ComboFix2.txt 2008-08-19 23:02:23

Pre-Run: 32,764,942,848 byte ledig
Post-Run: 32,745,722,368 byte ledig

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

143 --- E O F --- 2008-08-15 10:47:08


And here's my new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39, on 2008-08-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programfiler\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\ASUS\ATK Media\DMEDIA.EXE
C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe
C:\Programfiler\ASUS\Splendid\ACMON.exe
C:\WINDOWS\sm56hlpr.exe
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Documents and Settings\Xxxxx\Skrivebord\SUPERAntiSpyware.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programfiler\ASUS\Asus MultiFrame\MultiFrame.exe
C:\WINDOWS\system32\acovcnt.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\ToshibaBTServer.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\avciman.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Xxxxx.XXXXXX\Skrivebord\Fjernelort\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlido11 ... ?clid=1044
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\ASUSTeK\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Programfiler\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Programfiler\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programfiler\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ACMON] C:\Programfiler\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Documents and Settings\Xxxxx\Skrivebord\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: MultiFrame.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.eurofoto.no/uploader/ImageUploader4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxxxx.local
O17 - HKLM\Software\..\Telephony: DomainName = xxxxxx.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxxx.local
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Xxxxx\Skrivebord\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda AdminSecure Communications Agent (PAVAGENTE) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler (PavAtScheduler) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe

--
End of file - 8249 bytes
Taarantula
Active Member
 
Posts: 14
Joined: August 12th, 2008, 9:28 am

Re: Damsel in distress- please help! Wixawin pop ups

Post by Shaba » August 20th, 2008, 5:08 am

OK, that looks to be fine.

Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Damsel in distress- please help! Wixawin pop ups

Unread postby Taarantula » August 20th, 2008, 6:57 am

Thank you so much for helping out!
I can't get the Kaspersky scan to run; it tells me that I need Java version 1.5 or later in order to do the online scan.
The only option I get with the Kaspersky scan is Exit; the Accept button can't be clicked.

Is there a safe place where I can get java 1.5?
Taarantula
Active Member
 
Posts: 14
Joined: August 12th, 2008, 9:28 am

Re: Damsel in distress- please help! Wixawin pop ups

Unread postby Shaba » August 20th, 2008, 7:55 am

You have it; it is maybe a settings thing.

Which browser did you try with that scan?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Damsel in distress- please help! Wixawin pop ups

Unread postby Taarantula » August 20th, 2008, 9:18 am

I used IE, should I try Mozilla firefox instead?
Taarantula
Active Member
 
Posts: 14
Joined: August 12th, 2008, 9:28 am

Re: Damsel in distress- please help! Wixawin pop ups

Unread postby Shaba » August 20th, 2008, 10:09 am

Yes please :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Damsel in distress- please help! Wixawin pop ups

Unread postby Taarantula » August 20th, 2008, 11:25 am

Mozilla let me perform the Kaspersky scan! Here are the results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 20, 2008 14:03:41
Records in database: 1113861
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
O:\
V:\
Y:\

Scan statistics:
Files scanned: 45831
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:50:32


File name / Threat name / Threats count
C:\Documents and Settings\Xxxxx.XXXXXX\Skrivebord\virusfix\SmitfraudFix.zip Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.


Here's the HJT log after the Kaspersky scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:14, on 2008-08-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Programfiler\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Wireless Console 2\wcourier.exe
C:\Programfiler\ASUS\ATK Media\DMEDIA.EXE
C:\Programfiler\ASUS\ASUS Live Update\ALU.exe
C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe
C:\Programfiler\ASUS\Splendid\ACMON.exe
C:\WINDOWS\sm56hlpr.exe
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Programfiler\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Documents and Settings\Xxxxx\Skrivebord\SUPERAntiSpyware.exe
C:\WINDOWS\system32\acovcnt.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programfiler\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\ToshibaBTServer.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Xxxxx\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlido11 ... ?clid=1044
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\ASUSTeK\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Programfiler\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Programfiler\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programfiler\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ACMON] C:\Programfiler\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Documents and Settings\Xxxxx\Skrivebord\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [A00F888BEE.exe] C:\DOCUME~1\XXXXX~1.VAN\LOKALE~1\Temp\_A00F888BEE.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: MultiFrame.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.eurofoto.no/uploader/ImageUploader4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxxxx.local
O17 - HKLM\Software\..\Telephony: DomainName = xxxxxx.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxxx.local
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Xxxxx\Skrivebord\SASWINLO.dll
O20 - Winlogon Notify: __c0096791 - C:\WINDOWS\system32\__c0096791.dat
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda AdminSecure Communications Agent (PAVAGENTE) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler (PavAtScheduler) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe

--
End of file - 8672 bytes
Taarantula
Active Member
 
Posts: 14
Joined: August 12th, 2008, 9:28 am

Re: Damsel in distress- please help! Wixawin pop ups

Unread postby Shaba » August 20th, 2008, 11:29 am

Looks like there is a downloader.

I will need to know full file path here:

C:\DOCUME~1\XXXXX~1.VAN\LOKALE~1\Temp\_A00F888BEE.exe
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
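An added example, not code from this thread or from the HijackThis/ComboFix authors: a small Python triage script that applies the same reading Shaba gave the log above to the O4 Run and O20 Winlogon Notify lines of a HijackThis log. It flags an autostart launched from a Temp folder under a random hex name, a Winlogon Notify package that is not a .dll, and 8.3 short paths (DOCUME~1 style) that should be confirmed as full paths before anything is scripted against them. The sample log lines are constructed from the entries quoted in this thread.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: five lines modelled on the HijackThis log posted in this
# thread (user name masked as in the original post). Two of them are the
# entries the helper singled out; the other three are ordinary autostarts.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Documents and Settings\Xxxxx\Skrivebord\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [A00F888BEE.exe] C:\DOCUME~1\XXXXX~1.VAN\LOKALE~1\Temp\_A00F888BEE.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Xxxxx\Skrivebord\SASWINLO.dll
O20 - Winlogon Notify: __c0096791 - C:\WINDOWS\system32\__c0096791.dat
"""

# HijackThis line shapes for the two sections we care about.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
HEX_STEM_RE = re.compile(r'[0-9A-Fa-f]{8,}')


@dataclass
class Finding:
    section: str          # "O4" or "O20"
    name: str             # registry value name / notify package name
    path: str             # image path extracted from the entry
    reasons: List[str] = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r'(.*?\.(?:exe|dll|dat|com|scr|bat|cmd|pif))(?:\s|$)', cmd, re.I)
    return unquoted.group(1) if unquoted else cmd.strip()


def uses_short_names(path: str) -> bool:
    """True if any component is an 8.3 short name (DOCUME~1 style); that is why
    the helper asked for the full path before scripting a deletion."""
    return any('~' in part for part in path.split('\\'))


def suspicious_run_entry(path: str) -> List[str]:
    """Heuristics for an O4 Run entry: launched from a Temp folder, or a
    random-looking hex file name (optionally prefixed with underscores)."""
    reasons = []
    if re.search(r'\\temp\\', path, re.I):
        reasons.append('started from a Temp directory')
    stem, _ext = ntpath.splitext(ntpath.basename(path))
    if HEX_STEM_RE.fullmatch(stem.lstrip('_')):
        reasons.append('random-looking hex file name')
    return reasons


def suspicious_notify_entry(path: str) -> List[str]:
    """A Winlogon Notify package is loaded into winlogon.exe at logon; a legitimate
    one is a .dll, so a .dat (or anything else) deserves a second look."""
    reasons = []
    if not path.lower().endswith('.dll'):
        reasons.append('Winlogon Notify package is not a .dll')
    return reasons


def analyze(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the O4/O20 entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = image_path(m.group('cmd'))
            reasons = suspicious_run_entry(path)
            if reasons:
                findings.append(Finding('O4', m.group('name'), path, reasons))
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group('path').strip()
            reasons = suspicious_notify_entry(path)
            if reasons:
                findings.append(Finding('O20', m.group('name'), path, reasons))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_HJT_LOG):
        tag = ' (8.3 short path - confirm the full path)' if uses_short_names(f.path) else ''
        print(f'{f.section} [{f.name}] {f.path}{tag}: ' + '; '.join(f.reasons))
```

Run against the sample it reports exactly the two entries Shaba acted on and leaves the Java updater, SUPERAntiSpyware and SASWINLO.dll alone.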

Re: Damsel in distress- please help! Wixawin pop ups

Unread postby Taarantula » August 20th, 2008, 3:34 pm

Would this be the full path? (Copied from my HJT log after the Kaspersky scan was performed)

O4 - HKCU\..\Run: [A00F888BEE.exe] C:\DOCUME~1\XXXXX~1.VAN\LOKALE~1\Temp\_A00F888BEE.exe
Last edited by Taarantula on August 20th, 2008, 5:21 pm, edited 1 time in total.
Taarantula
Active Member
 
Posts: 14
Joined: August 12th, 2008, 9:28 am

Re: Damsel in distress- please help! Wixawin pop ups

Unread postby Shaba » August 20th, 2008, 3:55 pm

Yes :)

Please download ATF Cleaner by Atribune and save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\DOCUME~1\xxxxx.VAN\LOKALE~1\Temp\_A00F888BEE.exe
C:\WINDOWS\system32\__c0096791.dat


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Damsel in distress- please help! Wixawin pop ups

Unread postby Taarantula » August 20th, 2008, 5:57 pm

ATF cleaner done!
Here's my combofix log as prompted by the CFScript document followed by my HJT log:


ComboFix 08-08-19.03 - Xxxxx 2008-08-20 23:39:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1329 [GMT 2:00]
Running from: C:\Documents and Settings\Xxxxx.XXXXXX\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Xxxxx.XXXXXX\Skrivebord\CFScript.txt
* Created a new restore point

FILE ::
C:\DOCUME~1\XXXXX~1.VAN\LOKALE~1\Temp\_A00F888BEE.exe
C:\WINDOWS\system32\__c0096791.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\XXXXX~1.VAN\LOKALE~1\Temp\_A00F888BEE.exe
C:\WINDOWS\system32\__c0096791.dat
C:\WINDOWS\system32\~.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-20 00:34 . 2008-08-20 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-08-20 00:33 . 2008-08-20 00:33 <DIR> d-------- C:\Documents and Settings\Xxxxx.XXXXXX\Programdata\SUPERAntiSpyware.com
2008-08-20 00:32 . 2008-08-20 00:32 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-08-20 00:24 . 2008-08-20 23:36 <DIR> dr-h----- C:\Documents and Settings\Xxxxx.XXXXXX\Siste
2008-08-19 23:05 . 2008-08-19 23:39 <DIR> d-------- C:\Programfiler\EsetOnlineScanner
2008-08-19 22:51 . 2008-08-20 00:08 <DIR> d-------- C:\Programfiler\Trend Micro
2008-08-15 12:02 . 2008-08-19 22:34 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-08-15 12:02 . 2007-09-28 13:24 83,896 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2008-08-15 12:02 . 2007-03-15 18:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-08-15 12:02 . 2008-08-15 12:02 246 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-08-15 11:49 . 2008-08-15 11:49 4,124 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-15 11:42 . 2008-08-15 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Avg8
2008-08-15 11:38 . 2008-08-15 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\sentinel
2008-08-15 08:44 . 2008-08-15 12:02 <DIR> d-------- C:\Programfiler\Panda Security
2008-08-15 08:36 . 2008-08-15 08:36 15,661 --a------ C:\WINDOWS\LpAGENT.XML
2008-08-15 08:36 . 2008-08-15 08:36 821 --a------ C:\WINDOWS\LeAGENT.XML
2008-08-15 08:34 . 2008-05-01 16:34 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 08:31 . 2008-08-15 08:31 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-08-15 08:31 . 2005-11-16 10:08 78,976 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-08-12 14:51 . 2008-08-12 14:51 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Kaspersky Lab Setup Files
2008-08-12 11:12 . 2008-08-12 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 09:55 --------- d-----w C:\Programfiler\Java
2008-08-15 10:02 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-08-15 09:37 --------- d-----w C:\Programfiler\Spybot - Search & Destroy
2008-08-15 09:36 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-20_ 1.01.51.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-19 23:00:03 45,056 ----a-w C:\WINDOWS\system32\acovcnt.exe
+ 2008-08-20 21:45:12 45,056 ----a-w C:\WINDOWS\system32\acovcnt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"SUPERAntiSpyware"="C:\Documents and Settings\Xxxxx\Skrivebord\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-08-23 23:22 110592]
"RemoteControl"="C:\Programfiler\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 00:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 00:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 00:17 118784]
"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 03:26 761945]
"Wireless Console 2"="C:\Programfiler\Wireless Console 2\wcourier.exe" [2005-10-17 18:09 987136]
"ATKMEDIA"="C:\Programfiler\ASUS\ATK Media\DMEDIA.EXE" [2006-05-16 17:29 53248]
"ASUS Live Update"="C:\Programfiler\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 16:20 180224]
"Power_Gear"="C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 18:13 86016]
"ACMON"="C:\Programfiler\ASUS\Splendid\ACMON.exe" [2006-02-21 20:36 17920]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 22:14 61440]
"Sony Ericsson PC Suite"="C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 01:06 487424]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 07:29 67752]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 00:34 544768 C:\WINDOWS\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Bluetooth Manager.lnk - C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-02-02 23:19:10 1753088]
MultiFrame.lnk - C:\Programfiler\ASUS\Asus MultiFrame\MultiFrame.exe [2007-01-04 21:52:46 491520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Documents and Settings\Xxxxx\Skrivebord\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Documents and Settings\Xxxxx\Skrivebord\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe"= C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19226:TCP"= 19226:TCP:ENABLE
"19226:UDP"= 19226:UDP:ENABLE

R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-12-28 09:44]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-12-18 11:45]
S3 D100IB;D100IB;C:\WINDOWS\system32\DRIVERS\D100IB5.SYS [2001-10-06 13:42]
S3 USBSAMP;based USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\DFSTOR2K.SYS [2001-09-28 09:47]
.
- - - - ORPHANS REMOVED - - - -

Notify-__c0096791 - C:\WINDOWS\system32\__c0096791.dat



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 23:44:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Programfiler\ASUS\Asus MultiFrame\HookTitle.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\Panda Security\Panda Antivirus 2008\PAVSRV51.EXE
C:\Programfiler\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\Programfiler\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagentwd.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\PavPrSrv.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsCtrlS.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\acovcnt.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\ToshibaBTServer.exe
.
**************************************************************************
.
Completion time: 2008-08-20 23:47:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-20 21:46:59
ComboFix2.txt 2008-08-20 08:36:46
ComboFix3.txt 2008-08-19 23:02:23

Pre-Run: 34,760,928,768 byte ledig
Post-Run: 34,789,667,840 byte ledig

157 --- E O F --- 2008-08-15 10:47:08



HJT log after Combofix prompted by CFScript:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:56, on 2008-08-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Programfiler\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programfiler\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Wireless Console 2\wcourier.exe
C:\Programfiler\ASUS\ATK Media\DMEDIA.EXE
C:\Programfiler\ASUS\ASUS Live Update\ALU.exe
C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe
C:\Programfiler\ASUS\Splendid\ACMON.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programfiler\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Documents and Settings\Xxxxx\Skrivebord\SUPERAntiSpyware.exe
C:\WINDOWS\system32\acovcnt.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programfiler\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\ToshibaBTServer.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\avciman.exe
C:\Programfiler\internet explorer\iexplore.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlido11 ... ?clid=1044
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\ASUSTeK\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Programfiler\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Programfiler\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programfiler\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programfiler\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ACMON] C:\Programfiler\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Documents and Settings\Xxxxx\Skrivebord\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: MultiFrame.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.eurofoto.no/uploader/ImageUploader4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxxxx.local
O17 - HKLM\Software\..\Telephony: DomainName = xxxxxx.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxxx.local
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Xxxxx\Skrivebord\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda AdminSecure Communications Agent (PAVAGENTE) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler (PavAtScheduler) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Software - C:\Programfiler\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe

--
End of file - 8574 bytes
Last edited by Taarantula on August 22nd, 2008, 9:33 am, edited 1 time in total.
Taarantula
Active Member
 
Posts: 14
Joined: August 12th, 2008, 9:28 am