Karl's PC Help Forums

Hijack this for Pancake
Redwolf5150 - 27-3-2008 at 02:29

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:24 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/yme/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: GNX Rolex - {2899EA9F-F4E4-4B4B-8ECB-6AB7B33679CB} - C:\WINDOWS\drnpfdxwso.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: etlrlws - {D78079D0-619E-432B-9D06-41BDD4ACAF5F} - C:\WINDOWS\etlrlws.dll (file missing)
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [tlemXEAc3L] C:\WINDOWS\ctkxelmn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: UnknownUnknown - {e265ee7a-0da5-47e0-997b-79ae661cd1ac} - C:\WINDOWS\Installer\{e265ee7a-0da5-47e0-997b-79ae661cd1ac}\UnknownUnknown.dll
O21 - SSODL: zip - {7492ac38-7748-4071-ac4c-1afad222cf96} - C:\WINDOWS\Installer\{7492ac38-7748-4071-ac4c-1afad222cf96}\zip.dll
O21 - SSODL: bokpkov - {C64A848D-0823-44F2-BFBD-624F8A1CBBA5} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {CA72C594-8F85-4F46-9812-320366AF164B} - C:\WINDOWS\altvxvm.dll
O23 - Service: McAfee Application Installer Cleanup (0116541186004792) (0116541186004792mcinstcleanup) - Unknown owner - C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\11654~1.EXE (file missing)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10672 bytes
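The log above is the kind a helper triages by eye: the entries later removed by SDFix and ComboFix are the O21 SSODL DLLs, the randomly named files dropped straight into C:\WINDOWS, the O4 Policies\Explorer\Run autostart, the orphaned "(file missing)" toolbar and the O23 service pointing into a Temp folder, plus the R0 start page sent to softwarereferral.com. The script below is an added example (mine, not code from HijackThis or from this thread) that parses the same line format and applies those checks. The sample lines are constructed from entries in the log; the vowel-ratio test for machine-generated names and the list of default IE/Yahoo hosts are my assumptions, not anything HijackThis itself does.

```python
"""Triage a HijackThis log: flag the autostart entries an analyst looks at first.
Added example; not part of HijackThis or of the forum thread."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis's line format, modelled on the log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {2899EA9F-F4E4-4B4B-8ECB-6AB7B33679CB} - C:\WINDOWS\drnpfdxwso.dll
O3 - Toolbar: etlrlws - {D78079D0-619E-432B-9D06-41BDD4ACAF5F} - C:\WINDOWS\etlrlws.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Policies\Explorer\Run: [tlemXEAc3L] C:\WINDOWS\ctkxelmn.exe
O21 - SSODL: bokpkov - {C64A848D-0823-44F2-BFBD-624F8A1CBBA5} - C:\WINDOWS\bokpkov.dll
O23 - Service: McAfee Application Installer Cleanup (0116541186004792mcinstcleanup) - Unknown owner - C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\11654~1.EXE (file missing)
"""

# Hosts treated as IE/Yahoo defaults for R0/R1 lines (assumption for this example).
DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.yahoo.com", "red.clientapps.yahoo.com"}
LINE_RE = re.compile(r"^([OR]\d+) - (.*)$")
EXE_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|dll|com|cpl|bat|scr|ocx|sys))', re.I)
WIN_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\([^\\]+)$", re.I)   # file directly in %WINDIR%
TEMP_RE = re.compile(r"\\temp\\", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    path: str
    line: str


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 6-14 lowercase letters with few vowels, like
    drnpfdxwso or ctkxelmn. Applied only to files dropped straight into %WINDIR%."""
    if not re.fullmatch(r"[a-z]{6,14}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.35


def extract_path(section: str, rest: str) -> str:
    """Pull the file path (or the URL for R0/R1) out of one HijackThis entry."""
    if section == "O4":                        # "[name] path args"
        m = re.search(r"\]\s*(.*)$", rest)
        value = m.group(1) if m else ""
    elif section.startswith("R"):              # "key,value = URL"
        value = rest.split(" = ", 1)[-1]
    else:                                      # "name - {CLSID} - path"
        value = rest.rsplit(" - ", 1)[-1]
    m = EXE_RE.search(value)                   # drop quotes, args and "(file missing)"
    return m.group(1) if m else value.strip()


def triage(log_text: str) -> list[Finding]:
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        path = extract_path(section, rest)
        reasons = []
        if "(file missing)" in rest or "(no file)" in rest:
            reasons.append("orphaned entry: registered file is missing")
        if section == "O21":
            reasons.append("SSODL entry: loaded by Explorer at logon, rarely legitimate on XP")
        if section == "O4" and "\\Policies\\Explorer\\Run" in rest:
            reasons.append("Policies\\Explorer\\Run autostart: not listed by msconfig")
        if TEMP_RE.search(path):
            reasons.append("runs from a Temp directory")
        wm = WIN_ROOT_RE.match(path)
        if wm and looks_random(wm.group(1).rsplit(".", 1)[0]):
            reasons.append("random-looking name directly in %WINDIR%")
        if section in ("R0", "R1"):
            host = urlparse(path).hostname or ""
            if host and host not in DEFAULT_HOSTS:
                reasons.append(f"IE start/search page points at {host}")
        findings.extend(Finding(section, r, path, line) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<60} {f.path}")
```

Run it as-is to see the constructed sample scored, or feed a saved hijackthis.log to triage(). It only ranks what to look at: the Acrobat BHO and the Apoint entry come out clean, every flagged entry above matches something SDFix or ComboFix later deleted, but a clean score here is not proof a file is benign.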


SRD - 27-3-2008 at 07:53

Shrove Tuesday was weeks ago, you can't expect pancakes for another year. :D


LSemmens - 27-3-2008 at 12:20

We can do anything here, Simon!

There are a couple of things that I don't recognise, Jamie, but Pancake should be along, presently!


Redwolf5150 - 27-3-2008 at 14:29

Oh, this is one sick laptop my soon-to-be stepdaughter-in-law has.

:(


Pancake - 27-3-2008 at 21:48

You have a bit of malware to remove..


Please download SDFix from here (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
Report.txt will also be copied to the Clipboard, ready for posting back on the forum.

Please copy and paste that log in your next reply.
=================================


Ok. We need to download ComboFix.exe. This will give a better view of the files running, and also those hidden, on your computer.

Please visit this webpage for download links and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix


When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a security analyst.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.


Redwolf5150 - 28-3-2008 at 00:29

Well the nasties are keeping the computer from connecting to the Internet.

I've been downloading the programs to MY machine and transferring them on CD-ROM. Once I have everything installed, I shouldn't need the CD drive again until it's finished running and I need to copy the reports.



Pancake - 28-3-2008 at 23:56

Ok..No rush.


Redwolf5150 - 29-3-2008 at 00:04

Here's the SDFix report:

--------------------------------

SDFix: Version 1.163

Run by melissa schaaf on Fri 03/28/2008 at 06:31 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Installer\{e265ee7a-0da5-47e0-997b-79ae661cd1ac}\UnknownUnknown.dll - Deleted
C:\WINDOWS\Installer\{7492ac38-7748-4071-ac4c-1afad222cf96}\zip.dll - Deleted
C:\Documents and Settings\melissa schaaf\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\melissa schaaf\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\melissa schaaf\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\melissa schaaf\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\melissa schaaf\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\melissa schaaf\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\drnpfdxwso.dll - Deleted
C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\ac8zt2.dat - Deleted
C:\WINDOWS\altvxvm.dll - Deleted
C:\WINDOWS\bokpkov.dll - Deleted
C:\WINDOWS\fmsxwqs.exe - Deleted
C:\WINDOWS\iTunesMusic.exe - Deleted
C:\WINDOWS\rs.txt - Deleted



Folder C:\WINDOWS\Installer\{e265ee7a-0da5-47e0-997b-79ae661cd1ac} - Removed
Folder C:\WINDOWS\Installer\{7492ac38-7748-4071-ac4c-1afad222cf96} - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 18:42:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002720c41d0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002720d730d]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002720c41d0]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002720d730d]

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\PopCap Games\BookWorm Deluxe\BookWorm.exe"="C:\Program Files\PopCap Games\BookWorm Deluxe\BookWorm.exe:*:Disabled:BookWorm"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 19 Sep 2005 4,348 A.SH. --- "C:\Documents and Settings\Default User\DRM\DRMv1.bak"
Sun 1 Jul 2007 0 A.SH. --- "C:\Documents and Settings\Default User\DRM\Cache\Indiv02.tmp"
Thu 20 Mar 2008 16,732 A.SH. --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\F5.tmp"
Thu 20 Mar 2008 16,732 A.SH. --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\F6.tmp"
Thu 20 Mar 2008 16,732 A.SH. --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\F7.tmp"
Thu 20 Mar 2008 16,732 A.SH. --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\F8.tmp"
Thu 20 Mar 2008 16,596 ..SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\tmp0.exe"
Thu 20 Mar 2008 16,596 ..SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\tmp1.exe"
Thu 20 Mar 2008 16,596 ..SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\tmp2.exe"
Thu 20 Mar 2008 16,596 ..SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\tmp3.exe"

Finished!


Redwolf5150 - 29-3-2008 at 00:07

Okay, when I tried to get ComboFix to extract, first it said that I needed administrator privileges, when this computer only has one account, which is designated the administrator.

After rebooting again, Spybot popped up registry warnings on the following:

System Startup Global Entry
Grpconv

And

Command processor value deleted
Autorun.

I denied both and got nowhere.

Should I allow these?


Pancake - 29-3-2008 at 00:40

ComboFix is programmed to stop autoruns. This is to stop things from interfering with the scan....

Try this....

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following text into the run box & click OK.


"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Redwolf5150 - 29-3-2008 at 01:46

ComboFix 08-03-27.1 - melissa schaaf 2008-03-28 20:07:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.226 [GMT -5:00]
Running from: C:\Documents and Settings\melissa schaaf\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\melissa schaaf\Desktop\blackbird.jpg
C:\Documents and Settings\melissa schaaf\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\melissa schaaf\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\melissa schaaf\Desktop\filemanagerclient.exe
C:\Documents and Settings\melissa schaaf\Desktop\fkwp1.5.exe
C:\Documents and Settings\melissa schaaf\Desktop\fkwp2.0.exe
C:\Documents and Settings\melissa schaaf\Desktop\fwebd.exe
C:\Documents and Settings\melissa schaaf\Desktop\FWebdEditor.exe
C:\Documents and Settings\melissa schaaf\Desktop\Trojan.Win32.BlackBird.exe
C:\Documents and Settings\melissa schaaf\Desktop\virii
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smpmsrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Webdef.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-28 18:29 . 2008-03-28 18:29 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-28 18:16 . 2008-03-28 18:45 <DIR> d-------- C:\SDFix
2008-03-26 18:04 . 2007-12-24 18:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-25 19:43 . 2008-03-25 19:44 56,320 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-25 19:43 . 2008-03-25 19:51 19,968 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-03-24 19:32 . 2008-03-24 19:32 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-24 19:26 . 2008-03-25 22:09 <DIR> d-------- C:\Documents and Settings\melissa schaaf\.housecall6.6
2008-03-23 22:58 . 2008-03-23 22:58 <DIR> d-------- C:\Documents and Settings\melissa schaaf\Application Data\MSNInstaller
2008-03-23 22:58 . 2008-03-23 22:58 <DIR> d-------- C:\DOCUME~1\MELISS~1\APPLIC~1\MSNInstaller
2008-03-23 22:11 . 2008-03-23 22:11 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-12 16:16 . 2008-03-12 16:16 <DIR> d-------- C:\Documents and Settings\melissa schaaf\Application Data\Yahoo!
2008-03-12 16:16 . 2008-03-12 16:16 <DIR> d-------- C:\DOCUME~1\MELISS~1\APPLIC~1\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 02:22 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-27 02:22 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2008-03-27 02:22 --------- d-----w C:\Program Files\NetZero
2008-03-27 02:22 --------- d-----w C:\Program Files\NetWaiting
2008-03-27 02:22 --------- d-----w C:\Program Files\Modem Helper
2008-03-27 02:22 --------- d-----w C:\Program Files\HP DeskJet 690C Series
2008-03-27 02:22 --------- d-----w C:\Program Files\Apoint
2008-03-27 01:54 --------- d-----w C:\Program Files\Trend Micro
2008-03-24 23:44 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-03-24 04:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 04:37 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2008-02-16 04:37 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2899EA9F-F4E4-4B4B-8ECB-6AB7B33679CB}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-17 10:29 488712]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-07 21:24 180269]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 13:03 135168]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 05:40 86960]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 05:40 218032]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26 606208]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 21:10 339968]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 16:35 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
backup=C:\WINDOWS\pss\$McRebootA5E6DEAA56$.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Messenger\msmsgs.exe"=
"C:\Program Files\PopCap Games\BookWorm Deluxe\BookWorm.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 05:47]
R2 HPFECP16;HPFECP16;C:\WINDOWS\system32\drivers\HPFECP16.SYS [1998-07-01 01:55]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 04:40]
S2 0116541186004792mcinstcleanup;McAfee Application Installer Cleanup (0116541186004792);C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\011654~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini
S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-08-15 07:27]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 20:14:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
.
**************************************************************************
.
Completion time: 2008-03-28 20:18:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-29 01:18:02
Pre-Run: 45,139,066,880 bytes free
Post-Run: 45,140,312,064 bytes free
.
2008-03-25 23:00:31 --- E O F ---
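Once the droppers are gone, the settings worth reading in these reports are the ones a helper checks by hand: the SDFix "Authorized Application Key Export" earlier in the thread and the ComboFix "Reg Loading Points" above show Windows Firewall's EnableFirewall value per profile, the AuthorizedApplicationsList exceptions (each value is path:scope:Enabled|Disabled:name, where a scope of * means any remote address), and the Security Center DisableMonitoring flags. The script below is an added example, my code rather than anything shipped with SDFix or ComboFix, that parses a fragment in that export format and lists what is weakened. The sample fragment is constructed from lines in the two reports; the key and value formats are as shown there, while case-insensitive key matching and skipping ComboFix's value-less list entries are my choices.

```python
"""Audit Windows Firewall (XP SP2) and Security Center settings from a registry
export in the style of the SDFix and ComboFix reports above.
Added example; not part of either tool."""
import re
from dataclasses import dataclass, field

# Constructed sample in the export format shown in the reports above.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\PopCap Games\BookWorm Deluxe\BookWorm.exe"="C:\Program Files\PopCap Games\BookWorm Deluxe\BookWorm.exe:*:Disabled:BookWorm"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
PROFILE_RE = re.compile(r"firewallpolicy\\(\w+)(.*)$")


@dataclass
class AppException:
    profile: str
    path: str
    scope: str          # "*" means any remote address
    enabled: bool
    name: str


@dataclass
class FirewallAudit:
    profiles: dict = field(default_factory=dict)             # profile -> EnableFirewall as bool
    exceptions: list = field(default_factory=list)           # AppException entries
    monitoring_disabled: list = field(default_factory=list)  # Security Center products

    def issues(self) -> list[str]:
        out = [f"{p}: EnableFirewall=0, Windows Firewall is off"
               for p, on in self.profiles.items() if on is False]
        for e in self.exceptions:
            if e.enabled:
                where = "any address" if e.scope == "*" else e.scope
                out.append(f"{e.profile}: {e.path} may accept inbound connections from {where} ({e.name})")
        out += [f"Security Center no longer monitors {p}" for p in self.monitoring_disabled]
        return out


def parse_value(raw: str):
    """Handle the three value spellings seen in the reports: quoted string,
    dword:hex, and ComboFix's '0 (0x0)'. Empty means ComboFix hid the value."""
    raw = raw.strip()
    if not raw:
        return None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    m = re.match(r"dword:([0-9a-fA-F]+)", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else raw


def parse_exception(value: str) -> tuple:
    """AuthorizedApplicationsList value: path:scope:Enabled|Disabled:name.
    The path itself contains a colon (C:\\...), so split from the right."""
    path, scope, state, name = value.rsplit(":", 3)
    return path, scope, state.lower() == "enabled", name


def audit(export: str) -> FirewallAudit:
    result = FirewallAudit()
    key_raw = key = ""
    for line in export.splitlines():
        km = KEY_RE.match(line.strip())
        if km:
            key_raw = km.group(1)
            key = key_raw.lower()
            continue
        vm = VALUE_RE.match(line.strip())
        if not vm:
            continue
        name, value = vm.group(1), parse_value(vm.group(2))
        pm = PROFILE_RE.search(key)
        if pm:
            profile, suffix = pm.groups()
            if not suffix and name.lower() == "enablefirewall":
                result.profiles[profile] = bool(value)
            elif "authorizedapplications" in suffix and isinstance(value, str) and value.count(":") >= 3:
                path, scope, enabled, appname = parse_exception(value)
                result.exceptions.append(AppException(profile, path, scope, enabled, appname))
        elif "\\security center\\monitoring\\" in key and name.lower() == "disablemonitoring" and value == 1:
            result.monitoring_disabled.append(key_raw.rsplit("\\", 1)[-1])
    return result


if __name__ == "__main__":
    for issue in audit(SAMPLE_EXPORT).issues():
        print(issue)
```

Read the output against what is installed rather than as a verdict: on this laptop Trend Micro Personal Firewall (the TmPfw service in the logs) is the active firewall, so EnableFirewall=0 and the TrendFirewall monitoring entry are what a third-party firewall leaves behind, and the script reports them so that can be confirmed. The enabled exceptions are the ones to prune: a `*` scope on an AOL, Yahoo or Messenger binary opens inbound connections from anywhere to whatever currently sits at that path.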


Pancake - 29-3-2008 at 05:49

Please turn your BBCode off for your next reply. You will find it just below the reply box....



We need to install your Recovery Console first.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System


(image: http://i254.photobucket.com/albums/hh103/velta911/KB310994.gif)


Download the file & save it as its originally named, next to ComboFix.exe.



(image: http://i254.photobucket.com/albums/hh103/velta911/rc1.gif)


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.


Redwolf5150 - 30-3-2008 at 18:13

Okay, got the recovery console dragged over to ComboFix.

Now whenever we try to start combo fix (using the "run" method above as clicking on it doesn't work) we get a pop-up saying

NIRCMD.COM application error.

Trend is also treating that file as a threat, apparently, and blocking it.

Now what?


Pancake - 30-3-2008 at 21:31

NIRCMD.COM is not a problem. Trend Micro will be picking this up as an unwanted tool. Just as a way of explanation.... It is an unfortunate choice of words for what it found, but in brief, a potentially unwanted tool is an application that began as a hacker tool or Trojan and is now used by legitimate programs to help detect malware. It is not a threat.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

Killall::

File::
C:\WINDOWS\Thumbs.db
C:\WINDOWS\system32\Thumbs.db

Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.


(image: http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif)

Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*


Redwolf5150 - 30-3-2008 at 23:15

How do you clear the first log it generated?

It won't let us access the new log, just keeps popping up the first log.



Pancake - 31-3-2008 at 02:08

There should be a log for each time it was run so you should be able to find the txt file and delete it..


Redwolf5150 - 31-3-2008 at 03:19

Quote:
Originally posted by Pancake
There should be a log for each time it was run so you should be able to find the txt file and delete it..


But it's saying we cannot access the log after we run it.

Then the first log pops up in the notepad window.



Pancake - 31-3-2008 at 04:01

Ok... let's fool it... Remove it and clear it with this..

This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below and click OK.

Quote:

ComboFix /u




Then download and do a scan with a new copy

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe