NvrBst

POPUps with IE

3 posts in this topic

My problem was similar to the one in the topic below, so I followed its instructions and it got rid of my "C:\WINDOWS\svchost.exe", which is good :) But I still get popups (the pop-up blocker usually blocks them, but it unfocuses my window for about 1 second while it does).

http://www.spywareinfoforum.com/index.php?sh...mp;#entry542730

Here's basically everything I did, in order.

 

Ran NOD32 Anti-Virus (Updated) - Found Nothing

Ran Lavasoft Ad-Aware SE Professional (Updated) - Found Minor (Green) Stuff

Ran TREND MICRO HouseCall 6.5 - It found 5 things and fixed them

Ran Spybot - S&D - It found 3 things and removed them... they kept coming back after restarts.


*Found that forum above with a similar problem to mine - followed its steps*

 

Ran Safe Mode > SDFix.exe

Ran Normal Mode > Clear All Cookies / TEMP Folders

Ran Normal Mode > Dr.Web CureIt

Ran Safe Mode > Hijack This (Removed 2 Entries)

-----O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\svchost.exe

-----O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\pmkkkk.dll",realset

Ran Safe Mode > OTMoveIt.exe ((Removed "C:\WINDOWS\svchost.exe"... Said File was Already Gone))

Ran Normal Mode > ComboFix© by sUBs

 

*Restarted* Ran Spybot - S&D. It found 1 thing wrong which it then removed.

*Restarted* Ran Spybot - S&D again. It found nothing.

 

TheJoker in the above topic asked for logfiles from the guy, so I'll post all the ones that got created in the steps I did, including the latest HijackThis at the end.

 

SDFix - Report.txt

SDFix: Version 1.85

Run by Administrator - 31/05/2007 - 12:46:13.93

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services: 






Restoring Windows Registry Values
Restoring Windows Default Hosts File 

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\svchost.exe - Deleted
C:\WINDOWS\system32\~.exe - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder 
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



							 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\SysReset\\mirc.exe"="C:\\Program Files\\SysReset\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Proxy Checker\\PCv7.exe"="C:\\Program Files\\Proxy Checker\\PCv7.exe:*:Enabled:Proxy Checker v7.4"
"C:\\Program Files\\MultiProxy\\MProxy.exe"="C:\\Program Files\\MultiProxy\\MProxy.exe:*:Enabled:MultiProxy personal proxy server"
"C:\\Program Files\\StarNet\\X-Win32 6.1\\xwin32.exe"="C:\\Program Files\\StarNet\\X-Win32 6.1\\xwin32.exe:*:Enabled:X-Win32 PC X Server"
"C:\\Program Files\\ProxyPlus\\ProxyPlus.exe"="C:\\Program Files\\ProxyPlus\\ProxyPlus.exe:*:Enabled:Proxy server & cache for Windows95, 98, NT"
"C:\\MATLAB701\\bin\\win32\\MATLAB.exe"="C:\\MATLAB701\\bin\\win32\\MATLAB.exe:*:Disabled:MATLAB"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"C:\\Program Files\\Datarescue Ida Pro [4.80.847 Advanced.Final.SSG-NoInstall]\\ida\\idag.exe"="C:\\Program Files\\Datarescue Ida Pro [4.80.847 Advanced.Final.SSG-NoInstall]\\ida\\idag.exe:*:Enabled:Interactive Disassembler (32-bit)"
"C:\\WINDOWS\\system32\\javaw.exe"="C:\\WINDOWS\\system32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\Program Files\\uTorrent [NoInstall]\\utorrent.exe"="C:\\Program Files\\uTorrent [NoInstall]\\utorrent.exe:*:Enabled:utorrent"
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe:*:Enabled:VNC Server Enterprise Edition for Win32"
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"="C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe:*:Enabled:VNC Viewer Enterprise Edition for Win32"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:MSI starter"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe:*:Enabled:MSI starter"
"C:\\Program Files\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"="C:\\Program Files\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme:*:Enabled:GunBound"
"C:\\Program Files\\Serv-U\\ServUDaemon.exe"="C:\\Program Files\\Serv-U\\ServUDaemon.exe:*:Enabled:Serv-U FTP Server"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin:*:Enabled:rakion"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\NEXON\\MapleStory\\Patcher.exe"="C:\\Program Files\\NEXON\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\NEXON\\MapleStory\\NewPatcher.exe"="C:\\Program Files\\NEXON\\MapleStory\\NewPatcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"D:\\wowclient-downloader.exe"="D:\\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\Repair.exe"="C:\\Program Files\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\WINDOWS\\svchost.exe"="C:\\WINDOWS\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\system32\7B772AC6E1.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\visualstudio\7.1\vs000223.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

							 Finished


DrWeb - Report.txt

tmp107C.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp1156.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp24F.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp2B9.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.DownLoader.19433;Deleted.;
tmp31D.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp37.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp455.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp456.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp459.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp46.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.DownLoader.19433;Deleted.;
tmp4E.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp567.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp580.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.DownLoader.19433;Deleted.;
tmp5ED.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp8B8.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.DownLoader.19433;Deleted.;
tmp8FA.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmpFD8.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmpFF2.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.DownLoader.19433;Deleted.;
0XPHGSCA.NQF;C:\Program Files\ESET\infected;Probably DLOADER.Trojan;;
IO30A2AA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Puce;Deleted.;
nmcogame.dll;C:\Program Files\LuniaGSP_CB;Probably DLOADER.Trojan;;
ServUDaemon.exe;C:\Program Files\Serv-U;Program.ServUServer.5210;;
mirc.exe;C:\Program Files\SysReset;Program.mIRC.61;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
HGStart9USA.exe;C:\WINDOWS\Downloaded Program Files;Probably DLOADER.Trojan;;

 

ComboFix.txt

"Never Best" - 2007-05-31 15:29:43	Service Pack 2  
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Never Best\Desktop\"


((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\tmp1156.tmp.dll"
"C:\WINDOWS\system32\tmp24F.tmp.dll"
"C:\WINDOWS\system32\tmp37.tmp.dll"
"C:\WINDOWS\system32\tmp455.tmp.dll"
"C:\WINDOWS\system32\tmp456.tmp.dll"
"C:\WINDOWS\system32\tmp567.tmp.dll"
"C:\WINDOWS\system32\tmp5ED.tmp.dll"
"C:\WINDOWS\system32\tmpFD8.tmp.dll"


(((((((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm


(((((((((((((((((((((((((((((((   Files Created from 2007-04-28 to 2007-05-31  ))))))))))))))))))))))))))))))))))


2007-05-31 13:06	<DIR>	d--------	C:\Documents and Settings\Never Best\DoctorWeb
2007-05-31 13:06	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\DoctorWeb
2007-05-31 12:40	786,432	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-31 11:32	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-31 02:39	106,431	--a------	C:\WINDOWS\pmkkkk.dll
2007-05-31 02:13	<DIR>	d--------	C:\Documents and Settings\Never Best\.housecall6.6
2007-05-31 02:13	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\.housecall6.6
2007-05-30 23:57	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\APPLIC~1\Uniblue
2007-05-30 23:56	<DIR>	d--------	C:\Program Files\Uniblue
2007-05-30 23:35	<DIR>	d--------	C:\Program Files\QuickTime
2007-05-30 18:00	106,482	--a------	C:\WINDOWS\ddaxwt.dll
2007-05-30 15:22	58,796	--a------	C:\WINDOWS\rrhtt.exe
2007-05-30 15:22	37,535	--a------	C:\WINDOWS\system32\arpdex.dll
2007-05-30 15:22	12,010	--a------	C:\WINDOWS\system32\pmnnopn.dll
2007-05-30 14:06	<DIR>	d--------	C:\Program Files\CCleaner
2007-05-24 20:22	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nexon
2007-05-24 13:12	<DIR>	d--------	C:\Program Files\LuniaGSP_CB
2007-05-16 15:06	<DIR>	d--------	C:\Program Files\Google
2007-05-16 15:06	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\APPLIC~1\Google
2007-05-10 14:06	<DIR>	d--------	C:\Program Files\Common Files\Blizzard Entertainment
2007-05-09 20:59	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\APPLIC~1\IGN_DLM
2007-05-08 21:55	<DIR>	d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-02 20:34	<DIR>	d--------	C:\Program Files\Nexon
2007-05-02 19:28	<DIR>	d--h-----	C:\WINDOWS\HUL
2007-04-16 02:20	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\APPLIC~1\HP
2007-04-16 02:18	<DIR>	d--------	C:\Program Files\Common Files\HP
2007-04-16 02:16	<DIR>	d--------	C:\Program Files\Hewlett-Packard
2007-04-16 02:15	77,824	-ra------	C:\WINDOWS\system32\HPZIDS01.dll
2007-04-16 02:15	38,400	--a------	C:\WINDOWS\system32\hpz3l054.dll
2007-04-16 02:12	94,208	--a------	C:\WINDOWS\system32\HPZipt12.dll
2007-04-16 02:12	69,632	--a------	C:\WINDOWS\system32\HPZipm12.exe
2007-04-16 02:12	65,536	--a------	C:\WINDOWS\system32\HPZinw12.exe
2007-04-16 02:12	57,344	--a------	C:\WINDOWS\system32\HPZisn12.dll
2007-04-16 02:12	282,680	--a------	C:\WINDOWS\system32\HPZidr12.dll
2007-04-16 02:12	204,800	--a------	C:\WINDOWS\system32\HPZipr12.dll
2007-04-16 02:10	<DIR>	d--------	C:\Program Files\HP
2007-04-16 02:00	117,129	--a------	C:\WINDOWS\hpoins11.dat
2007-04-01 18:25	<DIR>	d--------	C:\Program Files\Combined Community Codec Pack


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-31 09:04:30	--------	d-----w	C:\DOCUME~1\NEVERB~1\APPLIC~1\uTorrent
2007-05-31 06:34:36	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-05-29 22:11:53	--------	d-----w	C:\Program Files\Serv-U
2007-05-16 06:01:04	--------	d-----w	C:\DOCUME~1\NEVERB~1\APPLIC~1\POP Peeper
2007-05-09 06:42:25	--------	d-----w	C:\Program Files\Cheat Engine
2007-05-07 22:14:40	--------	d-----w	C:\Program Files\SysReset
2007-05-07 20:50:25	--------	d-----w	C:\Program Files\Emulation
2007-05-03 20:05:58	--------	d-----w	C:\Program Files\POP Peeper
2007-04-23 04:22:15	--------	d-----w	C:\Program Files\1 to 4a Renamer [NoInstall]
2007-04-18 20:49:55	--------	d-----w	C:\Program Files\Macro Express3
2007-04-18 16:12:23	2,854,400	----a-w	C:\WINDOWS\system32\msi.dll
2007-04-05 18:56:01	6,784	----a-w	C:\WINDOWS\system32\drivers\scsk4.sys
2007-03-31 04:01:35	--------	d-----w	C:\Program Files\Microsoft Works
2007-03-23 13:07:56	1,683,280	------w	C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 13:07:54	583,504	------w	C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 03:25:02	124,928	------w	C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01	292,864	----a-w	C:\WINDOWS\system32\winsrv.dll
2007-03-15 02:19:56	95,864	----a-w	C:\WINDOWS\system32\NeroCo.dll
2007-03-08 15:36:28	577,536	----a-w	C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28	40,960	----a-w	C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28	281,600	----a-w	C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48	1,843,584	----a-w	C:\WINDOWS\system32\win32k.sys
2005-10-18 06:15:10	80	--sh--r	C:\WINDOWS\system32\7B772AC6E1.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{eef33a30-5cf7-4339-a11c-05bde745e9c2}=C:\WINDOWS\system32\arpdex.dll [2007-05-30 15:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-01-21 20:30]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"POP Peeper"="C:\Program Files\POP Peeper\POPPeeper.exe" [2006-11-15 21:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arpdex]
arpdex.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\pmnnopn.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-31 15:42:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-31 15:47:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-31 15:47

--- E O F ---

 

ComboFix-quarantined-files.txt

2007-05-30 17:55	  39262	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp24F.tmp.dll.vir
2007-05-30 18:14	  39262	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp567.tmp.dll.vir
2007-05-30 23:55	  39283	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmpFD8.tmp.dll.vir
2007-05-31 00:02	  39283	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp1156.tmp.dll.vir
2007-05-31 01:57	  39120	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp37.tmp.dll.vir
2007-05-31 02:24	  39120	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp455.tmp.dll.vir
2007-05-31 02:24	  39120	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp456.tmp.dll.vir
2007-05-31 02:35	  39283	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp5ED.tmp.dll.vir
2007-05-31 15:39	  1302	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NM.reg.cf
2007-05-31 15:39	  276	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf
2007-05-31 15:39	  7020	--a------	C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf


Folder PATH listing
Volume serial number is 34BD-B271
C:\QOOBOX
\---Quarantine
+---C
|   \---WINDOWS
|	   \---system32
|			   tmp1156.tmp.dll.vir
|			   tmp24F.tmp.dll.vir
|			   tmp37.tmp.dll.vir
|			   tmp455.tmp.dll.vir
|			   tmp456.tmp.dll.vir
|			   tmp567.tmp.dll.vir
|			   tmp5ED.tmp.dll.vir
|			   tmpFD8.tmp.dll.vir
|			   
\---Registry_backups
		LEGACY_NM.reg.cf
		LEGACY_NPF.reg.cf
		services_nm.reg.cf

 

Latest HijackThis.txt (done; no other scans after this)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:44:50 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
D:\!SpyWare Rem\HiJackThis_v2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.94.33.10:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {eef33a30-5cf7-4339-a11c-05bde745e9c2} - C:\WINDOWS\system32\arpdex.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {483912CF-8995-4434-AD61-6163756E05DF} - http://download.livemath.com/activex/AXTNS.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125745758890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131501136546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1470001B-724D-4EBA-B939-294990C99E84}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: c:\windows\system32\pmnnopn.dll
O20 - Winlogon Notify: arpdex - C:\WINDOWS\SYSTEM32\arpdex.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7559 bytes

Edited by NvrBst


Very sorry :) Problem got fixed by applying the following RegKeys

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arpdex]

 

and OTMoveIt-ing the following

c:\windows\system32\pmnnopn.dll

C:\WINDOWS\SYSTEM32\arpdex.dll

 

 

Thanks :)

 

 

EDIT:

--------------Also removed HijackThis Entries--------------

O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp704.tmp.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {eef33a30-5cf7-4339-a11c-05bde745e9c2} - C:\WINDOWS\system32\arpdex.dll (file missing)

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\urrsss.dll",realset

O20 - AppInit_DLLs: c:\windows\system32\pmnnopn.dll

O20 - Winlogon Notify: arpdex - arpdex.dll (file missing)

 

--------------And OTMoveIt--------------

C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp704.tmp.exe

C:\WINDOWS\system32\tmp704.tmp.dll

C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp70F.tmp.exe

C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp706.tmp.exe

C:\WINDOWS\urrsss.dll

C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp1C0.tmp.exe

C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp26F.tmp.exe

C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp26D.tmp.exe

C:\WINDOWS\khefca.dll

C:\WINDOWS\pmkkkk.dll

C:\WINDOWS\ddaxwt.dll

C:\WINDOWS\rrhtt.exe

C:\WINDOWS\urrsss.dll

 

And ran another ComboFix

Edited by NvrBst
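Once the Run entry and C:\WINDOWS\svchost.exe were gone, the popups survived on the O20 AppInit_DLLs and Winlogon Notify loaders and a nameless BHO, which is exactly what the final fix above clears. As an added example, not code from this thread or from HijackThis, here is a Python triage of HijackThis-format lines that flags those persistence locations; the sample log and the rule set are constructed from this thread's own entries and assume the standard HijackThis line layout.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis log format, modelled on entries from this thread:
# two benign lines (Java BHO, NOD32 Run entry) for contrast, then the entries the
# thread ends up removing.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {eef33a30-5cf7-4339-a11c-05bde745e9c2} - C:\WINDOWS\system32\arpdex.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\pmkkkk.dll",realset
O20 - AppInit_DLLs: c:\windows\system32\pmnnopn.dll
O20 - Winlogon Notify: arpdex - C:\WINDOWS\SYSTEM32\arpdex.dll
"""

# One regex per HijackThis entry type that this thread's logs contain.
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$')

# A quoted path, or a bare drive-rooted path without spaces, inside a Run command line.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\\S+)')
# A file sitting directly in the Windows folder (C:\WINDOWS\foo.dll), not in a subfolder.
WIN_ROOT_RE = re.compile(r'^[A-Za-z]:\\windows\\[^\\]+\.(?:exe|dll)$', re.IGNORECASE)
# Core Windows process names that legitimately live only in system32.
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'smss.exe'}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _file_reasons(path):
    """Return the reasons a referenced file looks wrong for an autostart entry."""
    p = path.strip().strip('"')
    low = p.lower()
    if low == '(no file)' or '(file missing)' in low:
        return ['points at a file that no longer exists (orphaned entry)']
    reasons = []
    if WIN_ROOT_RE.match(p):
        reasons.append('binary placed directly in the Windows folder, where system binaries do not live')
    parts = p.split('\\')
    base = parts[-1].lower()
    parent = parts[-2].lower() if len(parts) >= 2 else ''
    if base in SYSTEM_NAMES and parent != 'system32':
        reasons.append(f'{base} outside system32 impersonates a Windows process')
    return reasons


def triage(log_text):
    """Flag O2/O4/O20 HijackThis entries using the persistence locations seen in this thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if (m := BHO_RE.match(line)):
            if m['name'] == '(no name)':
                reasons.append('BHO registered without a name')
            reasons += _file_reasons(m['path'])
        elif (m := RUN_RE.match(line)):
            if 'rundll32' in m['cmd'].lower():
                reasons.append('rundll32 used to start a DLL export at logon')
            for quoted, bare in PATH_RE.findall(m['cmd']):
                reasons += _file_reasons(quoted or bare)
        elif (m := APPINIT_RE.match(line)) and m['dlls'].strip():
            # On XP every process that loads user32.dll also loads whatever is listed here.
            reasons.append('AppInit_DLLs is set: every user32-linked process loads ' + m['dlls'].strip())
        elif NOTIFY_RE.match(line):
            reasons.append('Winlogon Notify package runs inside winlogon.exe at every logon '
                           '(HijackThis normally hides the default XP packages)')
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print('    ->', r)
```

The two benign lines pass untouched; the six entries the thread removed are each flagged with the reason a helper would give.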


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]
