POPUps with IE



#1 NvrBst (Full Member, 2 posts)

Posted 31 May 2007 - 08:56 PM

My problem was similar to the one in the topic below, so I followed its instructions and it got rid of my "C:\WINDOWS\svchost.exe", which is good :) But I still get pop-ups (the pop-up blocker usually blocks them, but it unfocuses my window for about 1 second while it does).

http://www.spywarein...mp;#entry542730

Here's basically everything I did, in order.

Ran NOD32 Anti-Virus (Updated) - Found Nothing
Ran Lavasoft Ad-Aware SE Professional (Updated) - Found Minor (Green) Stuff
Ran TREND MICRO HouseCall 6.5 - It found 5 things and fixed them
Ran Spybot - S&D - It found 3 things and removed... they kept coming back after restarts.

*Found that forum topic above with a similar problem to mine - followed its steps*

Ran Safe Mode > SDFix.exe
Ran Normal Mode > Clear All Cookies / TEMP Folders
Ran Normal Mode > Dr.Web CureIt
Ran Safe Mode > Hijack This (Removed 2 Entries)
-----O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\svchost.exe
-----O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\pmkkkk.dll",realset
Ran Safe Mode > OTMoveIt.exe (removed "C:\WINDOWS\svchost.exe"... said the file was already gone)
Ran Normal Mode > ComboFix© by sUBs

*Restarted* Ran Spybot - S&D. It found 1 thing wrong which it then removed.
*Restarted* Ran Spybot - S&D again. It found nothing.

TheJoker in the above topic asked the guy for logfiles, so I'll post all the ones that got created in the steps I did, including the latest HijackThis log at the end.

SDFix - Report.txt
SDFix: Version 1.85

Run by Administrator - 31/05/2007 - 12:46:13.93

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services: 






Restoring Windows Registry Values
Restoring Windows Default Hosts File 

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\svchost.exe - Deleted
C:\WINDOWS\system32\~.exe - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder 
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



								 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\SysReset\\mirc.exe"="C:\\Program Files\\SysReset\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Proxy Checker\\PCv7.exe"="C:\\Program Files\\Proxy Checker\\PCv7.exe:*:Enabled:Proxy Checker v7.4"
"C:\\Program Files\\MultiProxy\\MProxy.exe"="C:\\Program Files\\MultiProxy\\MProxy.exe:*:Enabled:MultiProxy personal proxy server"
"C:\\Program Files\\StarNet\\X-Win32 6.1\\xwin32.exe"="C:\\Program Files\\StarNet\\X-Win32 6.1\\xwin32.exe:*:Enabled:X-Win32 PC X Server"
"C:\\Program Files\\ProxyPlus\\ProxyPlus.exe"="C:\\Program Files\\ProxyPlus\\ProxyPlus.exe:*:Enabled:Proxy server & cache for Windows95, 98, NT"
"C:\\MATLAB701\\bin\\win32\\MATLAB.exe"="C:\\MATLAB701\\bin\\win32\\MATLAB.exe:*:Disabled:MATLAB"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"C:\\Program Files\\Datarescue Ida Pro [4.80.847 Advanced.Final.SSG-NoInstall]\\ida\\idag.exe"="C:\\Program Files\\Datarescue Ida Pro [4.80.847 Advanced.Final.SSG-NoInstall]\\ida\\idag.exe:*:Enabled:Interactive Disassembler (32-bit)"
"C:\\WINDOWS\\system32\\javaw.exe"="C:\\WINDOWS\\system32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\Program Files\\uTorrent [NoInstall]\\utorrent.exe"="C:\\Program Files\\uTorrent [NoInstall]\\utorrent.exe:*:Enabled:utorrent"
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe:*:Enabled:VNC Server Enterprise Edition for Win32"
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"="C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe:*:Enabled:VNC Viewer Enterprise Edition for Win32"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:MSI starter"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe:*:Enabled:MSI starter"
"C:\\Program Files\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"="C:\\Program Files\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme:*:Enabled:GunBound"
"C:\\Program Files\\Serv-U\\ServUDaemon.exe"="C:\\Program Files\\Serv-U\\ServUDaemon.exe:*:Enabled:Serv-U FTP Server"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin:*:Enabled:rakion"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\NEXON\\MapleStory\\Patcher.exe"="C:\\Program Files\\NEXON\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\NEXON\\MapleStory\\NewPatcher.exe"="C:\\Program Files\\NEXON\\MapleStory\\NewPatcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"D:\\wowclient-downloader.exe"="D:\\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\Repair.exe"="C:\\Program Files\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\WINDOWS\\svchost.exe"="C:\\WINDOWS\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\system32\7B772AC6E1.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\visualstudio\7.1\vs000223.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

								 Finished


DrWeb - Report.txt
tmp107C.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp1156.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp24F.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp2B9.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.DownLoader.19433;Deleted.;
tmp31D.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp37.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp455.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp456.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp459.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp46.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.DownLoader.19433;Deleted.;
tmp4E.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp567.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp580.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.DownLoader.19433;Deleted.;
tmp5ED.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmp8B8.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.DownLoader.19433;Deleted.;
tmp8FA.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmpFD8.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.Packed.49;Deleted.;
tmpFF2.tmp.exe;C:\Documents and Settings\Never Best\Application Data;Trojan.DownLoader.19433;Deleted.;
0XPHGSCA.NQF;C:\Program Files\ESET\infected;Probably DLOADER.Trojan;;
IO30A2AA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Puce;Deleted.;
nmcogame.dll;C:\Program Files\LuniaGSP_CB;Probably DLOADER.Trojan;;
ServUDaemon.exe;C:\Program Files\Serv-U;Program.ServUServer.5210;;
mirc.exe;C:\Program Files\SysReset;Program.mIRC.61;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
HGStart9USA.exe;C:\WINDOWS\Downloaded Program Files;Probably DLOADER.Trojan;;

ComboFix.txt
"Never Best" - 2007-05-31 15:29:43	Service Pack 2  
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Never Best\Desktop\"


((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\tmp1156.tmp.dll"
"C:\WINDOWS\system32\tmp24F.tmp.dll"
"C:\WINDOWS\system32\tmp37.tmp.dll"
"C:\WINDOWS\system32\tmp455.tmp.dll"
"C:\WINDOWS\system32\tmp456.tmp.dll"
"C:\WINDOWS\system32\tmp567.tmp.dll"
"C:\WINDOWS\system32\tmp5ED.tmp.dll"
"C:\WINDOWS\system32\tmpFD8.tmp.dll"


(((((((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm


(((((((((((((((((((((((((((((((   Files Created from 2007-04-28 to 2007-05-31  ))))))))))))))))))))))))))))))))))


2007-05-31 13:06	<DIR>	d--------	C:\Documents and Settings\Never Best\DoctorWeb
2007-05-31 13:06	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\DoctorWeb
2007-05-31 12:40	786,432	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-31 11:32	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-31 02:39	106,431	--a------	C:\WINDOWS\pmkkkk.dll
2007-05-31 02:13	<DIR>	d--------	C:\Documents and Settings\Never Best\.housecall6.6
2007-05-31 02:13	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\.housecall6.6
2007-05-30 23:57	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\APPLIC~1\Uniblue
2007-05-30 23:56	<DIR>	d--------	C:\Program Files\Uniblue
2007-05-30 23:35	<DIR>	d--------	C:\Program Files\QuickTime
2007-05-30 18:00	106,482	--a------	C:\WINDOWS\ddaxwt.dll
2007-05-30 15:22	58,796	--a------	C:\WINDOWS\rrhtt.exe
2007-05-30 15:22	37,535	--a------	C:\WINDOWS\system32\arpdex.dll
2007-05-30 15:22	12,010	--a------	C:\WINDOWS\system32\pmnnopn.dll
2007-05-30 14:06	<DIR>	d--------	C:\Program Files\CCleaner
2007-05-24 20:22	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nexon
2007-05-24 13:12	<DIR>	d--------	C:\Program Files\LuniaGSP_CB
2007-05-16 15:06	<DIR>	d--------	C:\Program Files\Google
2007-05-16 15:06	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\APPLIC~1\Google
2007-05-10 14:06	<DIR>	d--------	C:\Program Files\Common Files\Blizzard Entertainment
2007-05-09 20:59	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\APPLIC~1\IGN_DLM
2007-05-08 21:55	<DIR>	d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-02 20:34	<DIR>	d--------	C:\Program Files\Nexon
2007-05-02 19:28	<DIR>	d--h-----	C:\WINDOWS\HUL
2007-04-16 02:20	<DIR>	d--------	C:\DOCUME~1\NEVERB~1\APPLIC~1\HP
2007-04-16 02:18	<DIR>	d--------	C:\Program Files\Common Files\HP
2007-04-16 02:16	<DIR>	d--------	C:\Program Files\Hewlett-Packard
2007-04-16 02:15	77,824	-ra------	C:\WINDOWS\system32\HPZIDS01.dll
2007-04-16 02:15	38,400	--a------	C:\WINDOWS\system32\hpz3l054.dll
2007-04-16 02:12	94,208	--a------	C:\WINDOWS\system32\HPZipt12.dll
2007-04-16 02:12	69,632	--a------	C:\WINDOWS\system32\HPZipm12.exe
2007-04-16 02:12	65,536	--a------	C:\WINDOWS\system32\HPZinw12.exe
2007-04-16 02:12	57,344	--a------	C:\WINDOWS\system32\HPZisn12.dll
2007-04-16 02:12	282,680	--a------	C:\WINDOWS\system32\HPZidr12.dll
2007-04-16 02:12	204,800	--a------	C:\WINDOWS\system32\HPZipr12.dll
2007-04-16 02:10	<DIR>	d--------	C:\Program Files\HP
2007-04-16 02:00	117,129	--a------	C:\WINDOWS\hpoins11.dat
2007-04-01 18:25	<DIR>	d--------	C:\Program Files\Combined Community Codec Pack


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-31 09:04:30	--------	d-----w	C:\DOCUME~1\NEVERB~1\APPLIC~1\uTorrent
2007-05-31 06:34:36	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-05-29 22:11:53	--------	d-----w	C:\Program Files\Serv-U
2007-05-16 06:01:04	--------	d-----w	C:\DOCUME~1\NEVERB~1\APPLIC~1\POP Peeper
2007-05-09 06:42:25	--------	d-----w	C:\Program Files\Cheat Engine
2007-05-07 22:14:40	--------	d-----w	C:\Program Files\SysReset
2007-05-07 20:50:25	--------	d-----w	C:\Program Files\Emulation
2007-05-03 20:05:58	--------	d-----w	C:\Program Files\POP Peeper
2007-04-23 04:22:15	--------	d-----w	C:\Program Files\1 to 4a Renamer [NoInstall]
2007-04-18 20:49:55	--------	d-----w	C:\Program Files\Macro Express3
2007-04-18 16:12:23	2,854,400	----a-w	C:\WINDOWS\system32\msi.dll
2007-04-05 18:56:01	6,784	----a-w	C:\WINDOWS\system32\drivers\scsk4.sys
2007-03-31 04:01:35	--------	d-----w	C:\Program Files\Microsoft Works
2007-03-23 13:07:56	1,683,280	------w	C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 13:07:54	583,504	------w	C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 03:25:02	124,928	------w	C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01	292,864	----a-w	C:\WINDOWS\system32\winsrv.dll
2007-03-15 02:19:56	95,864	----a-w	C:\WINDOWS\system32\NeroCo.dll
2007-03-08 15:36:28	577,536	----a-w	C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28	40,960	----a-w	C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28	281,600	----a-w	C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48	1,843,584	----a-w	C:\WINDOWS\system32\win32k.sys
2005-10-18 06:15:10	80	--sh--r	C:\WINDOWS\system32\7B772AC6E1.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{eef33a30-5cf7-4339-a11c-05bde745e9c2}=C:\WINDOWS\system32\arpdex.dll [2007-05-30 15:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-01-21 20:30]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"POP Peeper"="C:\Program Files\POP Peeper\POPPeeper.exe" [2006-11-15 21:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arpdex]
arpdex.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\pmnnopn.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
	

Contents of the 'Scheduled Tasks' folder

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-31 15:42:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-31 15:47:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-31 15:47

	--- E O F ---

ComboFix-quarantined-files.txt
2007-05-30 17:55	  39262	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp24F.tmp.dll.vir
2007-05-30 18:14	  39262	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp567.tmp.dll.vir
2007-05-30 23:55	  39283	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmpFD8.tmp.dll.vir
2007-05-31 00:02	  39283	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp1156.tmp.dll.vir
2007-05-31 01:57	  39120	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp37.tmp.dll.vir
2007-05-31 02:24	  39120	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp455.tmp.dll.vir
2007-05-31 02:24	  39120	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp456.tmp.dll.vir
2007-05-31 02:35	  39283	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp5ED.tmp.dll.vir
2007-05-31 15:39	  1302	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NM.reg.cf
2007-05-31 15:39	  276	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf
2007-05-31 15:39	  7020	--a------	C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf


Folder PATH listing
Volume serial number is 34BD-B271
C:\QOOBOX
\---Quarantine
	+---C
	|   \---WINDOWS
	|	   \---system32
	|			   tmp1156.tmp.dll.vir
	|			   tmp24F.tmp.dll.vir
	|			   tmp37.tmp.dll.vir
	|			   tmp455.tmp.dll.vir
	|			   tmp456.tmp.dll.vir
	|			   tmp567.tmp.dll.vir
	|			   tmp5ED.tmp.dll.vir
	|			   tmpFD8.tmp.dll.vir
	|			   
	\---Registry_backups
			LEGACY_NM.reg.cf
			LEGACY_NPF.reg.cf
			services_nm.reg.cf
			

Latest HijackThis.txt (done; no other scans after this)
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:44:50 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
D:\!SpyWare Rem\HiJackThis_v2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.94.33.10:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {eef33a30-5cf7-4339-a11c-05bde745e9c2} - C:\WINDOWS\system32\arpdex.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {483912CF-8995-4434-AD61-6163756E05DF} - http://download.livemath.com/activex/AXTNS.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125745758890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131501136546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1470001B-724D-4EBA-B939-294990C99E84}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: c:\windows\system32\pmnnopn.dll
O20 - Winlogon Notify: arpdex - C:\WINDOWS\SYSTEM32\arpdex.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7559 bytes

Edited by NvrBst, 31 May 2007 - 08:59 PM.


#2 NvrBst (Full Member, 2 posts)

Posted 31 May 2007 - 10:10 PM

Very sorry :) The problem got fixed by applying the following RegKeys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arpdex]

and OTMoveIt-ing the following
c:\windows\system32\pmnnopn.dll
C:\WINDOWS\SYSTEM32\arpdex.dll


Thanks :)


EDIT:
--------------Also removed HijackThis Entries--------------
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp704.tmp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {eef33a30-5cf7-4339-a11c-05bde745e9c2} - C:\WINDOWS\system32\arpdex.dll (file missing)
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\urrsss.dll",realset
O20 - AppInit_DLLs: c:\windows\system32\pmnnopn.dll
O20 - Winlogon Notify: arpdex - arpdex.dll (file missing)

--------------And OTMoveIt--------------
C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp704.tmp.exe
C:\WINDOWS\system32\tmp704.tmp.dll
C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp70F.tmp.exe
C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp706.tmp.exe
C:\WINDOWS\urrsss.dll
C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp1C0.tmp.exe
C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp26F.tmp.exe
C:\DOCUME~1\NEVERB~1\APPLIC~1\tmp26D.tmp.exe
C:\WINDOWS\khefca.dll
C:\WINDOWS\pmkkkk.dll
C:\WINDOWS\ddaxwt.dll
C:\WINDOWS\rrhtt.exe
C:\WINDOWS\urrsss.dll

And ran another ComboFix

Edited by NvrBst, 31 May 2007 - 11:46 PM.
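The two posts above show which HijackThis entries had to be cleaned by hand: a nameless O2 BHO, an O4 Run key that hands rundll32 a DLL sitting directly in C:\WINDOWS, an O20 AppInit_DLLs value, and an O20 Winlogon Notify package. The first HijackThis log also carries an R1 entry setting the IE ProxyServer to 85.94.33.10:80, which neither post mentions; a proxy pointing outside the local network is worth checking on a machine that was just serving pop-ups, because it routes every IE request through that host. The script below is an added triage helper, not part of the thread and not from HijackThis itself, that flags exactly those line types in a saved HijackThis log. The sample lines are copied from the logs posted above (plus a benign Adobe BHO and NOD32 Run entry for contrast); the Winlogon Notify allowlist is an assumption about a stock XP SP2 install, and the rules are heuristics that surface lines for review rather than declare them malicious.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the logs posted in this thread,
# plus two ordinary entries (Adobe BHO, NOD32 Run key) so the benign path is exercised.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.94.33.10:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {eef33a30-5cf7-4339-a11c-05bde745e9c2} - C:\WINDOWS\system32\arpdex.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\pmkkkk.dll",realset
O20 - AppInit_DLLs: c:\windows\system32\pmnnopn.dll
O20 - Winlogon Notify: arpdex - C:\WINDOWS\SYSTEM32\arpdex.dll
"""

# Winlogon Notify subkeys present on a stock Windows XP SP2 install
# (assumption; extend with known-good third-party packages for your image).
DEFAULT_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Run entries that hand rundll32 a DLL sitting directly in C:\WINDOWS (not system32).
RUNDLL_WINDIR_ROOT = re.compile(r'rundll32(\.exe)?\s+"?c:\\windows\\[^\\"]+\.dll', re.IGNORECASE)


@dataclass
class Finding:
    tag: str       # HijackThis section, e.g. "O20"
    line: str      # the original log line
    reason: str    # why it was flagged


def external_proxy(proxy_value: str) -> bool:
    """True if an IE ProxyServer value points outside loopback/private ranges.

    A hostname cannot be classified offline, so it is surfaced for review as well.
    """
    host = proxy_value.rsplit(":", 1)[0].strip()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (addr.is_private or addr.is_loopback)


def triage(log_text: str) -> list:
    """Return the HijackThis lines matching the persistence/hijack patterns seen in this thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        tag = line.split(" - ", 1)[0]
        low = line.lower()

        if tag == "R1" and "proxyserver = " in low:
            value = line.split("=", 1)[1]
            if external_proxy(value):
                findings.append(Finding(tag, line, "IE proxy set to a non-local address"))
        elif tag == "O2" and "(no name)" in low:
            findings.append(Finding(tag, line, "Browser Helper Object with no name"))
        elif tag == "O4" and RUNDLL_WINDIR_ROOT.search(line):
            findings.append(Finding(tag, line, "Run key loads a DLL from the Windows root via rundll32"))
        elif tag == "O20" and low.startswith("o20 - appinit_dlls:"):
            findings.append(Finding(tag, line, "AppInit_DLLs is populated (loaded into every user32 process)"))
        elif tag == "O20" and low.startswith("o20 - winlogon notify:"):
            name = low.split("winlogon notify:", 1)[1].split(" - ", 1)[0].strip()
            if name not in DEFAULT_WINLOGON_NOTIFY:
                findings.append(Finding(tag, line, f"Winlogon Notify package '{name}' is not an XP default"))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; pass a real log's text to triage() for a saved scan.
    for f in triage(SAMPLE_LOG):
        print(f"[{f.tag}] {f.reason}\n    {f.line}")
```

On the sample above the script reports five lines (the proxy, the nameless BHO, the rundll32 Run key, and both O20 entries) and stays silent on the Adobe BHO and the NOD32 Run key. The O20 checks are the ones that matter most for the symptom in this thread: AppInit_DLLs and Winlogon Notify both load a DLL into processes at logon, which is why the files kept reappearing until those two registry values were cleared in post #2.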


#3 SWI Support Robot (Helper robot, 23,523 posts)

Posted 03 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.



