random popups using internet explorer


This topic is locked
9 replies to this topic

#1 B3n Mann
    Member (Full Member, 4 posts)

Posted 14 June 2007 - 10:28 AM

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:14:07 AM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashSimp2.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [j7261536] rundll32 C:\WINNT\system32\j7261536.dll sook
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINNT\system32\iymqrnof.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?e79561b196f4dde8769de2ac541388
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?e79561b196f4dde8769de2ac541388
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\DOCUME~1\Owner\Desktop\em\NEWFOL~1\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.ade...TESTACTIVEX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A806C19-90FC-4EE3-8AA2-F26077A3DEEB}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

I've tried Avast!, Ad-Aware SE, Spybot S&D; Avast! found some trojans but other than that I still have these random popups. I've switched to Firefox but they still come up on IE7. I disabled all the ActiveX controls from IE7, disabled cookies, the works, but I still get the popups. What should I do?

Ben

#2 SWI Support Robot
    Helper robot (SWI Bot, 23,523 posts)

Posted 17 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 miekiemoes
    Malware Expert (Global Moderator, 20,026 posts)

Posted 18 June 2007 - 03:47 PM

Hello,

The current formatting of your log makes it difficult to read, so in Notepad:
on the menu bar, click Format and uncheck Word Wrap.

Then download ComboFix to your desktop.
Double-click ComboFix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after the reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 B3n Mann
    Member (Full Member, 4 posts)

Posted 18 June 2007 - 11:28 PM

Here's the combofix log:

ComboFix 07-06-13.7 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-18 23:54:57 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\ekhahmnv.dll
C:\WINNT\system32\lqurcgid.dll
C:\WINNT\system32\mxtunqcn.dll
C:\WINNT\system32\okayimab.dll
C:\WINNT\system32\spncixuq.dll
C:\WINNT\system32\vnmhahke.ini
C:\WINNT\system32\digcruql.ini
C:\WINNT\system32\bamiyako.ini
C:\WINNT\system32\quxicnps.ini
C:\WINNT\system32\svyay.bak1
C:\WINNT\system32\svyay.bak2

C:\WINNT\system32\svyay.ini
C:\WINNT\system32\svyay.ini2
C:\WINNT\system32\svyay.tmp
C:\WINNT\system32\svyay.bak1
C:\WINNT\system32\svyay.bak2
C:\WINNT\system32\svyay.ini
C:\WINNT\system32\svyay.ini2
C:\WINNT\system32\svyay.tmp
C:\WINNT\system32\svyay.bak1
C:\WINNT\system32\svyay.bak2
C:\WINNT\system32\svyay.ini
C:\WINNT\system32\svyay.ini2
C:\WINNT\system32\svyay.tmp
C:\WINNT\system32\yayvs.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\T7PGQCLC\www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\17O7
C:\Temp\17O7\tmpTF.log
C:\WINNT\cs_cache.ini
C:\WINNT\system32\smpi1
C:\WINNT\system32\wnsxs~1
C:\WINNT\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))


2007-06-19 00:09 33,848 --a------ C:\WINNT\system32\drivers\sbapifs.sys
2007-06-18 23:50 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-18 10:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-18 10:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-17 23:33 76,560 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-06-17 22:33 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-06-17 14:11 0 --a------ C:\WINNT\system32\SBRC.dat
2007-06-17 14:11 0 --a------ C:\WINNT\system32\SBFC.dat
2007-06-17 14:06 15,544 --a------ C:\WINNT\system32\drivers\sbhr.sys
2007-06-17 13:58 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-06-17 13:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-06-17 13:43 <DIR> d-------- C:\windows
2007-06-17 13:33 172,544 --a------ C:\WINNT\system32\ewktent.dll
2007-06-17 13:33 <DIR> d-------- C:\WINNT\system32\win
2007-06-17 13:33 <DIR> d-------- C:\WINNT\system32\S7
2007-06-17 13:33 <DIR> d-------- C:\WINNT\system32\S6
2007-06-17 13:33 <DIR> d-------- C:\WINNT\system32\S4
2007-06-17 13:33 <DIR> d-------- C:\WINNT\system32\S1
2007-06-17 13:33 <DIR> d-------- C:\WINNT\system32\S0
2007-06-17 13:32 <DIR> d-------- C:\WINNT\system32\o02PrEz
2007-06-17 13:32 <DIR> d-------- C:\Temp\iee
2007-06-16 17:09 55,316 --a------ C:\WINNT\system32\bkauwtwn.dll
2007-06-16 16:57 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-06-15 20:14 <DIR> d-------- C:\Program Files\AP Tuner
2007-06-13 23:00 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2007-06-13 23:00 <DIR> d-------- C:\Program Files\DScaler5
2007-06-13 23:00 <DIR> d-------- C:\Program Files\CD Audio Reader Filter
2007-06-13 22:59 <DIR> d-------- C:\Program Files\SHOUTcast Source
2007-06-13 22:59 <DIR> d-------- C:\Program Files\RealMedia
2007-06-13 22:58 <DIR> d-------- C:\Program Files\Haali
2007-06-13 22:58 <DIR> d-------- C:\Program Files\DS-MP3 Source
2007-06-13 22:57 <DIR> d-------- C:\Program Files\Zoom Player
2007-06-13 22:57 <DIR> d-------- C:\Program Files\DirectVobSub
2007-06-13 21:44 95,872 --a------ C:\WINNT\system32\AvastSS.scr
2007-06-13 21:44 94,552 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2007-06-13 21:44 85,952 --a------ C:\WINNT\system32\drivers\aswmon.sys
2007-06-13 21:44 43,176 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2007-06-13 21:44 26,888 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2007-06-13 21:44 23,416 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2007-06-13 21:43 745,600 --a------ C:\WINNT\system32\aswBoot.exe
2007-06-13 21:43 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-13 19:53 62,516 --a------ C:\WINNT\system32\hrphcnel.dll
2007-06-08 22:31 55,316 --a------ C:\WINNT\system32\qcqvbgtc.dll
2007-06-07 21:28 203,096 --a------ C:\WINNT\system32\wuweb.dll
2007-06-07 21:22 325,976 --a------ C:\WINNT\system32\wucltui.dll
2007-06-07 21:13 53,080 --a------ C:\WINNT\system32\wuauclt.exe
2007-06-07 10:23 55,316 --a------ C:\WINNT\system32\pqhitiap.dll
2007-06-04 15:18 9,344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINNT\system32\drivers\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 14:05:28 -------- d-----w C:\Program Files\Lavasoft
2007-06-18 13:51:21 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-06-18 01:01:51 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-17 17:54:43 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 17:49:40 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-15 19:50:45 -------- d-----w C:\Program Files\HP
2007-06-14 02:58:17 -------- d-----w C:\Program Files\ffdshow
2007-06-14 01:46:29 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-14 01:06:08 -------- d-----w C:\Program Files\Free Audio Pack
2007-05-30 00:10:37 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\tunebite
2007-05-17 02:41:55 1,163 ----a-w C:\WINNT\mozver.dat
2007-05-17 01:55:04 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-05-13 18:05:36 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-09 07:07:21 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe
2007-04-10 14:46:23 29,672 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{19a6e331-442f-405c-8dbe-cae358917419}=C:\WINNT\system32\ewktent.dll [2007-06-17 13:33]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}=C:\WINNT\system32\hrphcnel.dll [2007-06-13 19:53]
{AF7C7BFB-55FF-489C-BB45-1CC3F8419F95}=C:\Program Files\MSN Gaming Zone\hokew58441.dll [2007-06-14 07:54]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2006-10-11 00:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"@"="" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 17:51]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 17:44]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 15:53 C:\WINNT\AGRSMMSG.exe]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2003-05-12 15:28]
"HotkeyApp"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2003-09-24 14:53]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 15:28]
"LMgrPanelICON"="C:\Program Files\Launch Manager\PanelICON.exe" [2003-09-24 17:37]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2003-09-12 16:24]
"AVManager"="C:\Program Files\Wistron\AVManager\AVManager.exe" [2003-09-24 17:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 03:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"combofix"=C:\WINNT\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoljk]
nnnoljk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINNT\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk.disabled
backup=C:\WINNT\pss\InterVideo WinCinema Manager.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SmartCapture.lnk.disabled]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\SmartCapture.lnk.disabled
backup=C:\WINNT\pss\SmartCapture.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVManager]
"C:\Program Files\Wistron\AVManager\AVManager.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtrlVol]
C:\Program Files\Launch Manager\CtrlVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotkeyApp]
C:\Program Files\Launch Manager\HotkeyApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
C:\Program Files\Launch Manager\LaunchAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrPanelICON]
C:\Program Files\Launch Manager\PanelICON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
"C:\Program Files\Launch Manager\Wbutton.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WANMiniportService"=2 (0x2)
"SLPMONX"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=2 (0x2)
"iPod Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=C:\DOCUME~1\Owner\Desktop\em\NEWFOL~1\aim.exe -cnetwait.odl
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WindowsUpdate"=rundll32.exe "C:\WINNT\system32\tnikgiyn.dll",realset
"ATIModeChange"=Ati2mdxx.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NeroCheck"=C:\WINNT\System32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE

*Newly Created Service* - SBAPIFS

Contents of the 'Scheduled Tasks' folder
2007-06-14 22:18:04 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-06-19 03:38:30 C:\WINNT\tasks\Check Updates for Windows Live Toolbar.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 00:09:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-19 0:13:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-19 00:12

--- E O F ---





I read the HJT tutorial and went on a rampage removing stuff. Didn't seem to help.
Here's the new HJT log after a few reboots:


Logfile of HijackThis v1.99.1
Scan saved at 12:24:52 AM, on 6/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\PanelICON.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Wistron\AVManager\AVManager.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINNT\system32\notepad.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19a6e331-442f-405c-8dbe-cae358917419} - C:\WINNT\system32\ewktent.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINNT\system32\hrphcnel.dll
O2 - BHO: (no name) - {AF7C7BFB-55FF-489C-BB45-1CC3F8419F95} - C:\Program Files\MSN Gaming Zone\hokew58441.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AVManager] "C:\Program Files\Wistron\AVManager\AVManager.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A806C19-90FC-4EE3-8AA2-F26077A3DEEB}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: nnnoljk - nnnoljk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe



I had word wrap off before and it's off now... I'm not sure why it's wrapping. As you can see, I installed many anti-virus and anti-malware programs, but they don't seem to be fixing the problem.

That Winlogon Notify thing is really annoying, tried to remove it but it keeps coming back.

Thanks for helping.

[EDIT: actually, combofix may have fixed my problem! I don't seem to be getting random popups anymore. Anything still look suspicious in those logs?]

Edited by B3n Mann, 18 June 2007 - 11:54 PM.
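Ben asks whether anything in the two logs still looks suspicious. The helpers read HijackThis output by eye, but the signals they look for can be checked mechanically. The script below is an added example (not code from the original posts, and not part of HijackThis or ComboFix): it runs a few context checks over entries copied from the two HijackThis logs in this thread. It flags unnamed BHOs loaded straight from system32, Run entries that use rundll32 to load a system32 DLL that is not a known Windows component, every Trusted Zone entry (each one relaxes IE's zone restrictions for that domain), Winlogon Notify DLLs outside a short known list (these load inside winlogon.exe as SYSTEM at every logon, which is why such an entry "keeps coming back" after a user-level removal), file names made of letters followed by a run of digits, and orphaned entries whose file is gone. The allowlists and the name pattern are illustrative assumptions, not a vetted database, so treat the output as a list of things to look at rather than a verdict.

```python
"""Mechanical triage of HijackThis log entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Entries copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {19a6e331-442f-405c-8dbe-cae358917419} - C:\WINNT\system32\ewktent.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINNT\system32\hrphcnel.dll
O2 - BHO: (no name) - {AF7C7BFB-55FF-489C-BB45-1CC3F8419F95} - C:\Program Files\MSN Gaming Zone\hokew58441.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [j7261536] rundll32 C:\WINNT\system32\j7261536.dll sook
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINNT\system32\iymqrnof.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\DOCUME~1\Owner\Desktop\em\NEWFOL~1\aim.exe (file missing)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O20 - Winlogon Notify: nnnoljk - nnnoljk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.I)   # first drive-letter path ending in .dll/.exe
SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+$", re.I)          # file sits directly in system32
GENERATED_RE = re.compile(r"^[a-z]+\d{4,}\.(?:dll|exe)$", re.I)  # letters then 4+ digits: j7261536, hokew58441

# Assumed, deliberately short allowlists; a real tool would consult a vetted database.
RUNDLL32_OK = {"shell32.dll", "advpack.dll", "nvcpl.dll"}
WINLOGON_NOTIFY_OK = {"wgalogon.dll", "crypt32.dll", "cscdll.dll", "sclgntfy.dll",
                      "wlnotify.dll", "igfxcui.dll", "atiextevent.dll"}


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    reason: str
    line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def first_path(text: str):
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def triage_line(line: str) -> list:
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return []
    tag, body = m.groups()
    path = first_path(body)
    base = basename(path).lower() if path else None
    out = []

    if tag == "O2" and body.startswith("BHO: (no name)") and path and SYSTEM32_RE.search(path):
        out.append(Finding(tag, "unnamed BHO loaded from system32", line))
    if tag == "O4" and "rundll32" in body.lower() and path and SYSTEM32_RE.search(path) \
            and base not in RUNDLL32_OK:
        out.append(Finding(tag, "Run entry uses rundll32 to load a system32 DLL that is not a known Windows component", line))
    if tag == "O15":
        out.append(Finding(tag, "Trusted Zone entry relaxes IE security for this domain; verify the user added it", line))
    if tag == "O20":
        # Last " - " field is the notify DLL, with or without a full path.
        module = body.split(" - ")[-1].replace("(file missing)", "").strip()
        if basename(module).lower() not in WINLOGON_NOTIFY_OK:
            out.append(Finding(tag, "Winlogon Notify DLL not in known set; runs inside winlogon.exe as SYSTEM at every logon", line))
    if base and GENERATED_RE.match(base):
        out.append(Finding(tag, "machine-generated-looking file name (letters followed by 4+ digits)", line))
    if "(file missing)" in body and tag != "O20":
        out.append(Finding(tag, "orphaned entry: referenced file no longer exists", line))
    return out


def triage(log_text: str) -> list:
    """Run triage_line over every non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        if raw.strip():
            findings.extend(triage_line(raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the sample, SDHelper.dll (Spybot) is not flagged even though it is an unnamed BHO, because it lives in a product directory rather than system32; the two unnamed BHOs in system32 and the rundll32 entries are, and the entry named "GPLv3" is a reminder that the Run-key label is chosen by whoever wrote the key and carries no information about the DLL behind it.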


#5 miekiemoes
    Malware Expert (Global Moderator, 20,026 posts)

Posted 19 June 2007 - 12:10 AM

Hi,

Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\WINNT\system32\bkauwtwn.dll
C:\WINNT\system32\hrphcnel.dll
C:\WINNT\system32\qcqvbgtc.dll
C:\WINNT\system32\pqhitiap.dll
C:\WINNT\system32\ewktent.dll
C:\Program Files\MSN Gaming Zone\hokew58441.dll

Folder::
C:\WINNT\system32\win
C:\WINNT\system32\S7
C:\WINNT\system32\S6
C:\WINNT\system32\S4
C:\WINNT\system32\S1
C:\WINNT\system32\S0
C:\WINNT\system32\o02PrEz
C:\Temp\iee

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19a6e331-442f-405c-8dbe-cae358917419}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7C7BFB-55FF-489C-BB45-1CC3F8419F95}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoljk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WindowsUpdate"=-


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
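The text miekiemoes has Ben save as ComboFix-Do.txt is a ComboFix script: a `File::` section of files to remove, a `Folder::` section of directories, and a `Registry::` section in .reg-style syntax where `[-KEY]` deletes a whole key and `"name"=-` under a plain `[KEY]` header deletes one value (here the `WindowsUpdate` value that launched tnikgiyn.dll via rundll32). As an added example, and not ComboFix's own code, the Python below parses that format into a plan and renders the equivalent dry-run commands using the `del`, `rd` and `reg delete` syntax of cmd.exe and reg.exe. The real tool accepts more forms than the two registry directives shown in this thread, so this parser deliberately raises on any `Registry::` line it does not recognise rather than guessing. The sample script is a subset of the one posted above.

```python
"""Parse a ComboFix-style script (File::/Folder::/Registry::) into a dry-run plan.
Added example; not ComboFix code. Only the two Registry:: forms used in this
thread ([-KEY] and "name"=-) are supported; anything else is rejected."""
import re
from dataclasses import dataclass, field

# Subset of the script posted in this thread.
SAMPLE_SCRIPT = r"""
File::
C:\WINNT\system32\bkauwtwn.dll
C:\Program Files\MSN Gaming Zone\hokew58441.dll

Folder::
C:\WINNT\system32\o02PrEz
C:\Temp\iee

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19a6e331-442f-405c-8dbe-cae358917419}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoljk]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WindowsUpdate"=-
"""

SECTION_RE = re.compile(r"^(File|Folder|Registry)::\s*$", re.I)
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [KEY] selects a key, [-KEY] deletes it
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')     # "name"=- deletes a value under the current key

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}


@dataclass
class Plan:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)   # (key, value name)


def parse_cfscript(text: str) -> Plan:
    plan = Plan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "folder":
            plan.folders.append(line)
        elif section == "registry":
            km = KEY_RE.match(line)
            if km:
                minus, key = km.groups()
                if minus:
                    plan.delete_keys.append(key)
                    current_key = None
                else:
                    current_key = key
                continue
            vm = VALUE_DEL_RE.match(line)
            if vm and current_key:
                plan.delete_values.append((current_key, vm.group(1)))
            else:
                raise ValueError(f"unsupported Registry:: line: {line}")
        else:
            raise ValueError(f"line outside any section: {line}")
    return plan


def short_hive(key: str) -> str:
    """HKEY_LOCAL_MACHINE\\x -> HKLM\\x (reg.exe accepts either form)."""
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive) + "\\" + rest


def render_commands(plan: Plan) -> list:
    """Equivalent cmd.exe / reg.exe commands, for review before anything is run."""
    cmds = [f'del /f /q "{f}"' for f in plan.files]
    cmds += [f'rd /s /q "{d}"' for d in plan.folders]
    cmds += [f'reg delete "{short_hive(k)}" /f' for k in plan.delete_keys]
    cmds += [f'reg delete "{short_hive(k)}" /v "{v}" /f' for k, v in plan.delete_values]
    return cmds


if __name__ == "__main__":
    for cmd in render_commands(parse_cfscript(SAMPLE_SCRIPT)):
        print(cmd)
```

The point of rendering the plan before acting on it is the same reason the helper asks for a fresh log afterwards: a removal script is a list of irreversible operations against files and registry keys, and the names here were chosen by reading the logs, not by any signature, so a reviewer wants to see exactly what will be deleted first.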

#6 B3n Mann
    Member (Full Member, 4 posts)

Posted 19 June 2007 - 01:07 AM

Combofix log:

ComboFix 07-06-13.7 - C:\Documents and Settings\Owner\Desktop\HJT\ComboFix.exe
"Owner" - 2007-06-19 1:51:07 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Owner\Desktop\HJT\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\iee
C:\Temp\iee\tmpZTF.log
C:\WINNT\system32\bkauwtwn.dll
C:\WINNT\system32\o02PrEz
C:\WINNT\system32\o02PrEz\o02PrEz1065.exe
C:\WINNT\system32\pqhitiap.dll
C:\WINNT\system32\qcqvbgtc.dll
C:\WINNT\system32\S0
C:\WINNT\system32\S0\cogyaga58441.exe
C:\WINNT\system32\S1
C:\WINNT\system32\S4
C:\WINNT\system32\S4\wen2.exe
C:\WINNT\system32\S6
C:\WINNT\system32\S7
C:\WINNT\system32\win


((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))


2007-06-18 23:50 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-17 23:33 76,560 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-06-17 22:33 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-06-17 14:11 0 --a------ C:\WINNT\system32\SBRC.dat
2007-06-17 14:11 0 --a------ C:\WINNT\system32\SBFC.dat
2007-06-17 14:06 15,544 --a------ C:\WINNT\system32\drivers\sbhr.sys
2007-06-17 13:58 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-06-17 13:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-06-17 13:43 <DIR> d-------- C:\windows
2007-06-16 16:57 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-06-15 20:14 <DIR> d-------- C:\Program Files\AP Tuner
2007-06-13 23:00 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2007-06-13 23:00 <DIR> d-------- C:\Program Files\DScaler5
2007-06-13 23:00 <DIR> d-------- C:\Program Files\CD Audio Reader Filter
2007-06-13 22:59 <DIR> d-------- C:\Program Files\SHOUTcast Source
2007-06-13 22:59 <DIR> d-------- C:\Program Files\RealMedia
2007-06-13 22:58 <DIR> d-------- C:\Program Files\Haali
2007-06-13 22:58 <DIR> d-------- C:\Program Files\DS-MP3 Source
2007-06-13 22:57 <DIR> d-------- C:\Program Files\Zoom Player
2007-06-13 22:57 <DIR> d-------- C:\Program Files\DirectVobSub
2007-06-13 21:44 95,872 --a------ C:\WINNT\system32\AvastSS.scr
2007-06-13 21:44 94,552 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2007-06-13 21:44 85,952 --a------ C:\WINNT\system32\drivers\aswmon.sys
2007-06-13 21:44 43,176 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2007-06-13 21:44 26,888 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2007-06-13 21:44 23,416 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2007-06-13 21:43 745,600 --a------ C:\WINNT\system32\aswBoot.exe
2007-06-13 21:43 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-07 21:28 203,096 --a------ C:\WINNT\system32\wuweb.dll
2007-06-07 21:22 325,976 --a------ C:\WINNT\system32\wucltui.dll
2007-06-07 21:13 53,080 --a------ C:\WINNT\system32\wuauclt.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-19 04:50:27 -------- d-----w C:\Program Files\Lavasoft
2007-06-19 04:46:08 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-18 13:51:21 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-06-17 17:54:43 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 17:49:40 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-15 19:50:45 -------- d-----w C:\Program Files\HP
2007-06-14 02:58:17 -------- d-----w C:\Program Files\ffdshow
2007-06-14 01:46:29 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-14 01:06:08 -------- d-----w C:\Program Files\Free Audio Pack
2007-05-30 00:10:37 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\tunebite
2007-05-17 02:41:55 1,163 ----a-w C:\WINNT\mozver.dat
2007-05-17 01:55:04 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-05-13 18:05:36 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-09 07:07:21 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-10 14:46:23 29,672 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2006-10-11 00:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"@"="" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 17:51]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 17:44]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 15:53 C:\WINNT\AGRSMMSG.exe]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2003-05-12 15:28]
"HotkeyApp"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2003-09-24 14:53]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 15:28]
"LMgrPanelICON"="C:\Program Files\Launch Manager\PanelICON.exe" [2003-09-24 17:37]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2003-09-12 16:24]
"AVManager"="C:\Program Files\Wistron\AVManager\AVManager.exe" [2003-09-24 17:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 03:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINNT\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk.disabled
backup=C:\WINNT\pss\InterVideo WinCinema Manager.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SmartCapture.lnk.disabled]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\SmartCapture.lnk.disabled
backup=C:\WINNT\pss\SmartCapture.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVManager]
"C:\Program Files\Wistron\AVManager\AVManager.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtrlVol]
C:\Program Files\Launch Manager\CtrlVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotkeyApp]
C:\Program Files\Launch Manager\HotkeyApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
C:\Program Files\Launch Manager\LaunchAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrPanelICON]
C:\Program Files\Launch Manager\PanelICON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
"C:\Program Files\Launch Manager\Wbutton.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WANMiniportService"=2 (0x2)
"SLPMONX"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=2 (0x2)
"iPod Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=C:\DOCUME~1\Owner\Desktop\em\NEWFOL~1\aim.exe -cnetwait.odl
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIModeChange"=Ati2mdxx.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NeroCheck"=C:\WINNT\System32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE

*Newly Created Service* - SBAPIFS

Contents of the 'Scheduled Tasks' folder
2007-06-14 22:18:04 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-06-19 05:38:31 C:\WINNT\tasks\Check Updates for Windows Live Toolbar.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 01:55:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-19 1:57:05
C:\ComboFix-quarantined-files.txt ... 2007-06-19 01:56
C:\ComboFix2.txt ... 2007-06-19 00:13

--- E O F ---


HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:05:01 AM, on 6/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\PanelICON.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Wistron\AVManager\AVManager.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AVManager] "C:\Program Files\Wistron\AVManager\AVManager.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A806C19-90FC-4EE3-8AA2-F26077A3DEEB}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe



On a side note: when I tried to use TrendMicro's housecall a few days ago, it froze in the middle of fixing the problems it found. Not sure if that matters.

#7 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 19 June 2007 - 06:06 AM

Hi,

That went well.

Delete next folder: C:\Qoobox

On a side note: when I tried to use TrendMicro's housecall a few days ago, it froze in the middle of fixing the problems it found. Not sure if that matters.

When I scan with Trendmicro's online scanner, while scanning, the applet just closes or freezes as well. A lot of people were having that issue. In your case, it could be the same, or also because when it tried to delete a file, it was in use and couldn't get deleted, which caused a crash.

Anyway, your logs look clean again. How are things now? Popups gone?

#8 B3n Mann

B3n Mann

    Member

  • Full Member
  • 4 posts

Posted 19 June 2007 - 08:31 AM

Things seem to be back to normal. Thanks so much!

#9 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 19 June 2007 - 09:27 AM

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#10 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 24 June 2007 - 02:57 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here.
This applies only to the original topic starter.

Everyone else please begin a New Topic.