maxreturn

IE Popups and Trojan Virus when using Mozilla

11 posts in this topic

Hello. I have read the FAQ and have tried running AVG, Ad-Aware and Spybot several times, but I continue to get trojan viruses and annoying IE popups when using Mozilla. Whenever I run Spybot, it can never get rid of two things: the latest "smitfraud-c.coreservice" and "virtumond". The computer is also very sluggish and impossible to use when the popups start appearing. I have posted a HijackThis log below. I GREATLY appreciate your service. Let me know if there's anything else I can provide you with. Best Regards!

 

Logfile of HijackThis v1.99.1

Scan saved at 2:49:02 PM, on 06/16/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\program files\internet explorer\IEXPLORE.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\S4F\filter7.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Program Files\Rhapsody\rhaphlpr.exe

C:\Documents and Settings\Chuck\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti

O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\Chuck\Local Settings\Temp\TICHD003.exe CHD003

O4 - HKLM\..\Run: [salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"

O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\hushepim.dll",realset

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe

O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Chuck\Local Settings\Temp\TICHD003.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe

O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132420292453

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-tu...l/java/RntX.cab

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: fonts - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\help.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hello,

 

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Then, download ComboFix to your desktop.

Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.

Post the contents of this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


Thanks miekiemoes. Following, in order, are: 1) the combofix.txt log and 2) the latest HijackThis log. Thanks for all your help!

 

ComboFix 07-06-18.2 - C:\Documents and Settings\Chuck\Desktop\ComboFix.exe

"Chuck" - 2007-06-19 20:08:39 - Service Pack 2 NTFS

 

 

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\hushepim.dll

C:\WINDOWS\system32\lnmnhdwh.dll

C:\WINDOWS\system32\ltqdesgq.dll

C:\WINDOWS\system32\tnejufcc.dll

C:\WINDOWS\system32\ultvwcdl.dll

C:\WINDOWS\system32\uoffctxu.dll

C:\WINDOWS\system32\yeooxvxy.dll

C:\WINDOWS\system32\fccawxv.dll

C:\WINDOWS\system32\qqtwa.bak1

C:\WINDOWS\system32\qqtwa.bak2

C:\WINDOWS\system32\qqtwa.ini

C:\WINDOWS\system32\qqtwa.ini2

C:\WINDOWS\system32\mipehsuh.ini

C:\WINDOWS\system32\hwdhnmnl.ini

C:\WINDOWS\system32\qgsedqtl.ini

C:\WINDOWS\system32\ccfujent.ini

C:\WINDOWS\system32\ldcwvtlu.ini

C:\WINDOWS\system32\uxtcffou.ini

C:\WINDOWS\system32\yxvxooey.ini

C:\WINDOWS\system32\qqtwa.bak1

C:\WINDOWS\system32\qqtwa.bak2

C:\WINDOWS\system32\qqtwa.ini

C:\WINDOWS\system32\qqtwa.ini2

C:\WINDOWS\system32\qqtwa.tmp

C:\WINDOWS\system32\qqtwa.bak1

C:\WINDOWS\system32\qqtwa.bak2

C:\WINDOWS\system32\qqtwa.ini

C:\WINDOWS\system32\qqtwa.ini2

C:\WINDOWS\system32\awtqq.dll

C:\WINDOWS\system32\awtrpqo.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe

C:\Temp\tn3

C:\WINDOWS\b136.exe

C:\WINDOWS\system32\drivers\core.sys

C:\WINDOWS\system32\msxml3a.dll

C:\WINDOWS\wr.txt

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_CORE

-------\core

 

 

((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))

 

 

2007-06-19 20:07 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-10 21:05 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor

2007-06-10 21:05 <DIR> d--hs---- C:\UWA7P

2007-06-10 21:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007

2007-06-10 20:53 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ

2007-06-10 20:53 <DIR> d-------- C:\temp\x2b

2007-06-02 14:46 <DIR> d-------- C:\Program Files\MetaTrader 4

2007-05-28 16:17 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\MySpace

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-16 15:23:57 -------- d-----w C:\Program Files\Free Offers from Freeze.com

2007-06-16 00:43:02 -------- d-----w C:\Program Files\PeerGuardian2

2007-06-15 17:35:52 -------- d-----w C:\Program Files\DeBry

2007-06-10 20:29:59 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\Azureus

2007-06-10 18:41:39 -------- d-----w C:\Program Files\Azureus

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-09 21:44:39 -------- d-----w C:\Program Files\WMA-MP3.com

2007-05-09 21:25:07 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\tunebite

2007-05-07 12:28:06 32,768 ----a-w C:\WINDOWS\lcx.exe

2007-05-01 20:29:52 -------- d-----w C:\Program Files\Rhapsody

2007-05-01 20:29:13 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys

2007-05-01 20:29:13 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\Real

2007-05-01 20:27:49 -------- d-----w C:\Program Files\Audiogalaxy Rhapsody

2007-05-01 20:24:14 -------- d-----w C:\Program Files\Real

2007-05-01 05:31:09 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\Media Player Classic

2007-05-01 05:29:47 -------- d-----w C:\Program Files\Common Files\Real

2007-05-01 05:29:35 -------- d-----w C:\Program Files\Ringz Studio

2007-04-29 19:22:37 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\DivX

2007-04-29 19:17:57 -------- d-----w C:\Program Files\Common Files\FDRLab

2007-04-29 19:07:57 -------- d-----w C:\Program Files\DivX

2007-04-29 17:06:04 -------- d-----w C:\Program Files\Bonjour

2007-04-29 16:49:04 -------- d-----w C:\Program Files\Common Files\Macrovision Shared

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-23 19:24:45 -------- d-----w C:\Program Files\Common Files\Autodesk Shared

2007-04-23 19:24:26 -------- d-----w C:\Program Files\AutoCAD 2007

2007-04-23 19:23:18 -------- d-----w C:\Program Files\AnswerWorks 4.0

2007-04-23 19:19:09 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\Autodesk

2007-04-23 19:10:22 -------- d-----w C:\Program Files\Autodesk

2007-04-23 15:36:34 -------- d-----w C:\Program Files\PowerISO

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2007-03-27 07:55:31 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll

2007-03-27 07:55:31 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe

2007-03-27 07:55:31 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe

2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll

2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll

2007-03-22 00:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL

2007-03-22 00:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE

2007-03-22 00:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE

2004-06-11 11:17:01 0 -csha-w C:\WINDOWS\system32\javakd32.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll [2004-09-29 13:02]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]

{1B677FEB-272E-4450-B732-3085FDBF0B9f}=C:\WINDOWS\system32\sacwyfch.dll []

{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 14:41]

{D604AF33-3A90-471E-AB66-1CB4B012697f}=C:\WINDOWS\system32\sacwyfch.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2002-06-18 18:44 C:\WINDOWS\SOUNDMAN.EXE]

"nwiz"="nwiz.exe" [2003-11-17 11:33 C:\WINDOWS\system32\nwiz.exe]

"ashMaiSv"="C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe" []

"zSPGuard"="c:\program files\pjw\spguard\spguard.exe" []

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-15 21:00]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-08 15:32]

"ProfileWatcher"="C:\Program Files\ProfileWatcher\profilewatcher.exe" []

"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 08:23]

"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-09-25 11:10]

"{ZN}"="C:\Documents and Settings\Chuck\Local Settings\Temp\TICHD003.exe" [2007-06-10 20:59]

"Salestart"="C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" []

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-11-17 11:33]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]

"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-08 20:04]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"RunNarrator"=Narrator.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 16:15]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S4F]

"C:\Program Files\S4F\Filter7.exe"

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d9e6821-4731-11db-9592-000c6ecadc14}]

AutoRun\command- E:\LaunchU3.exe

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-19 20:30:30

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-19 20:33:28 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-19 20:33

 

--- E O F ---

 

Logfile of HijackThis v1.99.1

Scan saved at 8:37:39 PM, on 06/19/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cmd.exe

C:\program files\internet explorer\IEXPLORE.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\AIM\aim.exe

C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\S4F\filter7.exe

C:\Documents and Settings\Chuck\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1B677FEB-272E-4450-B732-3085FDBF0B9f} - C:\WINDOWS\system32\sacwyfch.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: (no name) - {D604AF33-3A90-471E-AB66-1CB4B012697f} - C:\WINDOWS\system32\sacwyfch.dll (file missing)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti

O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\Chuck\Local Settings\Temp\TICHD003.exe CHD003

O4 - HKLM\..\Run: [salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe

O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Chuck\Local Settings\Temp\TICHD003.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe

O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132420292453

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-tu...l/java/RntX.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: fonts - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\help.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Hi,

 

Go to this page.

Enter the url of this thread in the first field.

Where it says "browse to the file that you want to submit", click the Browse button next to it and browse to the following file:

C:\Program Files\Common Files\Microsoft Shared\MSINFO\help.exe

 

Select it and click ok:

Then click the Send File button below.

 

Then,

Open Notepad and copy/paste the text in the quote box below into it:

 

File::

C:\WINDOWS\system32\javakd32.exe

C:\Documents and Settings\Chuck\Local Settings\Temp\TICHD003.exe

C:\Documents and Settings\Chuck\Start Menu\Programs\Startup\TA_Start.lnk

C:\Program Files\Common Files\Microsoft Shared\MSINFO\help.exe

 

Folder::

C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor

C:\UWA7P

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007

C:\WINDOWS\system32\T1QaSQ

C:\temp\x2b

 

Driver::

fonts

 

Registry::

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D604AF33-3A90-471E-AB66-1CB4B012697f}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B677FEB-272E-4450-B732-3085FDBF0B9f}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"zSPGuard"=-

"ProfileWatcher"=-

"{ZN}"=-

"Salestart"=-

 

Save this as ComboFix-Do.txt

 

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

 

Combo-Do.gif

 

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

 

Extra addition:

 

Go to the following site:

http://www.virustotal.com/en/indexf.html

On top you'll find 'Browse'

Click the Browse button and browse to the following file:

 

C:\WINDOWS\lcx.exe

 

Click open.

Then click the 'Send' button next to it.

This will scan the file. Please be patient.

Once scanned, copy and paste the results in your next reply as well.
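The ComboFix-Do.txt script above uses the ComboFix CFScript layout: a section name ending in "::" followed by one target per line, with the Registry:: block written in .reg-file syntax ([-KEY] removes a key, [KEY] selects a key, and "name"=- removes that value under the key selected just above it). As an added example that is not part of this post or of ComboFix, here is a Python reader that turns such a script into a plain list of the actions it will take, so the plan can be checked before the file is dragged onto ComboFix.exe. The sample script reuses entries listed in this post; that ComboFix interprets the Registry:: lines exactly as standard .reg syntax is an assumption.

```python
import re

# Sample script in the CFScript layout used in this thread; the targets are taken from the
# helper's ComboFix-Do.txt above, trimmed to one or two entries per section.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\javakd32.exe
C:\Documents and Settings\Chuck\Local Settings\Temp\TICHD003.exe

Folder::
C:\UWA7P
C:\temp\x2b

Driver::
fonts

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D604AF33-3A90-471E-AB66-1CB4B012697f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zSPGuard"=-
"{ZN}"=-
"""

SECTION_RE = re.compile(r"^(\w+)::$")          # File::, Folder::, Driver::, Registry::
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")      # [KEY] selects, [-KEY] deletes (.reg syntax, assumed)
REG_VALUE_RE = re.compile(r'^"(.+)"=(.*)$')     # "name"=-  deletes the value; "name"=... sets it


def parse_script(text):
    """Return a list of (action, target) pairs describing what the script asks ComboFix to do."""
    plan = []
    section = None
    current_key = None  # key selected by the last [KEY] line in the Registry:: block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section == "File":
            plan.append(("delete file", line))
        elif section == "Folder":
            plan.append(("delete folder", line))
        elif section == "Driver":
            plan.append(("remove driver/service", line))
        elif section == "Registry":
            km = REG_KEY_RE.match(line)
            if km:
                if km.group(1) == "-":
                    plan.append(("delete registry key", km.group(2)))
                    current_key = None
                else:
                    current_key = km.group(2)
                continue
            vm = REG_VALUE_RE.match(line)
            if vm and current_key is not None:
                name, value = vm.groups()
                if value == "-":
                    plan.append(("delete registry value", current_key + "\\" + name))
                else:
                    plan.append(("set registry value", f"{current_key}\\{name} = {value}"))
            else:
                plan.append(("unrecognised registry line", line))
        else:
            plan.append(("unrecognised line outside any section", line))
    return plan


def windows_dir_targets(plan):
    """File and folder deletions under the Windows directory. Misidentifying one of these can
    leave the machine unbootable, so they are listed separately for a second look."""
    return [(action, target) for action, target in plan
            if action in ("delete file", "delete folder")
            and re.search(r"\\WINDOWS\\", target, re.IGNORECASE)]


if __name__ == "__main__":
    plan = parse_script(SAMPLE_SCRIPT)
    for action, target in plan:
        print(f"{action:28s} {target}")
    print("\nWindows-directory deletions to double-check:")
    for action, target in windows_dir_targets(plan):
        print(f"  {target}")
```

Any "unrecognised" entry in the output is worth fixing in the text file before running it; a stray line in the wrong section is the kind of typo that is easy to miss when the script is pasted from a forum post.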


Greetings miekiemoes. First is the Combofix.txt log. Second is the HijackThis log. Third is the lcx file:

 

ComboFix 07-06-18.2 - C:\Documents and Settings\Chuck\Desktop\ComboFix.exe

"Chuck" - 2007-06-20 18:45:56 - Service Pack 2 NTFS

Command switches used :: C:\Documents and Settings\Chuck\Desktop\Combofix-Do.txt

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode

C:\Documents and Settings\Chuck\Start Menu\Programs\Startup\TA_Start.lnk

C:\Program Files\Common Files\Microsoft Shared\MSINFO\help.exe

C:\temp\x2b

C:\UWA7P

C:\WINDOWS\system32\javakd32.exe

C:\WINDOWS\system32\T1QaSQ

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_FONTS

-------\fonts

 

 

((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))

 

 

2007-06-19 20:07 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-02 14:46 <DIR> d-------- C:\Program Files\MetaTrader 4

2007-05-28 16:17 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\MySpace

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-20 22:16:08 69,800 ----a-w C:\DOCUME~1\Chuck\APPLIC~1\GDIPFONTCACHEV1.DAT

2007-06-16 15:23:57 -------- d-----w C:\Program Files\Free Offers from Freeze.com

2007-06-16 00:43:02 -------- d-----w C:\Program Files\PeerGuardian2

2007-06-15 17:35:52 -------- d-----w C:\Program Files\DeBry

2007-06-10 20:29:59 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\Azureus

2007-06-10 18:41:39 -------- d-----w C:\Program Files\Azureus

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-09 21:44:39 -------- d-----w C:\Program Files\WMA-MP3.com

2007-05-09 21:25:07 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\tunebite

2007-05-07 12:28:06 32,768 ----a-w C:\WINDOWS\lcx.exe

2007-05-01 20:29:52 -------- d-----w C:\Program Files\Rhapsody

2007-05-01 20:29:13 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys

2007-05-01 20:29:13 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\Real

2007-05-01 20:27:49 -------- d-----w C:\Program Files\Audiogalaxy Rhapsody

2007-05-01 20:24:14 -------- d-----w C:\Program Files\Real

2007-05-01 05:31:09 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\Media Player Classic

2007-05-01 05:29:47 -------- d-----w C:\Program Files\Common Files\Real

2007-05-01 05:29:35 -------- d-----w C:\Program Files\Ringz Studio

2007-04-29 19:22:37 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\DivX

2007-04-29 19:17:57 -------- d-----w C:\Program Files\Common Files\FDRLab

2007-04-29 19:07:57 -------- d-----w C:\Program Files\DivX

2007-04-29 17:06:04 -------- d-----w C:\Program Files\Bonjour

2007-04-29 16:49:04 -------- d-----w C:\Program Files\Common Files\Macrovision Shared

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-23 19:24:45 -------- d-----w C:\Program Files\Common Files\Autodesk Shared

2007-04-23 19:24:26 -------- d-----w C:\Program Files\AutoCAD 2007

2007-04-23 19:23:18 -------- d-----w C:\Program Files\AnswerWorks 4.0

2007-04-23 19:19:09 -------- d-----w C:\DOCUME~1\Chuck\APPLIC~1\Autodesk

2007-04-23 19:10:22 -------- d-----w C:\Program Files\Autodesk

2007-04-23 15:36:34 -------- d-----w C:\Program Files\PowerISO

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2007-03-27 07:55:31 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll

2007-03-27 07:55:31 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe

2007-03-27 07:55:31 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe

2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll

2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll

2007-03-22 00:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL

2007-03-22 00:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE

2007-03-22 00:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll [2004-09-29 13:02]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]

{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 14:41]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2002-06-18 18:44 C:\WINDOWS\SOUNDMAN.EXE]

"nwiz"="nwiz.exe" [2003-11-17 11:33 C:\WINDOWS\system32\nwiz.exe]

"ashMaiSv"="C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe" []

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-15 21:00]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-08 15:32]

"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 08:23]

"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-09-25 11:10]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-11-17 11:33]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]

"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-08 20:04]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"RunNarrator"=Narrator.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 16:15]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S4F]

"C:\Program Files\S4F\Filter7.exe"

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d9e6821-4731-11db-9592-000c6ecadc14}]

AutoRun\command- E:\LaunchU3.exe

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-20 18:53:32

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-20 18:56:19 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-20 18:56

C:\ComboFix2.txt ... 2007-06-19 20:33

 

--- E O F ---

 

----------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 6:59:09 PM, on 06/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\AIM\aim.exe

C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Chuck\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe

O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132420292453

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-tu...l/java/RntX.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

----------------------------------

 

STATUS: FINISHED

Complete scanning result of "lcx.exe", received in VirusTotal at 06.21.2007, 00:50:01 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.6.20.1 06.20.2007 Win-AppCare/PortSniffer.32768

AntiVir 7.4.0.34 06.20.2007 no virus found

Authentium 4.93.8 06.21.2007 no virus found

Avast 4.7.997.0 06.20.2007 Win32:Pepatch-P

AVG 7.5.0.467 06.20.2007 no virus found

BitDefender 7.2 06.20.2007 Spyware.Transmit.A

CAT-QuickHeal 9.00 06.20.2007 NetTool.Transmit.a (Not a Virus)

ClamAV devel-20070416 06.20.2007 Trojan.Pcclient-85

DrWeb 4.33 06.20.2007 no virus found

eSafe 7.0.15.0 06.20.2007 Suspicious Trojan/Worm

eTrust-Vet 30.8.3730 06.20.2007 no virus found

Ewido 4.0 06.20.2007 Not-A-Virus.NetTool.Win32.Transmit.a

FileAdvisor 1 06.21.2007 Not analyzed yet

Fortinet 2.91.0.0 06.20.2007 PUP

F-Prot 4.3.2.48 06.19.2007 W32/Threat-HLLIP-based!Maximus

F-Secure 6.70.13030.0 06.20.2007 no virus found

Ikarus T3.1.1.8 06.20.2007 Backdoor.Win32.EggDrop.17

Kaspersky 4.0.2.24 06.21.2007 not-a-virus:NetTool.Win32.Transmit.a

McAfee 5057 06.20.2007 potentially unwanted program Generic PUP

Microsoft 1.2607 06.20.2007 no virus found

NOD32v2 2341 06.20.2007 no virus found

Norman 5.80.02 06.20.2007 W32/Transmit.A

Panda 9.0.0.4 06.20.2007 Suspicious file

Prevx1 V2 06.21.2007 no virus found

Sophos 4.18.0 06.12.2007 Packet Transmit

Sunbelt 2.2.907.0 06.16.2007 VIPRE.Suspicious

Symantec 10 06.21.2007 no virus found

TheHacker 6.1.6.136 06.20.2007 Aplicacion/Transmit.a

VBA32 3.12.0.2 06.20.2007 Backdoor.Win32.Hupigon.anl

VirusBuster 4.3.23:9 06.20.2007 no virus found

Webwasher-Gateway 6.0.1 06.20.2007 Riskware.Transmit.A

 

 

Aditional Information

File size: 32768 bytes

MD5: 516c14022fe949693e53acc1c58f0f9e

SHA1: fe7e99825cb95104e5fa83d749492a97f4587566

packers: PECOMPACT

Bit9 info: http://fileadvisor.bit9.com/services/extin...e53acc1c58f0f9e

Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

 

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.



Hi,

 

Do you know this file you uploaded at Virustotal?

 

C:\WINDOWS\lcx.exe

 

Or people install it themselves and use it - or it is being used by malware.

In case you don't know it, delete it.

 

Your logs look clean again.

 

Let me know in your next reply how things are now.


Hi,

 

Certainly delete the C:\WINDOWS\lcx.exe

I just had a look at the help.exe you submitted and you were dealing with a keylogger which also took printscreens from your system.

 

So I strongly recommend you change ALL your passwords!

 

Also delete the C:\Qoobox folder


miekiemoes...thanks for all your help. I ran AVG and Ad-Aware one more time, then browsed the net. No pop-ups! Computer seems to be running faster too. Many Thanks! :D


Glad I could help. :)

 

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!


Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here.

This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
