• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Oatesy

pmcubosf

3 posts in this topic

Hi,

I have a program that keeps installing itself in the system32 directory in a folder called pmcubosf. This programs keeps popping up a security center ballon asking for me to intall various software.

 

I have tried many spyware programs but they dont detect where this routine is. I assume it links to a IP address every time I reboot or after a certain length of time.

 

So can anyone of you guys with your great expertise help me out.

 

Much appreciated.

 

Oatesy

 

Log file

 

Logfile of HijackThis v1.99.1

Scan saved at 10:43:55, on 19.06.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe

C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe

C:\Program Files\Microsoft SQL Server\Inv11\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe

C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\Program Files\Spyware Doctor\svcntaux.exe

C:\Program Files\Spyware Doctor\swdsvc.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Distillr\Acrotray.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Documents and Settings\All Users\Application Data\evgnctuj.exe

C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\scchk32.exe

C:\Program Files\Spyware Doctor\SDTrayApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Citrix\ICA Client\Wfcrun32.exe

C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE

C:\Program Files\AutoCAD 2006\acad.exe

C:\DOCUME~1\oatkev\LOCALS~1\Temp\AdskCleanup.0001

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Kevin\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.kcadeutag.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://login.kcadeutag.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.kcadeutag.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {9E78F89C-E40B-4D36-AB3E-EFADD851D259} - (no file)

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {DA11A8D5-84DB-4CDD-A442-71616E8D8835} - (no file)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [evgnctuj.exe] C:\Documents and Settings\All Users\Application Data\evgnctuj.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"

O4 - HKLM\..\Run: [sC2] C:\WINDOWS\system32\scchk32.exe

O4 - HKLM\..\Run: [sDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?cf5cb56f32cc49f8b52527e6d229960f

O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?cf5cb56f32cc49f8b52527e6d229960f

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://m-power.kcadeutag.com

O15 - Trusted Zone: http://kca.prolearn.no

O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://vpn.kcadeutag.com/net6helper.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kcadno.local

O17 - HKLM\Software\..\Telephony: DomainName = kcadno.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kcadno.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kcadno.local

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Autodesk Data Management Job Dispatch - Autodesk Inc - C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe

O23 - Service: Autodesk EDM Server - - C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: MSSQL$AUTODESKVAULT - Unknown owner - C:\Program Files\Microsoft SQL Server\Inv11\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe" -sAUTODESKVAULT (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: SQLAgent$AUTODESKVAULT - Unknown owner - C:\Program Files\Microsoft SQL Server\Inv11\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE" -i AUTODESKVAULT (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Edited by Oatesy

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

I have now fixed it using hijackthis, read the tutorial and with trial and error I got it solved

 

Oates

Edited by Oatesy

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0