Rob2142

Possibly more than one spyware infection!!!

10 posts in this topic

Ok so it started about 3 days ago. I hooked my computer to the internet for the first time and I played some Counter Strike Source for one night. The day after is when everything started going wrong. The program for Counter Strike Source (known as Steam) was not working. My computer was slowing down, so I scanned with Ad-Aware. I found 4 infections known as Adware.BHO(generic) and removed them... not for long, as they returned and won't delete. Then my Norton firewall kept asking me to block a program called MLLJJ.EXE from accessing the Internet. I blocked it because I had no idea what it was. Then Mozilla Firefox stopped working, saying it was "unable to connect to the server" or something, yet other programs like Xfire (an online chatting program similar to AIM) were working fine. I restarted my computer thinking it would fix the problem. I was wrong. When I turned my computer back on, a process called WMRAM.EXE was "multiplying" itself at least 20 times, slowing my computer even more. The MLLJJ.EXE again tried to access the internet, but I had pulled the plug on it. Another program tried to access the internet as well, but I forgot its name. I turned my PC off again and rebooted. This time, and occasionally when I boot up my comp, a window pops up saying that the MLLJJ.EXE can't run and it wants to send some error report to Microsoft. I hit don't send and ignore it. Another thing that happens is that some symbol in the bottom right hand corner of the screen says my computer is infected. Knowing from a previous experience not to trust that, I just close it. I have installed Zone Alarm, but was only able to do it in Safe mode. AVG will not install because it apparently has an "access denied" error, even though I am the only person who uses the CPU and there are no other profiles or logs on it. I fear that this MLLJJ.EXE virus/trojan is hacking my CPU as twice now it has tried to start Firefox and open to the site Scan.Malwarecrush.com. I don't trust it at all.
My CPU is not connected to the internet and Zone Alarm cannot be activated in a normal or safe boot mode. I have a logfile scanned by HijackThis and will post it if it helps.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 12:16:41 AM, on 1/22/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Safe mode

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

K:\HiJackThis_v2.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljj.exe

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL

O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - (no file)

O2 - BHO: (no name) - {8A52E811-F038-461A-9337-FD7D6BA3934C} - C:\WINDOWS\system32\mlljj.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: InternetHelper.CInternetHelper - {D9CEE89F-CC54-4337-A283-7035335B42E6} - C:\WINDOWS\system32\winifo.dll

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\jkkkklk.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [GeelixHUDDesktop] C:\Program Files\Geelix.4.0.0.0\GeelixHUDDesktop.exe -startup

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvkib.dll,startup

O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass .exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [wininfo] C:\WINDOWS\system32\wmram.exe

O4 - HKCU\..\Run: [WindowBlinds] C:\Documents and Settings\All Users\Documents\Stardock\WindowBlinds\WBInstall32.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [steam] "C:\SteamBuster\Resources\Emulator\hCUPa\Steam.exe" -silent

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL

O20 - Winlogon Notify: jkkkklk - C:\WINDOWS\SYSTEM32\jkkkklk.dll

O20 - Winlogon Notify: tuvsqnk - tuvsqnk.dll (file missing)

O20 - Winlogon Notify: winnsy32 - C:\WINDOWS\SYSTEM32\winnsy32.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

 

--

End of file - 9371 bytes

Please help me get rid of this problem. It is very annoying and I am starting to lose my temper at times.

All help is appreciated. Thank you.

-Rob2142

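What a helper reads off a HijackThis log by eye can be written down as a few mechanical rules. The script below is an added example; it is not part of Rob2142's post, of the helpers' replies, or of HijackThis itself. It flags the indicator types visible in the log above: the win.ini load= entry (F3), BHOs registered with no name, Winlogon Notify packages outside the stock XP SP2 set, a Run entry that starts rundll32 on a DLL, filenames with a space before the extension (the "qttask .exe" pattern), and a core system process name living outside system32. The sample log is constructed from entries quoted in the thread; the KNOWN_NOTIFY allowlist and the rule wording are assumptions made for this example.

```python
"""Mechanical first-pass triage of a HijackThis 2.0 text log.

Added example; not part of the thread above and not HijackThis code.
The rules encode what a helper reads off the log by eye:
  * F-section win.ini load= entries (a legacy autostart nothing modern uses),
  * BHOs registered with no name,
  * Winlogon Notify packages outside the stock XP SP2 set (assumed allowlist),
  * Run entries that start rundll32 on a DLL,
  * a space before the file extension ("qttask .exe"), the companion-file
    pattern seen in this thread,
  * core system process names living outside \\system32.
Every hit is a lead for a human to check, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
SPACE_EXT_RE = re.compile(r'[^\\\s"]+ \.(?:exe|dll|scr|com)\b', re.IGNORECASE)
EXE_NAME_RE = re.compile(r"\\([A-Za-z0-9_]+\.exe)\b", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll", re.IGNORECASE)

SYSTEM_ONLY = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Winlogon Notify packages on a stock Windows XP SP2 install (assumption made for
# this example; extend it with the drivers and tools you know are on the box).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the entry was flagged
    line: str      # the log line itself


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per (entry, rule) pair that fires."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:                      # header, process list, blank line
            continue
        section, body = m.group(1), m.group(2)
        reasons: List[str] = []

        if section.startswith("F") and "load=" in body.lower():
            reasons.append("win.ini load= autostart")
        if section == "O2" and "(no name)" in body:
            reasons.append("orphaned BHO registration" if "(no file)" in body
                           else "BHO with no name but a DLL on disk")
        if section == "O20" and body.startswith("Winlogon Notify:"):
            package = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if package not in KNOWN_NOTIFY:
                reasons.append(f"Winlogon Notify package '{package}' not in stock XP set")
        if section == "O4" and RUNDLL_RE.search(body):
            reasons.append("Run entry loads a DLL via rundll32")
        for sm in SPACE_EXT_RE.finditer(body):
            reasons.append(f"space before extension in '{sm.group(0)}'")
        for nm in EXE_NAME_RE.finditer(body):
            if nm.group(1).lower() in SYSTEM_ONLY:
                # Everything before the filename is the directory part of the path.
                if not body[:nm.start()].lower().endswith("\\system32"):
                    reasons.append(f"{nm.group(1)} outside \\system32")

        findings.extend(Finding(section, r, line) for r in reasons)
    return findings


# Constructed sample: entries copied from the HijackThis log in the thread plus
# a few clean ones, so both hits and non-hits are exercised.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\system32\lsass.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljj.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - (no file)
O2 - BHO: (no name) - {8A52E811-F038-461A-9337-FD7D6BA3934C} - C:\WINDOWS\system32\mlljj.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvkib.dll,startup
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass .exe
O20 - Winlogon Notify: jkkkklk - C:\WINDOWS\SYSTEM32\jkkkklk.dll
O20 - Winlogon Notify: tuvsqnk - tuvsqnk.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:55} {f.line[:70]}")
```

Every finding is a lead to check, not a verdict: a legitimate third-party Winlogon Notify package (WindowBlinds registers one, as the ComboFix output later in the thread shows) is flagged just the same, which is why the allowlist is something you extend for a known machine rather than a fixed truth. On the sample the eight hits are exactly the entries the helper later dealt with, while the Acrobat BHO, ccApp and the ZoneAlarm service pass clean.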

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]


Hi,

1. Download this file - ComboFix

2. Double click ComboFix.exe & follow the prompts.

3. When finished, it will produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

jedi


Ok here is the logfile for Combofix as you requested.

 

ComboFix 08-01-23.1C - Bobby 2008-01-27 10:02:47.1 - NTFSx86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.528 [GMT -6:00]

Running from: K:\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\hp\KBD\KBD .EXE

C:\Program Files\ATI Multimedia\main\ATIDtct .EXE

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\ATI Multimedia\main\launchpd .exe

C:\Program Files\ATI Multimedia\main\launchpd.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW .exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM .exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli .exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc .exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp .exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Helper

C:\Program Files\Helper\Helper9.dll

c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06 .exe

c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper .exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Logitech\iTouch\iTouch .exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\lsass.exe

C:\Program Files\Messenger\msmsgs .exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

c:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe

c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\outerinfo

C:\Program Files\outerinfo\OinFP.exe

C:\Program Files\outerinfo\OiUninstaller.exe

C:\Program Files\outerinfo\outerinfo.ico

C:\Program Files\PowerISO\PWRISOVM .EXE

C:\Program Files\QuickTime\qttask .exe

C:\Program Files\QuickTime\qttask .exe

C:\Program Files\QuickTime\qttask .exe

C:\Program Files\QuickTime\qttask .exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\TGTSoft\StyleXP\StyleXP .exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\setup.exe

C:\SteamBuster\Resources\Emulator\hCUPa\steam .exe

C:\WINDOWS\SMINST\RECGUARD .EXE

C:\WINDOWS\system32\AutoRun.inf

C:\WINDOWS\system32\ctfmon .exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\grecorder.dll

C:\WINDOWS\system32\igfxtray .exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\jjllm.ini

C:\WINDOWS\system32\jjllm.ini2

C:\WINDOWS\system32\jkkkklk.dll

C:\WINDOWS\system32\mlljj.dll

C:\WINDOWS\system32\mlljj.exe

C:\WINDOWS\system32\RCX59.tmp

C:\WINDOWS\system32\wmram .exe

C:\WINDOWS\system32\wmram.exe

H:\Autorun.inf

 

C:\WINDOWS\system32\wmram .exe ---> QooBox

.

.

((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))

.

 

2008-01-27 10:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe

2008-01-26 17:14 . 2008-01-26 17:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-01-26 17:14 . 2008-01-26 17:14 1,409 --a------ C:\WINDOWS\QTFont.for

2008-01-26 16:52 . 2008-01-26 16:52 <DIR> d-------- C:\Program Files\Apple Software Update

2008-01-26 16:51 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

2008-01-26 16:49 . 2008-01-26 16:49 <DIR> d-------- C:\Program Files\Common Files\Apple

2008-01-26 15:36 . 2008-01-26 15:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2008-01-22 10:46 . 2008-01-22 12:39 <DIR> d----c--- C:\VundoFix Backups

2008-01-21 20:56 . 2008-01-26 17:21 241,696 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-01-21 20:56 . 2008-01-22 12:41 2,540 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-01-21 20:52 . 2008-01-21 20:52 <DIR> d-------- C:\Program Files\ZoneAlarmSB

2008-01-21 20:48 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe

2008-01-21 20:48 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll

2008-01-21 20:48 . 2008-01-21 20:52 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2008-01-21 20:46 . 2008-01-21 20:48 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs

2008-01-21 20:46 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll

2008-01-21 20:46 . 2008-01-27 10:17 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml

2008-01-21 20:45 . 2008-01-27 10:18 <DIR> d-------- C:\WINDOWS\Internet Logs

2008-01-21 18:56 . 2008-01-21 18:56 338,432 --a------ C:\WINDOWS\system32\RCX99A3.tmp

2008-01-21 03:00 . 2008-01-21 18:47 <DIR> d-------- C:\WINDOWS\$hf_mig$

2008-01-20 13:07 . 2008-01-20 13:07 338,432 --a------ C:\WINDOWS\system32\RCX94A4.tmp

2008-01-20 10:28 . 2008-01-21 21:39 667,648 --a------ C:\WINDOWS\system32\hphmon06 .exe

2008-01-20 10:28 . 2008-01-21 21:39 59,392 --a------ C:\WINDOWS\system\hpsysdrv .exe

2008-01-20 08:19 . 2008-01-20 08:19 45 --a--c--- C:\TEST.XML

2008-01-20 08:17 . 2008-01-21 22:04 178 --a------ C:\WINDOWS\system\hpsysdrv .DAT

2008-01-20 02:37 . 2008-01-20 02:37 105,472 --a------ C:\WINDOWS\system32\drvwat.dll

2008-01-20 02:37 . 2008-01-20 02:37 103,936 --a------ C:\WINDOWS\system32\drvkib.dll

2008-01-20 01:45 . 2008-01-20 01:46 <DIR> d-------- C:\Program Files\Xfire

2008-01-20 01:35 . 2008-01-20 01:35 <DIR> d-------- C:\Program Files\SystemRequirementsLab

2008-01-19 18:24 . 2008-01-19 18:24 <DIR> d-------- C:\WINDOWS\system32\XPSViewer

2008-01-19 18:24 . 2008-01-19 18:24 <DIR> d-------- C:\Program Files\Reference Assemblies

2008-01-19 18:23 . 2006-06-29 15:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

2008-01-19 18:22 . 2006-10-16 18:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe

2008-01-19 18:18 . 2008-01-19 18:18 1,158 --a------ C:\WINDOWS\mozver.dat

2008-01-16 20:16 . 2004-08-12 07:59 521,216 --a------ C:\WINDOWS\system32\logonui.exe

2008-01-16 19:48 . 2008-01-16 23:13 <DIR> d-------- C:\Program Files\OneStepSearch

2008-01-16 19:45 . 2008-01-16 19:45 129,536 --a------ C:\WINDOWS\system32\IJL15.dll

2008-01-16 19:44 . 2005-03-22 04:26 3,661,508 --a------ C:\WINDOWS\system32\BreastWomen.scr

2008-01-16 19:44 . 2008-01-16 19:44 640,957 --a------ C:\WINDOWS\unins000.exe

2008-01-16 19:44 . 2008-01-16 19:44 822 --a------ C:\WINDOWS\unins000.dat

2008-01-16 19:41 . 2008-01-16 19:41 <DIR> d-------- C:\Program Files\Active Dancer Strip Saver

2008-01-16 19:39 . 2008-01-16 19:39 <DIR> d-------- C:\Program Files\Stardock

2008-01-16 19:39 . 2007-07-11 16:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll

2008-01-16 16:38 . 2008-01-16 16:38 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll

2008-01-15 22:24 . 2007-04-27 18:03 211 --ahsc--- C:\BOOT.BKK

2008-01-15 22:20 . 2008-01-15 22:20 <DIR> d-------- C:\Program Files\TGTSoft

2007-12-31 11:44 . 2007-12-31 11:44 <DIR> d-------- C:\Program Files\GameSpy Arcade

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-27 16:11 --------- d-----w C:\Program Files\QuickTime

2008-01-27 16:11 --------- d-----w C:\Program Files\PowerISO

2008-01-27 16:11 --------- d-----w C:\Program Files\iTunes

2008-01-27 16:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-01-26 23:12 --------- d-----w C:\Program Files\iPod

2008-01-20 20:26 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys

2008-01-20 00:29 --------- d-----w C:\Program Files\MSBuild

2008-01-12 07:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-12-31 01:50 --------- d-----w C:\Program Files\Microsoft Games

2007-12-31 01:44 --------- d-----w C:\Program Files\EA GAMES

2007-12-31 01:43 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-31 01:41 --------- d-----w C:\Program Files\LucasArts

2007-12-26 18:09 --------- d-----w C:\Program Files\ZD Soft

2007-12-23 17:41 --------- d-----w C:\Program Files\Notation

2007-12-03 00:06 --------- d-----w C:\Program Files\Lavasoft

2007-12-02 23:23 --------- d-----w C:\Program Files\Sierra Entertainment

.

----a-w     59,392 2008-01-22 03:39:22  C:\WINDOWS\system\hpsysdrv .exe
----a-w    667,648 2008-01-22 03:39:24  C:\WINDOWS\system32\hphmon06 .exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]

2007-03-02 18:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]

2007-03-02 18:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9CEE89F-CC54-4337-A283-7035335B42E6}]

2004-10-07 14:30 45056 ----s---- C:\WINDOWS\system32\winifo.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]

2008-01-21 20:52 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}

{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

 

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [ ]

"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [ ]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

"WindowBlinds"="C:\Documents and Settings\All Users\Documents\Stardock\WindowBlinds\WBInstall32.exe" [ ]

"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [ ]

"Steam"="C:\SteamBuster\Resources\Emulator\hCUPa\Steam.exe" [ ]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [ ]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [ ]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [ ]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]

"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [ ]

"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [ ]

"KBD"="C:\HP\KBD\KBD.EXE" [ ]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]

"VTTimer"="VTTimer.exe" []

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

"AlcxMonitor"="ALCXMNTR.EXE" []

"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [ ]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]

"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [ ]

"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [ ]

"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 03:50 26624 C:\WINDOWS\LOGI_MWX.EXE]

"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [ ]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]

"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [ ]

"GeelixHUDDesktop"="C:\Program Files\Geelix.4.0.0.0\GeelixHUDDesktop.exe" [ ]

"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [ ]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [ ]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]

"MSDrive"="C:\WINDOWS\system32\drvkib.dll" [2008-01-20 02:37 103936]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]

 

C:\Documents and Settings\Bobby\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 23:26:24 210520]

Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-04-29 14:38:57 176128]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqnk]

tuvsqnk.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-14 09:04 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=wbsys.dll

 

R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 03:50]

S3 vidcap;vidcap;C:\WINDOWS\system32\DRIVERS\vidcap.sys []

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]

\Shell\AutoRun\command - O:\LaunchU3.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b10c60aa-fc35-11db-a503-00112fd6ef99}]

\Shell\AutoRun\command - O:\LaunchU3.exe

 

.

Contents of the 'Scheduled Tasks' folder

"2007-04-29 23:22:05 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-27 10:35:18

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]

-> C:\WINDOWS\system32\drvkib.dll

.

Completion time: 2008-01-27 10:41:53 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-27 16:41:49

.

2008-01-22 17:55:40 --- E O F ---

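ComboFix's "Files Created" section is a timeline, and the most useful question to ask of it is what executable code appeared under the system directories around the time the trouble started. The parser below is an added example, not part of the thread and not ComboFix's own code. It parses the line format shown in the log above, selects entries created inside a date window and below a directory prefix, and separately lists files carrying both the hidden and system attributes. The sample listing is constructed from entries quoted in the log; the window 2008-01-19 to 2008-01-21 is an assumption drawn from Rob2142's account that things went wrong a day or two before the 2008-01-22 HijackThis scan.

```python
"""Timeline triage of ComboFix's "Files Created from ... to ..." listing.

Added example; not part of the thread and not ComboFix's own code.  Each line
of that section has the shape shown in the log above:
    <created> . <modified> <size or <DIR>> <attributes> <path>
The sample below is constructed from entries quoted in the thread, and the date
window used at the bottom is an assumption drawn from Rob2142's description
(trouble began a day or two before the 2008-01-22 scan).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$"
)
STAMP = "%Y-%m-%d %H:%M"
# Attribute letters in ComboFix's 9-character column; '-' means the bit is clear.
ATTR_NAMES = {"d": "directory", "r": "read-only", "a": "archive",
              "h": "hidden", "s": "system", "c": "compressed"}
CODE_EXTS = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass(frozen=True)
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]        # None for directories
    attrs: frozenset           # e.g. frozenset({"archive", "hidden", "system"})
    path: str


def _ts(value) -> datetime:
    """Accept a datetime or an ISO date/time string such as '2008-01-19'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_listing(text: str) -> List[Entry]:
    """Parse every line that matches the ComboFix 'Files Created' format."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(
            created=datetime.strptime(created, STAMP),
            modified=datetime.strptime(modified, STAMP),
            size=None if size == "<DIR>" else int(size.replace(",", "")),
            attrs=frozenset(ATTR_NAMES.get(c, c) for c in attrs if c != "-"),
            path=path,
        ))
    return entries


def created_between(entries, start, end, under=None):
    """Entries created in [start, end), optionally only below a directory prefix."""
    start, end = _ts(start), _ts(end)
    prefix = under.lower().rstrip("\\") + "\\" if under else None
    return [e for e in entries
            if start <= e.created < end
            and (prefix is None or e.path.lower().startswith(prefix))]


def new_code_under(entries, start, end, under=r"C:\WINDOWS\system32"):
    """Executable code (not directories) dropped below `under` inside the window."""
    return sorted(e.path for e in created_between(entries, start, end, under)
                  if e.size is not None and e.path.lower().endswith(CODE_EXTS))


def hidden_system(entries):
    """Files carrying both the hidden and system attributes.  A lead, not a
    verdict: ZoneAlarm's fidbox.dat in the sample is legitimate and has both."""
    return [e.path for e in entries if {"hidden", "system"} <= e.attrs]


# Constructed sample: lines copied from the ComboFix log in the thread.
SAMPLE_LISTING = r"""
2008-01-27 10:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 10:46 . 2008-01-22 12:39 <DIR> d----c--- C:\VundoFix Backups
2008-01-21 20:56 . 2008-01-26 17:21 241,696 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-20 10:28 . 2008-01-21 21:39 667,648 --a------ C:\WINDOWS\system32\hphmon06 .exe
2008-01-20 02:37 . 2008-01-20 02:37 105,472 --a------ C:\WINDOWS\system32\drvwat.dll
2008-01-20 02:37 . 2008-01-20 02:37 103,936 --a------ C:\WINDOWS\system32\drvkib.dll
2008-01-20 01:45 . 2008-01-20 01:46 <DIR> d-------- C:\Program Files\Xfire
2008-01-16 19:39 . 2007-07-11 16:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
"""

if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for p in new_code_under(entries, "2008-01-19", "2008-01-21"):
        print("new code under system32 in window:", p)
    for p in hidden_system(entries):
        print("hidden+system:", p)
```

Run as a script it prints three files for that window (drvkib.dll, drvwat.dll and "hphmon06 .exe"), and all three also appear in the helper's CFScript further down; the hidden/system filter, by contrast, returns only ZoneAlarm's fidbox.dat, a reminder that attributes on their own settle nothing. The window is exclusive at the upper end, so the ZoneAlarm files created on the evening of 2008-01-21 stay out of it.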

Hi,

 

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’).

 

File::

 

RENV::

C:\WINDOWS\system32\wmram .exe

C:\WINDOWS\system\hpsysdrv .exe

C:\WINDOWS\system32\hphmon06 .exe

C:\WINDOWS\system32\drvwat.dll

C:\WINDOWS\system32\drvkib.dll

C:\WINDOWS\system32\winifo.dll

Folder::

C:\Program Files\OneStepSearch

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9CEE89F-CC54-4337-A283-7035335B42E6}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqnk]

 

Save this as CFScript.

[image: CFScript.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

 

Next:

Please navigate (using Internet Explorer; other browsers won't work) to the following site: http://support.f-secure.com/enu/home/ols.shtml

Scroll to the bottom of the page, and click Start Scan.

When prompted, choose to install the software. After the software has installed, click Accept. Click Custom Scan and check the option for Scan inside archives, then click Start. The necessary databases will then be downloaded, and the scan will start automatically.

Please be patient, as this scan will take a while to complete. If any infections are found, then once the scan has finished the "cleaning" screen will be displayed.

Choose Automatic cleaning (recommended). After cleaning has finished, the Finish screen will be displayed.

Choose Show Report. In order to post the report, press CTRL+A on your keyboard to highlight all the text.

Then copy and paste that information into this thread. You may need two posts to fit it in.

jedi


I hope they're good, as you have a file infector, and I haven't finished removing it. Anyhow, your choice.


Since the issue appears to be resolved, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
