IE keeps opening w/ ads and more <HijackThis log included>
Thread Solved
Help me please!
Internet Explorer keeps popping open with numerous ad sites even when I open Firefox.
Installed numerous spyware/adware scanners without success.
HijackThis log here:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:50 PM, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\admin\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=011308 serial=DR12WCB-8159340-QBN lang=EN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [copy real junk the] C:\Documents and Settings\All Users\Application Data\Name beep copy real\Download license.exe
O4 - HKLM\..\Run: [bhbsdrx] C:\Program Files\Common Files\System\tnmgncd.exe
O4 - HKLM\..\Run: [htocusa] C:\Program Files\Common Files\Microsoft Shared\pxpfern.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wipe hole] C:\DOCUME~1\admin\APPLIC~1\ITCHME~1\PokeLicense.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1185293502350
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 6483 bytes
Thanks in advance for any help.
Hi Gunther Forster, welcome to DaniWeb.
Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Do not mouseclick combofix's window while it's running. That may cause it to stall
Thanks. Here is the C:\ComboFix.txt (the HijackThis log follows the ComboFix log below):
ComboFix 08-01-04.1 - admin 2008-01-04 11:09:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.192 [GMT -4:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix(2).exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.
2008-01-04 11:09 . 2008-01-04 11:09 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-04 11:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 07:04 . 2008-01-04 07:04 <DIR> d-------- C:\Program Files\Itch meta
2008-01-03 21:02 . 2008-01-03 21:44 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-12-30 17:01 . 2007-12-30 17:01 <DIR> d-------- C:\System32
2007-12-29 17:09 . 2007-12-29 17:09 <DIR> d-------- C:\Program Files\CCleaner
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Program Files\COMODO
2007-12-29 16:58 . 2007-12-29 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Comodo
2007-12-29 16:58 . 2007-12-29 16:58 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2007-12-29 16:58 . 2007-12-29 16:58 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-29 16:58 . 2007-12-29 16:58 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-29 16:05 . 2007-12-29 16:05 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-27 12:22 . 2006-02-28 08:00 42,496 --a------ C:\WINDOWS\system32\sexit.dat
2007-12-24 14:10 . 2007-12-24 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\espionServerData
2007-12-23 16:57 . 2007-12-29 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 16:48 . 2007-12-23 20:31 <DIR> d-------- C:\Program Files\Photo Viewer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 15:11 --------- d-----w C:\Documents and Settings\admin\Application Data\Skype
2008-01-04 11:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Name beep copy real
2008-01-04 11:05 --------- d-----w C:\Documents and Settings\admin\Application Data\Itch meta
2008-01-04 01:47 --------- d-----w C:\Documents and Settings\admin\Application Data\WTablet
2007-12-27 15:42 169 --sh--w C:\Program Files\bhbsdrx.inf
2007-11-27 21:32 --------- d-----w C:\Documents and Settings\admin\Application Data\Sunbelt Software
2007-11-27 19:01 --------- d-----w C:\Documents and Settings\admin\Application Data\Corel
2007-11-27 16:19 --------- d-----w C:\Program Files\Corel
2007-11-27 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-11-27 16:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-27 16:13 20,640 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-27 16:13 109,568 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-11-27 16:13 108,544 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-27 15:58 --------- d-----w C:\Program Files\Tablet
2007-11-23 21:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-23 21:26 --------- d-----w C:\Documents and Settings\admin\Application Data\Azureus
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 11:43 --------- d-----w C:\Program Files\Apple Software Update
2007-11-06 01:28 --------- d-----w C:\Program Files\iTunes
2007-11-06 01:28 --------- d-----w C:\Program Files\iPod
2007-11-06 01:27 --------- d-----w C:\Program Files\QuickTime
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 21:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45 23120680]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"wipe hole"="C:\DOCUME~1\admin\APPLIC~1\ITCHME~1\PokeLicense.exe" [2008-01-04 07:04 408576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 12:39 729088]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 16:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 07:29 67752]
"bhbsdrx"="C:\Program Files\Common Files\System\tnmgncd.exe" [ ]
"htocusa"="C:\Program Files\Common Files\Microsoft Shared\pxpfern.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 08:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\guard32.dll
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-29 16:58]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-29 16:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 15:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 14:30]
R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 11:38]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{426ccd3c-1e07-11d7-8a3a-000272607886}]
\Shell\AutoRun\command - E:\htocusa.exe
\Shell\explore\Command - E:\htocusa.exe
\Shell\open\Command - E:\htocusa.exe
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 15:00:01 C:\WINDOWS\Tasks\AE46DC13907D59F7.job"
- c:\docume~1\admin\applic~1\itchme~1\Bone Style Heck.exe
"2008-01-02 13:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-16 21:34:21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1189957101.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 11:11:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-04 11:12:01
.
2007-12-22 07:00:56 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:45 AM, on 04/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\admin\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=011308 serial=DR12WCB-8159340-QBN lang=EN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [bhbsdrx] C:\Program Files\Common Files\System\tnmgncd.exe
O4 - HKLM\..\Run: [htocusa] C:\Program Files\Common Files\Microsoft Shared\pxpfern.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wipe hole] C:\DOCUME~1\admin\APPLIC~1\ITCHME~1\PokeLicense.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1185293502350
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 6141 bytes
Thanks for any help available.
"bhbsdrx"="C:\Program Files\Common Files\System\tnmgncd.exe" [ ]
"htocusa"="C:\Program Files\Common Files\Microsoft Shared\pxpfern.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 08:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\guard32.dll
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-29 16:58]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-29 16:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 15:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 14:30]
R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 11:38]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{426ccd3c-1e07-11d7-8a3a-000272607886}]
\Shell\AutoRun\command - E:\htocusa.exe
\Shell\explore\Command - E:\htocusa.exe
\Shell\open\Command - E:\htocusa.exe
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 15:00:01 C:\WINDOWS\Tasks\AE46DC13907D59F7.job"
- c:\docume~1\admin\applic~1\itchme~1\Bone Style Heck.exe
"2008-01-02 13:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-16 21:34:21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1189957101.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 11:11:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-04 11:12:01
.
2007-12-22 07:00:56 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:45 AM, on 04/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\admin\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=011308 serial=DR12WCB-8159340-QBN lang=EN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [bhbsdrx] C:\Program Files\Common Files\System\tnmgncd.exe
O4 - HKLM\..\Run: [htocusa] C:\Program Files\Common Files\Microsoft Shared\pxpfern.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wipe hole] C:\DOCUME~1\admin\APPLIC~1\ITCHME~1\PokeLicense.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1185293502350
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 6141 bytes
Thanks for any help available.
Hi Gunther
Can you tell me why you have this folder C:\System32
DON'T do anything with it just yet.
----------------------------------------------
Download SafeBootKeyRepair.exe by sUBs and save it to your desktop.
Double-click SafeBootKeyRepair.exe to run it. Follow any prompts that may appear then post the log it produces.
----------------------------------------------
If E:\ is a flash disk or external drive please make sure it is attached before running combofix.
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Program Files\bhbsdrx.inf
C:\WINDOWS\Tasks\AE46DC13907D59F7.job
E:\htocusa.exe
Folder::
C:\Documents and Settings\All Users\Application Data\Name beep copy real
C:\Documents and Settings\admin\Application Data\Itch meta
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wipe hole"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bhbsdrx"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"htocusa"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{426ccd3c-1e07-11d7-8a3a-000272607886}]
DirLook::
C:\System32
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
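The CFScript above was built by reading the ComboFix "Reg Loading Points" output and picking out three things: Run values whose file metadata is printed as "[ ]" (ComboFix could not find the target on disk), a Run value launching from an 8.3 short path under the user's Application Data folder, and MountPoints2 AutoRun/open/explore commands pointing at the E: drive. The script below is an added example for this thread, not code from ComboFix, HijackThis or anyone in the post; it applies those same checks to log text programmatically. The sample lines are copied from the log posted earlier in the thread; the function names, regular expressions and reason codes are my own.

```python
import re

# Constructed sample: lines copied verbatim from the ComboFix log posted in this
# thread (one benign CTFMON entry is kept for contrast).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"wipe hole"="C:\DOCUME~1\admin\APPLIC~1\ITCHME~1\PokeLicense.exe" [2008-01-04 07:04 408576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 16:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"bhbsdrx"="C:\Program Files\Common Files\System\tnmgncd.exe" [ ]
"htocusa"="C:\Program Files\Common Files\Microsoft Shared\pxpfern.exe" [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{426ccd3c-1e07-11d7-8a3a-000272607886}]
\Shell\AutoRun\command - E:\htocusa.exe
\Shell\explore\Command - E:\htocusa.exe
\Shell\open\Command - E:\htocusa.exe
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]. A leading "-"
# is CFScript syntax for "delete this key"; it is tolerated and ignored here.
KEY_RE = re.compile(r'^\[-?(HKEY_[^\]]+)\]$')
# "name"="target" [metadata]; ComboFix prints "[ ]" when the target was not found.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# \Shell\<verb>\command - <target>, as listed under a MountPoints2 subkey.
MOUNTPOINT_CMD_RE = re.compile(r'^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<target>.+?)\s*$', re.IGNORECASE)
# Long or 8.3 short form of a per-user Application Data folder.
APPDATA_RE = re.compile(r'\\(APPLIC~1|Application Data)\\', re.IGNORECASE)


def triage(log_text):
    """Return a list of findings (dicts with reason, key, name, target) for
    autorun entries that match the patterns acted on in this thread."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)      # value lines below belong to this key
            continue
        if current_key is None:
            continue                      # value line with no key context: skip
        key_lc = current_key.lower()
        m = RUN_VALUE_RE.match(line)
        if m and key_lc.endswith('\\run'):
            name, target, meta = m.group('name'), m.group('target'), m.group('meta').strip()
            if not meta:
                # "[ ]": the referenced executable is absent; the value is a leftover
                # or its payload is hidden from the scanner.
                findings.append({'reason': 'missing-file', 'key': current_key, 'name': name, 'target': target})
            elif APPDATA_RE.search(target):
                # Legitimate autostarts rarely run out of a user's Application Data.
                findings.append({'reason': 'appdata-launch', 'key': current_key, 'name': name, 'target': target})
            continue
        m = MOUNTPOINT_CMD_RE.match(line)
        if m and 'mountpoints2' in key_lc:
            target = m.group('target')
            if not target.upper().startswith('C:\\'):
                # AutoRun/open/explore handler on a non-system drive (USB stick worm pattern).
                findings.append({'reason': 'removable-autorun', 'key': current_key,
                                 'name': m.group('verb'), 'target': target})
    return findings


def summarize(findings):
    """Map each reason code to the list of value names (or verbs) it flagged."""
    summary = {}
    for f in findings:
        summary.setdefault(f['reason'], []).append(f['name'])
    return summary


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:18} {f['name']!r:14} -> {f['target']}")
```

Run against the sample it flags exactly the entries the CFScript removes: "wipe hole" (Application Data launch), "bhbsdrx" and "htocusa" (missing files) and the three E:\htocusa.exe mount-point commands. The empty-metadata check is the cheapest signal in a ComboFix log and is worth reading for first on any Run key.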
Thanks again.
Firstly, I have no idea what this system32 thing is?
As for your instructions, I followed them as instructed:
I ran the safeboot repair without incident but lost the log files when the next stage - combofix - ran. Sorry!
The combofix script ran well and produced the log below:
ComboFix 08-01-04.1 - admin 2008-01-04 13:56:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.140 [GMT -4:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Program Files\bhbsdrx.inf
C:\WINDOWS\Tasks\AE46DC13907D59F7.job
E:\htocusa.exe
.
The following files were disabled during the run:
C:\Program Files\NoAdware5.0\nutils.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\admin\Application Data\Itch meta
C:\Documents and Settings\admin\Application Data\Itch meta\0
C:\Documents and Settings\admin\Application Data\Itch meta\Bone Style Heck.exe
C:\Documents and Settings\admin\Application Data\Itch meta\ezilwgpi.exe
C:\Documents and Settings\admin\Application Data\Itch meta\PokeLicense.exe
C:\Documents and Settings\admin\Application Data\Itch meta\vhnytdue.exe
C:\Documents and Settings\All Users\Application Data\Name beep copy real\Bib Log.exe
C:\Program Files\bhbsdrx.inf
C:\WINDOWS\Tasks\AE46DC13907D59F7.job
C:\Documents and Settings\All Users\Application Data\Name beep copy real
.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.
2008-01-04 11:09 . 2008-01-04 11:09 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-04 11:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 07:04 . 2008-01-04 07:04 <DIR> d-------- C:\Program Files\Itch meta
2008-01-03 21:02 . 2008-01-04 13:59 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-12-30 17:01 . 2007-12-30 17:01 <DIR> d-------- C:\System32
2007-12-29 17:09 . 2007-12-29 17:09 <DIR> d-------- C:\Program Files\CCleaner
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Program Files\COMODO
2007-12-29 16:58 . 2007-12-29 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Comodo
2007-12-29 16:58 . 2007-12-29 16:58 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2007-12-29 16:58 . 2007-12-29 16:58 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-29 16:58 . 2007-12-29 16:58 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-29 16:05 . 2007-12-29 16:05 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-27 12:22 . 2006-02-28 08:00 42,496 --a------ C:\WINDOWS\system32\sexit.dat
2007-12-24 14:10 . 2007-12-24 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\espionServerData
2007-12-23 16:57 . 2007-12-29 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 16:48 . 2007-12-23 20:31 <DIR> d-------- C:\Program Files\Photo Viewer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 17:59 --------- d-----w C:\Documents and Settings\admin\Application Data\WTablet
2008-01-04 17:56 --------- d-----w C:\Documents and Settings\admin\Application Data\Skype
2007-11-27 21:32 --------- d-----w C:\Documents and Settings\admin\Application Data\Sunbelt Software
2007-11-27 19:01 --------- d-----w C:\Documents and Settings\admin\Application Data\Corel
2007-11-27 16:19 --------- d-----w C:\Program Files\Corel
2007-11-27 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-11-27 16:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-27 16:13 20,640 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-27 15:58 --------- d-----w C:\Program Files\Tablet
2007-11-23 21:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-23 21:26 --------- d-----w C:\Documents and Settings\admin\Application Data\Azureus
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 11:43 --------- d-----w C:\Program Files\Apple Software Update
2007-11-06 01:28 --------- d-----w C:\Program Files\iTunes
2007-11-06 01:28 --------- d-----w C:\Program Files\iPod
2007-11-06 01:27 --------- d-----w C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\System32 ----
2007-12-30 17:01 130 --a------ C:\System32\Tablet.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45 23120680]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 12:39 729088]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 16:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 07:29 67752]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 08:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\guard32.dll
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-29 16:58]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-29 16:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 15:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 14:30]
R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 11:38]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 13:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-16 21:34:21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1189957101.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 14:00:28
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-04 14:02:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 18:02:19
ComboFix2.txt 2008-01-04 15:12:02
.
2007-12-22 07:00:56 --- E O F ---
Thanks again,
Gunther
OK Gunther
I want you to continue running the fixes in normal mode but check to see if you can boot to safe mode (tapping F8 at boot until menu appears) and logon?
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\sexit.dat
Folder::
C:\Program Files\Itch meta
Save this as CFScript.txt, in the same location as ComboFix.exe
Drag it onto ComboFix.exe same as before and post the resulting c:\combofix.txt
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
-------------------------------
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner
Answer Yes, when prompted to install an ActiveX component.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
- Extended
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Scan using the following Anti-Virus database:
- Click OK & have it scan My Computer
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
-------------------------------
Post a new HijackThis log along with the kaspersky report and combofix.txt. How is the computer behaving now?
Join Date: Jan 2008
Posts: 7
Reputation:
Solved Threads: 0
Hi:
Thanks again. The computer is running so much better and no IE opens to this point!! And now I can get safe mode to work. Thanks.
I did the new CF script and the log is below. But when I went to the Kaspersky link I couldn't access the online scanner with either IE or Firefox. I searched for the online scanner within the site but only the single file scanner seems to be working: http://www.kaspersky.com/scanforvirus
The CF log:
ComboFix 08-01-04.1 - admin 2008-01-04 18:45:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.218 [GMT -4:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\sexit.dat
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Itch meta
C:\WINDOWS\system32\sexit.dat
.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.
2008-01-04 14:02 . 2008-01-04 14:02 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-04 14:02 . 2006-04-18 03:17 14,054 --------- C:\WINDOWS\_000001_.tmp.dll
2008-01-04 11:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 21:02 . 2008-01-04 14:02 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-12-30 17:01 . 2007-12-30 17:01 <DIR> d-------- C:\System32
2007-12-29 17:09 . 2007-12-29 17:09 <DIR> d-------- C:\Program Files\CCleaner
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Program Files\COMODO
2007-12-29 16:58 . 2007-12-29 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Comodo
2007-12-29 16:58 . 2007-12-29 16:58 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2007-12-29 16:58 . 2007-12-29 16:58 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-29 16:58 . 2007-12-29 16:58 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-29 16:05 . 2007-12-29 16:05 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-24 14:10 . 2007-12-24 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\espionServerData
2007-12-23 16:57 . 2007-12-29 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 16:48 . 2007-12-23 20:31 <DIR> d-------- C:\Program Files\Photo Viewer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 22:48 --------- d-----w C:\Documents and Settings\admin\Application Data\Skype
2008-01-04 17:59 --------- d-----w C:\Documents and Settings\admin\Application Data\WTablet
2007-11-27 21:32 --------- d-----w C:\Documents and Settings\admin\Application Data\Sunbelt Software
2007-11-27 19:01 --------- d-----w C:\Documents and Settings\admin\Application Data\Corel
2007-11-27 16:19 --------- d-----w C:\Program Files\Corel
2007-11-27 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-11-27 16:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-27 16:13 20,640 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-27 16:13 109,568 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-11-27 16:13 108,544 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-27 15:58 --------- d-----w C:\Program Files\Tablet
2007-11-23 21:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-23 21:26 --------- d-----w C:\Documents and Settings\admin\Application Data\Azureus
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 11:43 --------- d-----w C:\Program Files\Apple Software Update
2007-11-06 01:28 --------- d-----w C:\Program Files\iTunes
2007-11-06 01:28 --------- d-----w C:\Program Files\iPod
2007-11-06 01:27 --------- d-----w C:\Program Files\QuickTime
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 21:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-04_11.11.37.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-04-18 07:17:07 14,054 ------w C:\WINDOWS\_000001_.tmp.dll
+ 2006-03-17 00:38:01 28,672 ------w C:\WINDOWS\system32\verclsid.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45 23120680]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 12:39 729088]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 16:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 07:29 67752]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 08:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\guard32.dll
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-29 16:58]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-29 16:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 15:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 14:30]
R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 11:38]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 13:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-16 21:34:21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1189957101.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 18:48:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-04 18:48:45
ComboFix-quarantined-files.txt 2008-01-04 22:48:36
ComboFix2.txt 2008-01-04 18:02:24
ComboFix3.txt 2008-01-04 15:12:02
.
2008-01-04 18:17:43 --- E O F ---
Let me know if I should do anything else at this point and again my much appreciated thanks.
Gunther
Sorry Gunther
I believe Kaspersky have been having some trouble with some links, I'm not sure if that's fixed yet or not.
I would like to see an online scan to make sure you have no remnants onboard. We do still need to do some final cleanup afterwards. Please try this scan
ESET Online Scanner
- Please go to the following link: ESET Online Scanner Link
- Tick the box "YES, I accept the Terms Of Use"
- Click the Start button
- Now click the Install button
- Click Start. The scanner engine will initialise and update.
- Do NOT tick the box "Remove found threats"
- Click the Scan button. The scan will now run, please be patient.
- When the scan finishes, click the Details tab
- Copy and paste the contents of %ProgramFiles%\EsetOnlineScanner\log.txt back here.