Hate to ask but am wits end--HJT Log included

Thread Solved

#1 NTXPablo, Jan 24th, 2008

First and foremost, who are you folks and how did you figure out how to increase the length of your days or go without sleep!!! The obvious effort you put into helping the less fortunate and knowledgeable is amazing. Not to overlook many others that contribute, as I only found DW yesterday, but Crunchie and Gerbil are all over this place fighting the evil nasties!!! Thanks in advance to everyone for all they do!!!

OK, to my problem. After googling the file iifgf.exe, which appears to be at least related to my problem, I stumbled here and, from going through some threads, I guess this is some variant of VUNDO. I tried to do as much as possible--running a Trend Micro AV scan many times, running FixVundo from Symantec, running VundoFix found via this site, etc. And while the usual problems have diminished--bad popups and redirects, disappearing desktop, constant triggering without fix by Trend Micro AV, reloading obvious bad add-ins into IE--they have not completely gone away. I always say I only know enough about PCs to be dangerous, but having read up on this type of malware, I don't think it is gone and it will only come back.

So I am here for help. Thanks.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:27 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1182776430710
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech&Curitel Utility Service - Unknown owner - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6983 bytes
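As an added illustration (not part of the original thread, and not code from HijackThis or any of the helpers here), the following Python script runs a few triage checks over a constructed excerpt of the HijackThis entries posted in this thread. It encodes the indicators the helpers act on: a BHO (O2) whose name is "(no name)" or a bare CLSID and whose DLL sits in system32; an entry marked "(file missing)", which is an orphaned registry value that only needs the pointer removed; a Run (O4) value launched with a long hex blob as its argument, like the runner1 line; a running process whose file name has a space before the extension (UfSeAgnt .exe alongside the real UfSeAgnt.exe, which ComboFix later lists on its own); and a service with "Unknown owner". The indicator names, the regular expressions and the 32-hex-digit threshold are my own assumptions. Hits are prompts for review, not verdicts: the ATI Smart service trips the last check and is a legitimate driver helper.

```python
import re

# Constructed excerpt: a handful of lines taken from the HijackThis logs posted
# in this thread, not a complete log. Assumed input for the example only.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)
O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - C:\WINDOWS\system32\pmnmnnm.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")              # R0/O2/O4/O23 ... entry lines
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")    # a bare {GUID} used as a BHO name
HEX_BLOB_RE = re.compile(r"\b[0-9A-F]{32,}\b")      # long hex argument (runner1 style)
SPACE_EXT_RE = re.compile(r" \.[A-Za-z0-9]{1,4}$")  # "name .exe": space before extension


def flags_for(line):
    """Indicator names (assumed names, chosen for this example) that fire on one log line."""
    line = line.rstrip()
    flags = []
    if not ENTRY_RE.match(line):
        # Not an entry line: treat it as a bare path from the "Running processes" list.
        if ":\\" in line and SPACE_EXT_RE.search(line):
            flags.append("space-before-extension")
        return flags
    section, _, rest = line.partition(" - ")
    if rest.endswith("(file missing)"):
        # Orphaned registry value: the file is gone, only the pointer is left.
        flags.append("file-missing")
    if section == "O2" and rest.startswith("BHO: "):
        parts = rest[len("BHO: "):].split(" - ")
        name, path = parts[0], parts[-1]
        if (name == "(no name)" or CLSID_RE.match(name)) and "\\system32\\" in path.lower():
            flags.append("unnamed-bho-in-system32")
    elif section == "O4" and HEX_BLOB_RE.search(rest):
        flags.append("hex-blob-argument")
    elif section == "O23" and "Unknown owner" in rest:
        flags.append("unknown-service-owner")
    return flags


def triage(text):
    """Return [(line, flags)] for every line of a log that trips at least one indicator."""
    hits = []
    for raw in text.splitlines():
        flags = flags_for(raw)
        if flags:
            hits.append((raw.rstrip(), flags))
    return hits


if __name__ == "__main__":
    for line, flags in triage(SAMPLE_LOG):
        print(", ".join(flags).ljust(40), line)
```

Run it against a saved HijackThis log by reading the file into `triage()`; the five lines it flags in the excerpt are the ones the helpers below ask to have fixed or deleted, plus the ATI Smart service as a reminder that a hit still needs a human look.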

#2 gerbil, Jan 24th, 2008

Post C:\vundofix.txt also...
Deep, deep in the woods, but walking about.

#3 NTXPablo, Jan 27th, 2008

Sorry, Gerbil, to seemingly ignore your help and take so long getting back, but I had a bit of a family emergency that pulled me out of the loop and out of town until Saturday night.

Here is the vundofix.txt that you requested:

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 9:21:50 PM 1/21/2008

Listing files found while scanning....

C:\WINDOWS\system32\cedcylng.dll
C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\jfdcpxnh.dll
C:\WINDOWS\system32\pmnmnnm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cedcylng.dll
C:\WINDOWS\system32\cedcylng.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\fgfii.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\iifgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jfdcpxnh.dll
C:\WINDOWS\system32\jfdcpxnh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\fgfii.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\iifgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 10:59:53 PM 1/23/2008

Listing files found while scanning....

C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\pmnmnnm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\fgfii.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\iifgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 11:54:01 PM 1/23/2008

Listing files found while scanning....

C:\WINDOWS\system32\pmnmnnm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

#4 gerbil, Jan 28th, 2008

A delay is not a problem for me, Pablo.
Let's try to manually delete the file that Vundofix could not.
==This one is a general-purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Double-click the exe to install it, unchecking the updater and assistant boxes. It runs from the right-click context menu, and that is cool.
Now, first off, start HijackThis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

Now go in, right-click these files and use Unlocker....
C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\mrofinu72.exe
Restart your machine, delete C:\vundofix.txt, download a fresh copy of Vundofix and run it.
Post another HijackThis log.
Last edited by gerbil; Jan 28th, 2008 at 1:03 am.
Deep, deep in the woods, but walking about.

#5 NTXPablo, Jan 28th, 2008

Gerbil,

I did what you said and had mixed results. First, and this is probably important, Unlocker did not seem to ever unlock the file. Every time I ran it on that particular file, I got an error message saying that Windows Explorer had to close. Then, when I ran VundoFix, it could not delete the file.

I was able to remove the line you indicated in the HJT log. The other thing was that the second file you said to use Unlocker on was nowhere to be found--not in C:\WINDOWS, not in a search of my hard drives.

Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:41 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)
O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - C:\WINDOWS\system32\pmnmnnm.dll
O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1182776430710
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech&Curitel Utility Service - Unknown owner - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7555 bytes

#6 gerbil, Jan 29th, 2008

Congratulations of a sort are due - that is the first I have seen where Unlocker has failed.
Try running Vundofix this way: restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes, right-click inside the white text box, left-click the "Add more files?" line, and paste these pathnames into the new window [one per line]:

C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\mnnmnmp.*

Click the Add Files button, and then the Remove Vundo button.******

You will receive a prompt asking if you want to remove the files - click YES.
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present, rerun Vundofix !!!
Follow with this; we will get a chance to see other new files that were created with Vundo.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, reboot to restore the desktop.
Post the contents of C:\vundofix.txt plus a new HijackThis log also.
Deep, deep in the woods, but walking about.
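An added example, not from the thread and not part of VundoFix or Unlocker: a small Python helper that reads a VundoFix log like the one posted in #3, separates what was deleted from what "Could not be deleted", and derives the reversed-stem companion names that this thread's logs show alongside each Vundo DLL (iifgf.dll next to fgfii.ini and fgfii.ini2, and gerbil's mnnmnmp.* for pmnmnnm.dll in the post above). The result is the list to hand to Unlocker, or to paste into VundoFix's "Add more files?" box. The sample log is a constructed excerpt; the .ini/.ini2 reversed-name pattern is a heuristic drawn from the logs in this thread, not a documented rule, and the function names are my own.

```python
import re

# Constructed excerpt of the VundoFix log posted earlier in this thread (assumed input;
# the real log repeats the scan/removal cycle several times).
VUNDOFIX_LOG = r"""VundoFix V6.7.7

Listing files found while scanning....

C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\pmnmnnm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\fgfii.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\iifgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.
"""

# One outcome line per deletion attempt: "<path> Has been deleted!" or "<path> Could not be deleted."
RESULT_RE = re.compile(r"^(.*?) (Has been deleted!|Could not be deleted\.)$")


def removal_results(text):
    """Map each path VundoFix tried to delete to 'deleted' or 'locked'."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[m.group(1)] = "deleted" if m.group(2).startswith("Has") else "locked"
    return results


def still_present(text):
    """Paths VundoFix reported it could not delete, in sorted order."""
    return sorted(p for p, r in removal_results(text).items() if r == "locked")


def companion_names(dll_path):
    """Reversed-stem companion files seen next to each Vundo DLL in this thread's logs
    (iifgf.dll -> fgfii.ini and fgfii.ini2). Heuristic drawn from those logs, not a rule."""
    directory, _, name = dll_path.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    reversed_stem = stem[::-1]
    return ["\\".join((directory, reversed_stem + "." + ext)) for ext in ("ini", "ini2")]


def manual_targets(text):
    """Files to hand to Unlocker or to VundoFix's 'Add more files?' box:
    each locked DLL followed by its two companion names."""
    targets = []
    for path in still_present(text):
        targets.append(path)
        targets.extend(companion_names(path))
    return targets


if __name__ == "__main__":
    for path in manual_targets(VUNDOFIX_LOG):
        print(path)
```

Point it at C:\vundofix.txt instead of the embedded excerpt to get the same list for a real run; a DLL that keeps coming back as "locked" across cycles is the one to take to Safe Mode, as gerbil does above.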

#7 overwhelmed, Jan 29th, 2008

You can remove these entries through HijackThis...

O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)

O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - C:\WINDOWS\system32\pmnmnnm.dll

O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)

#8 NTXPablo, Jan 29th, 2008

OK, Gerbil... I did all that you asked, so here goes with the logs:

COMBOFIX LOG:

ComboFix 08-01-29.3 - Paul 2008-01-29 1:23:58.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.818 [GMT -6:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\pmnmnnm.dll

----- BITS: Possible infected sites -----

hxxp://80.93.59.108
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 20:57 . 2008-01-28 20:57 306 --a------ C:\WINDOWS\QTW.QTW
2008-01-28 20:53 . 2008-01-28 20:53 86,400 --a------ C:\WINDOWS\~GLC0000.TMP
2008-01-28 19:09 . 2008-01-28 19:10 13,824 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-27 15:20 . 2008-01-28 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 21:57 . 2008-01-23 21:57 <DIR> d-------- C:\WINDOWS\Sun
2008-01-23 21:57 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-23 21:55 . 2008-01-23 21:57 <DIR> d-------- C:\Program Files\Java
2008-01-23 21:55 . 2008-01-23 21:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-21 23:32 . 2008-01-21 23:32 78,912 --a------ C:\WINDOWS\system32\ejtkbemq.junk
2008-01-21 23:29 . 2008-01-21 23:29 6,675 --a------ C:\WINDOWS\system32\rxqmhuct.junk
2008-01-21 23:26 . 2008-01-21 23:26 6,675 --a------ C:\WINDOWS\system32\chbcmnky.junk
2008-01-21 23:20 . 2008-01-21 23:20 78,912 --a------ C:\WINDOWS\system32\qxpcdpaj.junk
2008-01-21 21:21 . 2008-01-29 01:17 <DIR> d-------- C:\VundoFix Backups
2008-01-20 12:19 . 2008-01-20 12:19 6,675 --a------ C:\WINDOWS\system32\qbeebqpx.dll
2008-01-20 12:17 . 2008-01-20 12:17 6,675 --a------ C:\WINDOWS\system32\dbqcvrqi.dll
2008-01-20 11:16 . 2007-12-16 18:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-20 11:16 . 2007-12-16 18:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-20 11:16 . 2007-12-16 18:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-19 17:34 . 2008-01-19 19:45 <DIR> d-------- C:\Documents and Settings\Paul\.housecall6.6
2008-01-19 14:51 . 2006-05-03 11:57 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-19 14:20 . 2008-01-23 09:01 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 02:53 86,400 ----a-w C:\WINDOWS\~GLC0000.TMP
2008-01-29 02:53 --------- d-----w C:\Program Files\YOU DON'T KNOW JACK
2008-01-29 02:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 02:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-20 17:16 --------- d-----w C:\Program Files\Trend Micro
2008-01-20 02:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 23:10 --------- d-----w C:\Program Files\Common Files\Real
2008-01-19 23:01 --------- d-----w C:\Program Files\Total 3D Home Deluxe
2008-01-19 23:00 --------- d-----w C:\Program Files\TDK
2008-01-19 22:52 --------- d-----w C:\Program Files\Rage
2008-01-19 22:45 --------- d-----w C:\Program Files\InterActual
2008-01-19 22:27 --------- d-----w C:\Program Files\ATI Technologies
2008-01-19 20:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-19 19:54 --------- d-----w C:\Documents and Settings\Paul\Application Data\Lavasoft
2008-01-19 18:11 --------- d-----w C:\Program Files\QuickTime
2008-01-19 18:10 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-19 18:10 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-17 00:29 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-17 00:29 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-17 00:29 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-12-17 00:29 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-17 00:29 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-05-02 17:34 66,192 ----a-w C:\Documents and Settings\Paul\Application Data\GDIPFONTCACHEV1.DAT
.
<pre>
----a-w            39,792 2008-01-19 20:20:51  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w         1,393,928 2008-01-24 01:02:54  C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
----a-w           492,808 2008-01-24 01:02:53  C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
----a-w            15,360 2008-01-23 15:01:18  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd2081d7-a797-464a-86e7-52f781095074}]
C:\WINDOWS\system32\ejtkbemq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6}]
C:\WINDOWS\system32\iifgf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="" []
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [ ]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\main\ATISched.EXE" [ ]
"ATI Launchpad"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-01-23 19:43 492808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [ ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [ ]
"Regx10EXE"="C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"CTHelper"="CTHELPER.EXE" [2007-04-09 11:32 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [ ]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-23 19:43 1393928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56 158208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"VundoFix"="C:\Documents and Settings\Paul\Desktop\vundofix.exe" [2008-01-28 19:52 132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-02-11 20:54:15 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

R0 portenum;Intek21 PCI IO Driver;C:\WINDOWS\system32\DRIVERS\portenum.sys [2000-07-07 20:59]
R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-07 13:15]
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 15:29]
S2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [1999-11-05 18:43]
S2 SESUSBHW;%SESUSBHW.SvcDesc%;C:\WINDOWS\system32\Drivers\sesusb.sys [2001-05-11 16:50]
S3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 10:53]
S3 DCamUSBAlaris;ALARIS QuickVideo weeCam USB;C:\WINDOWS\system32\DRIVERS\DVC2USB.sys [1999-08-04 05:08]
S3 WEBNTACCESS;WEBNTACCESS;C:\WINDOWS\System32\NTACCESS.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 01:28:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
.
**************************************************************************
.
Completion time: 2008-01-29 1:31:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 07:31:09
.
2008-01-09 15:24:01 --- E O F ---


VUNDOFIX LOG:

VundoFix V6.7.7

Checking Java version...

Scan started at 11:21:34 PM 1/28/2008

Listing files found while scanning....

C:\WINDOWS\system32\pmnmnnm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!


HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:03 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)
O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1182776430710
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech&Curitel Utility Service - Unknown owner - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7337 bytes
Join Date: Jul 2007
Posts: 271
Solved Threads: 11
overwhelmed
Posting Whiz in Training

Re: Hate to ask but am wits end--HJT Log included

#9
Jan 29th, 2008
You can remove these entries through HijackThis:

O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)

O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - C:\WINDOWS\system32\pmnmnnm.dll

O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)
Join Date: Feb 2004
Posts: 9,982
Solved Threads: 754
crunchie
Moderator, Featured Poster, Spyware Killer

Re: Hate to ask but am wits end--HJT Log included

#10
Jan 29th, 2008
Whilst Gerbil is offline, can you please do the following;

A. Please RUN HijackThis
  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)
    O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

RENV::
----a-w 39,792 2008-01-19 20:20:51 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 1,393,928 2008-01-24 01:02:54 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
----a-w 492,808 2008-01-24 01:02:53 C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
----a-w 15,360 2008-01-23 15:01:18 C:\WINDOWS\system32\ctfmon .exe

File::
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\rxqmhuct.junk
C:\WINDOWS\system32\chbcmnky.junk
C:\WINDOWS\system32\qxpcdpaj.junk
C:\WINDOWS\system32\qbeebqpx.dll
C:\WINDOWS\system32\dbqcvrqi.dll
C:\WINDOWS\system32\iifgf.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd2081d7-a797-464a-86e7-52f781095074}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6}]
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
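As an added example (not part of the thread, and not code from HijackThis, ComboFix or VundoFix), the Python script below applies the same judgement the helpers used above to O2 lines from a HijackThis log: it flags BHOs that are unnamed, whose file is missing, or that load a short random-looking DLL name out of system32, and separately spots the "name .exe" space-rename pattern that the RENV:: section of the CFScript repairs. The sample log lines are constructed from the entries posted in this thread; the scoring rules are heuristics, not anything the tools themselves implement.

```python
import re

# Constructed sample lines modelled on the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)
O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - C:\WINDOWS\system32\pmnmnnm.dll
O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O2 line layout: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
# Heuristic: Vundo-style droppers in this thread used short, all-lowercase names.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")


def suspicious_bhos(log_text):
    """Return (clsid, path, reasons) for O2 lines showing the signs discussed above."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if m.group("missing"):
            reasons.append("file missing")  # orphaned CLSID left after a partial clean
        if m.group("name") == "(no name)" or m.group("name").startswith("{"):
            reasons.append("unnamed BHO")   # legitimate BHOs carry a product name
        folder, _, filename = m.group("path").rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        if folder.lower().endswith("\\system32") and RANDOM_STEM.match(stem):
            reasons.append("random-looking name in system32")
        if reasons:
            findings.append((m.group("clsid"), m.group("path"), reasons))
    return findings


def space_renamed(paths):
    """Flag 'name .exe'-style entries, the pattern the RENV:: directive renames back."""
    return [p for p in paths if re.search(r" \.(exe|dll)$", p, re.IGNORECASE)]


if __name__ == "__main__":
    for clsid, path, reasons in suspicious_bhos(SAMPLE_HJT):
        print(f"{clsid}  {path}  <- {', '.join(reasons)}")
    # Constructed from the RENV:: block in the script above.
    print(space_renamed([r"C:\WINDOWS\system32\ctfmon .exe", r"C:\WINDOWS\system32\ctfmon.exe"]))
```

Entries with a single reason deserve a look rather than an automatic fix; the three lines the helpers chose here all trip at least two of the rules.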
©2003 - 2009 DaniWeb® LLC