
Help me please!

IExplorer keeps popping open with numerous ad sites even when I open Firefox.
Installed numerous spyware/adware scanners without success.

HijackThis log here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:50 PM, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\admin\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=011308 serial=DR12WCB-8159340-QBN lang=EN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [copy real junk the] C:\Documents and Settings\All Users\Application Data\Name beep copy real\Download license.exe
O4 - HKLM\..\Run: [bhbsdrx] C:\Program Files\Common Files\System\tnmgncd.exe
O4 - HKLM\..\Run: [htocusa] C:\Program Files\Common Files\Microsoft Shared\pxpfern.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wipe hole] C:\DOCUME~1\admin\APPLIC~1\ITCHME~1\PokeLicense.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185293502350
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6483 bytes

Thanks in advance for any help.

Last Post by MoralTerror

Hi Gunther Forster, welcome to DaniWeb.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.


Thanks. Here is the C:\ComboFix.txt (the HijackThis log follows the ComboFix log below):

ComboFix 08-01-04.1 - admin 2008-01-04 11:09:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.192 [GMT -4:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix(2).exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 11:09 . 2008-01-04 11:09 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-04 11:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 07:04 . 2008-01-04 07:04 <DIR> d-------- C:\Program Files\Itch meta
2008-01-03 21:02 . 2008-01-03 21:44 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-12-30 17:01 . 2007-12-30 17:01 <DIR> d-------- C:\System32
2007-12-29 17:09 . 2007-12-29 17:09 <DIR> d-------- C:\Program Files\CCleaner
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Program Files\COMODO
2007-12-29 16:58 . 2007-12-29 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Comodo
2007-12-29 16:58 . 2007-12-29 16:58 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2007-12-29 16:58 . 2007-12-29 16:58 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-29 16:58 . 2007-12-29 16:58 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-29 16:05 . 2007-12-29 16:05 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-27 12:22 . 2006-02-28 08:00 42,496 --a------ C:\WINDOWS\system32\sexit.dat
2007-12-24 14:10 . 2007-12-24 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\espionServerData
2007-12-23 16:57 . 2007-12-29 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 16:48 . 2007-12-23 20:31 <DIR> d-------- C:\Program Files\Photo Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 15:11 --------- d-----w C:\Documents and Settings\admin\Application Data\Skype
2008-01-04 11:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Name beep copy real
2008-01-04 11:05 --------- d-----w C:\Documents and Settings\admin\Application Data\Itch meta
2008-01-04 01:47 --------- d-----w C:\Documents and Settings\admin\Application Data\WTablet
2007-12-27 15:42 169 --sh--w C:\Program Files\bhbsdrx.inf
2007-11-27 21:32 --------- d-----w C:\Documents and Settings\admin\Application Data\Sunbelt Software
2007-11-27 19:01 --------- d-----w C:\Documents and Settings\admin\Application Data\Corel
2007-11-27 16:19 --------- d-----w C:\Program Files\Corel
2007-11-27 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-11-27 16:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-27 16:13 20,640 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-27 16:13 109,568 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-11-27 16:13 108,544 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-27 15:58 --------- d-----w C:\Program Files\Tablet
2007-11-23 21:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-23 21:26 --------- d-----w C:\Documents and Settings\admin\Application Data\Azureus
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 11:43 --------- d-----w C:\Program Files\Apple Software Update
2007-11-06 01:28 --------- d-----w C:\Program Files\iTunes
2007-11-06 01:28 --------- d-----w C:\Program Files\iPod
2007-11-06 01:27 --------- d-----w C:\Program Files\QuickTime
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 21:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45 23120680]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"wipe hole"="C:\DOCUME~1\admin\APPLIC~1\ITCHME~1\PokeLicense.exe" [2008-01-04 07:04 408576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 12:39 729088]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 16:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 07:29 67752]
"bhbsdrx"="C:\Program Files\Common Files\System\tnmgncd.exe" [ ]
"htocusa"="C:\Program Files\Common Files\Microsoft Shared\pxpfern.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 08:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\guard32.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-29 16:58]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-29 16:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 15:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 14:30]
R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 11:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{426ccd3c-1e07-11d7-8a3a-000272607886}]
\Shell\AutoRun\command - E:\htocusa.exe
\Shell\explore\Command - E:\htocusa.exe
\Shell\open\Command - E:\htocusa.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 15:00:01 C:\WINDOWS\Tasks\AE46DC13907D59F7.job"
- c:\docume~1\admin\applic~1\itchme~1\Bone Style Heck.exe
"2008-01-02 13:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-16 21:34:21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1189957101.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 11:11:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-04 11:12:01
.
2007-12-22 07:00:56 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:45 AM, on 04/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\admin\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=011308 serial=DR12WCB-8159340-QBN lang=EN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [bhbsdrx] C:\Program Files\Common Files\System\tnmgncd.exe
O4 - HKLM\..\Run: [htocusa] C:\Program Files\Common Files\Microsoft Shared\pxpfern.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wipe hole] C:\DOCUME~1\admin\APPLIC~1\ITCHME~1\PokeLicense.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185293502350
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6141 bytes


Thanks for any help available.


Hi Gunther

Can you tell me why you have this folder C:\System32?
DON'T do anything with it just yet.

----------------------------------------------

Download SafeBootKeyRepair.exe by sUBs and save it to your desktop.

Double-click SafeBootKeyRepair.exe to run it. Follow any prompts that may appear then post the log it produces.

----------------------------------------------

If E:\ is a flash disk or external drive please make sure it is attached before running combofix.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\Program Files\bhbsdrx.inf
C:\WINDOWS\Tasks\AE46DC13907D59F7.job
E:\htocusa.exe
Folder::
C:\Documents and Settings\All Users\Application Data\Name beep copy real
C:\Documents and Settings\admin\Application Data\Itch meta
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wipe hole"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bhbsdrx"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"htocusa"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{426ccd3c-1e07-11d7-8a3a-000272607886}]
DirLook::
C:\System32


Save this as CFScript.txt, in the same location as ComboFix.exe.


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Attachments CFScript.gif 27.09 KB
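An added example, this editor's and not the helper's or ComboFix's: a small Python triage of the O4 (autostart) lines from the first HijackThis log, using the two location rules the fix above implicitly relied on (executables run from a user-profile folder, and bare executables dropped straight into Common Files\System or Common Files\Microsoft Shared), and emitting the Registry:: block in the CFScript syntax shown above. The sample lines are copied from the log; the rule set, names and helper functions are assumptions.

```python
"""Triage the O4 (autostart) entries of a HijackThis log and emit the
Registry:: block of a ComboFix CFScript for the entries that look planted.
Hypothetical helper written for this thread; the two location rules are
this editor's heuristics, not HijackThis's or ComboFix's."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A HijackThis Run-key line reads:  O4 - HKLM\..\Run: [entry name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
RUN_SUFFIX = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Rule 1: executable lives under a user profile / Application Data folder
# (long and 8.3 spellings, since HijackThis prints both).
PROFILE_MARKERS = ("documents and settings", "docume~1", "application data", "applic~1")
# Rule 2: a bare .exe sitting directly in a shared vendor folder that real
# installers only populate with subfolders.
SHARED_DROP_DIRS = (r"common files\system", r"common files\microsoft shared")


@dataclass
class Autostart:
    hive: str
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def run_key(hive: str) -> str:
    """Expand the HijackThis hive shorthand to the full Run key a CFScript needs."""
    if hive == "HKLM":
        return "HKEY_LOCAL_MACHINE" + RUN_SUFFIX
    if hive == "HKCU":
        return "HKEY_CURRENT_USER" + RUN_SUFFIX
    return "HKEY_USERS\\" + hive.split("\\", 1)[1] + RUN_SUFFIX  # HKUS\S-1-5-18 etc.


def exe_path(cmd: str) -> str:
    """Pull the executable out of the command line: quoted, or unquoted with
    spaces up to the first .exe, exactly as HijackThis prints it."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(path: str) -> list[str]:
    """Apply the two location rules; an empty list means nothing looks off."""
    low = path.lower()
    reasons = []
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append("runs from a user-profile / Application Data folder")
    parent = low.rsplit("\\", 1)[0]
    if any(parent.endswith(d) for d in SHARED_DROP_DIRS):
        reasons.append("bare executable dropped directly into a shared vendor folder")
    return reasons


def parse_o4(log: str) -> list[Autostart]:
    """Collect Run-key O4 entries; Global Startup .lnk lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            path = exe_path(m["cmd"])
            entries.append(Autostart(m["hive"], m["name"], path, triage(path)))
    return entries


def cfscript_registry(entries: list[Autostart]) -> str:
    """Registry:: block in CFScript syntax: '"name"=-' deletes that Run value."""
    lines = ["Registry::"]
    for e in entries:
        if e.suspicious:
            lines.append(f"[{run_key(e.hive)}]")
            lines.append(f'"{e.name}"=-')
    return "\n".join(lines)


# Constructed sample: O4 lines copied from the first HijackThis log in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [copy real junk the] C:\Documents and Settings\All Users\Application Data\Name beep copy real\Download license.exe
O4 - HKLM\..\Run: [bhbsdrx] C:\Program Files\Common Files\System\tnmgncd.exe
O4 - HKLM\..\Run: [htocusa] C:\Program Files\Common Files\Microsoft Shared\pxpfern.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [wipe hole] C:\DOCUME~1\admin\APPLIC~1\ITCHME~1\PokeLicense.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

if __name__ == "__main__":
    found = parse_o4(SAMPLE_O4)
    for e in found:
        flag = "SUSPECT" if e.suspicious else "ok     "
        print(f"{flag} [{e.name}] {e.path}  {'; '.join(e.reasons)}")
    print()
    print(cfscript_registry(found))
```

Legitimate entries in Program Files or system32 (Skype, ctfmon, jusched) pass both rules, while the four entries the helper removed are the only ones flagged.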

Thanks again.

Firstly, I have no idea what this System32 thing is.

As for your instructions, I followed them as instructed:

I ran the SafeBoot repair without incident but lost the log files when the next stage (ComboFix) ran. Sorry!

The combofix script ran well and produced the log below:

ComboFix 08-01-04.1 - admin 2008-01-04 13:56:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.140 [GMT -4:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\bhbsdrx.inf
C:\WINDOWS\Tasks\AE46DC13907D59F7.job
E:\htocusa.exe
.
The following files were disabled during the run:
C:\Program Files\NoAdware5.0\nutils.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\admin\Application Data\Itch meta
C:\Documents and Settings\admin\Application Data\Itch meta\0
C:\Documents and Settings\admin\Application Data\Itch meta\Bone Style Heck.exe
C:\Documents and Settings\admin\Application Data\Itch meta\ezilwgpi.exe
C:\Documents and Settings\admin\Application Data\Itch meta\PokeLicense.exe
C:\Documents and Settings\admin\Application Data\Itch meta\vhnytdue.exe
C:\Documents and Settings\All Users\Application Data\Name beep copy real\Bib Log.exe
C:\Program Files\bhbsdrx.inf
C:\WINDOWS\Tasks\AE46DC13907D59F7.job
C:\Documents and Settings\All Users\Application Data\Name beep copy real

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 11:09 . 2008-01-04 11:09 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-04 11:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 07:04 . 2008-01-04 07:04 <DIR> d-------- C:\Program Files\Itch meta
2008-01-03 21:02 . 2008-01-04 13:59 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-12-30 17:01 . 2007-12-30 17:01 <DIR> d-------- C:\System32
2007-12-29 17:09 . 2007-12-29 17:09 <DIR> d-------- C:\Program Files\CCleaner
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Program Files\COMODO
2007-12-29 16:58 . 2007-12-29 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Comodo
2007-12-29 16:58 . 2007-12-29 16:58 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2007-12-29 16:58 . 2007-12-29 16:58 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-29 16:58 . 2007-12-29 16:58 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-29 16:05 . 2007-12-29 16:05 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-27 12:22 . 2006-02-28 08:00 42,496 --a------ C:\WINDOWS\system32\sexit.dat
2007-12-24 14:10 . 2007-12-24 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\espionServerData
2007-12-23 16:57 . 2007-12-29 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 16:48 . 2007-12-23 20:31 <DIR> d-------- C:\Program Files\Photo Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 17:59 --------- d-----w C:\Documents and Settings\admin\Application Data\WTablet
2008-01-04 17:56 --------- d-----w C:\Documents and Settings\admin\Application Data\Skype
2007-11-27 21:32 --------- d-----w C:\Documents and Settings\admin\Application Data\Sunbelt Software
2007-11-27 19:01 --------- d-----w C:\Documents and Settings\admin\Application Data\Corel
2007-11-27 16:19 --------- d-----w C:\Program Files\Corel
2007-11-27 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-11-27 16:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-27 16:13 20,640 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-27 15:58 --------- d-----w C:\Program Files\Tablet
2007-11-23 21:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-23 21:26 --------- d-----w C:\Documents and Settings\admin\Application Data\Azureus
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 11:43 --------- d-----w C:\Program Files\Apple Software Update
2007-11-06 01:28 --------- d-----w C:\Program Files\iTunes
2007-11-06 01:28 --------- d-----w C:\Program Files\iPod
2007-11-06 01:27 --------- d-----w C:\Program Files\QuickTime
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\System32 ----

2007-12-30 17:01 130 --a------ C:\System32\Tablet.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45 23120680]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 12:39 729088]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 16:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 07:29 67752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 08:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\guard32.dll

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-29 16:58]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-29 16:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 15:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 14:30]
R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 11:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 13:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-16 21:34:21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1189957101.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 14:00:28
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-04 14:02:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 18:02:19
ComboFix2.txt 2008-01-04 15:12:02
.
2007-12-22 07:00:56 --- E O F ---


Thanks again,

Gunther


OK Gunther

I want you to continue running the fixes in normal mode, but check to see if you can boot to safe mode (tapping F8 at boot until the menu appears) and log on.


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\sexit.dat
Folder::
C:\Program Files\Itch meta

Save this as CFScript.txt, in the same location as ComboFix.exe

Drag it onto ComboFix.exe same as before and post the resulting c:\combofix.txt

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
-------------------------------
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

-------------------------------
Post a new HijackThis log along with the kaspersky report and combofix.txt. How is the computer behaving now?

0

Hi:

Thanks again. The computer is running so much better and no IE opens to this point!! And now I can get safemode to work. Thanks.

I did the new cf script and the log is below. But when I went to the Kaspersky link I couldn't access the online scanner with either IE or Firefox. I searched for the online scanner within the site but only the single file scanner seems to be working. - http://www.kaspersky.com/scanforvirus

The CF log:

ComboFix 08-01-04.1 - admin 2008-01-04 18:45:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.218 [GMT -4:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\sexit.dat
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Itch meta
C:\WINDOWS\system32\sexit.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 14:02 . 2008-01-04 14:02 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-04 14:02 . 2006-04-18 03:17 14,054 --------- C:\WINDOWS\_000001_.tmp.dll
2008-01-04 11:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 21:02 . 2008-01-04 14:02 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-12-30 17:01 . 2007-12-30 17:01 <DIR> d-------- C:\System32
2007-12-29 17:09 . 2007-12-29 17:09 <DIR> d-------- C:\Program Files\CCleaner
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Program Files\COMODO
2007-12-29 16:58 . 2007-12-29 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-29 16:58 . 2007-12-29 16:58 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Comodo
2007-12-29 16:58 . 2007-12-29 16:58 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2007-12-29 16:58 . 2007-12-29 16:58 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-29 16:58 . 2007-12-29 16:58 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-29 16:05 . 2007-12-29 16:05 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-24 14:10 . 2007-12-24 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\espionServerData
2007-12-23 16:57 . 2007-12-29 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 16:48 . 2007-12-23 20:31 <DIR> d-------- C:\Program Files\Photo Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 22:48 --------- d-----w C:\Documents and Settings\admin\Application Data\Skype
2008-01-04 17:59 --------- d-----w C:\Documents and Settings\admin\Application Data\WTablet
2007-11-27 21:32 --------- d-----w C:\Documents and Settings\admin\Application Data\Sunbelt Software
2007-11-27 19:01 --------- d-----w C:\Documents and Settings\admin\Application Data\Corel
2007-11-27 16:19 --------- d-----w C:\Program Files\Corel
2007-11-27 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-11-27 16:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-27 16:13 20,640 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-27 16:13 109,568 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-11-27 16:13 108,544 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-27 15:58 --------- d-----w C:\Program Files\Tablet
2007-11-23 21:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-23 21:26 --------- d-----w C:\Documents and Settings\admin\Application Data\Azureus
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 11:43 --------- d-----w C:\Program Files\Apple Software Update
2007-11-06 01:28 --------- d-----w C:\Program Files\iTunes
2007-11-06 01:28 --------- d-----w C:\Program Files\iPod
2007-11-06 01:27 --------- d-----w C:\Program Files\QuickTime
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 21:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-04_11.11.37.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-04-18 07:17:07 14,054 ------w C:\WINDOWS\_000001_.tmp.dll
+ 2006-03-17 00:38:01 28,672 ------w C:\WINDOWS\system32\verclsid.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45 23120680]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 12:39 729088]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 16:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 07:29 67752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 08:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\guard32.dll

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-29 16:58]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-29 16:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 15:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 14:30]
R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 11:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 13:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-16 21:34:21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1189957101.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 18:48:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-04 18:48:45
ComboFix-quarantined-files.txt 2008-01-04 22:48:36
ComboFix2.txt 2008-01-04 18:02:24
ComboFix3.txt 2008-01-04 15:12:02
.
2008-01-04 18:17:43 --- E O F ---

Let me know if I should do anything else at this point and again my much appreciated thanks.

Gunther

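The "Reg Loading Points" section of the ComboFix log above lists the autostart locations a malware-removal helper reads first: the per-user and machine-wide Run keys, the Startup folder, and the AppInit_DLLs value (a DLL named there is loaded into every process that links user32, so it is always worth confirming the vendor; here it is COMODO's guard32.dll, which ComboFix itself reported disabling during the run). The following is an added example, not part of the thread or of ComboFix, showing how a defender can parse that section and triage the entries. The sample log text is constructed from entries that appear in the thread's own log; the regexes, the `triage` rules and the trusted-root list are assumptions of this example.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix.  SAMPLE_LOG is
constructed from lines that appear in the thread's own ComboFix output; the
parsing rules and triage heuristics below are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a subset of the thread's "Reg Loading Points" section.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45 23120680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 16:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\guard32.dll

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-29 16:58]
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# A value line such as "Name"="C:\path\file.exe" [date time size]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Roots under which autostart images are expected on this XP box (assumption).
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\')


@dataclass
class Autostart:
    key: str    # registry key the value lives under
    name: str   # value name
    data: str   # raw value data as ComboFix printed it


def parse_loading_points(text: str) -> List[Autostart]:
    """Collect every "Name"=data line under the registry key that precedes it.

    Lines that are not key headers or value lines (notes, REGEDIT4, driver
    lines such as 'R1 cmdGuard;...') are ignored.
    """
    entries: List[Autostart] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append(Autostart(current_key, m.group('name'), m.group('data')))
    return entries


def image_path(data: str) -> str:
    """Return the image path from value data, dropping ComboFix's trailing
    '[date time size ...]' annotation and any surrounding quotes."""
    data = re.sub(r'\s*\[[^\]]*\]\s*$', '', data)
    return data.strip('"')


def triage(entries: List[Autostart]) -> List[Tuple[Autostart, str]]:
    """Flag entries a reviewer should look at, with a reason for each."""
    findings: List[Tuple[Autostart, str]] = []
    for e in entries:
        path = image_path(e.data)
        low = path.lower()
        if e.name.lower() == 'appinit_dlls':
            # Loaded into every user32-linked process: confirm the vendor.
            findings.append((e, 'AppInit_DLLs is set; confirm the DLL belongs to an installed product'))
        elif not re.match(r'^[a-z]:\\', low):
            # A bare file name is resolved via the search path at logon.
            findings.append((e, 'unqualified image path; resolved through the search path'))
        elif not low.startswith(TRUSTED_ROOTS):
            findings.append((e, 'image lives outside Windows and Program Files'))
    return findings


if __name__ == '__main__':
    for entry, reason in triage(parse_loading_points(SAMPLE_LOG)):
        print(f'[{entry.key}] {entry.name} -> {image_path(entry.data)}: {reason}')
```

On the constructed sample this flags two entries: the `SoundMan` value, whose data is the bare name `SOUNDMAN.EXE` rather than a full path (ComboFix resolved it to C:\WINDOWS\SOUNDMAN.EXE in the bracketed note), and the `AppInit_DLLs` value pointing at guard32.dll. Neither is a verdict; both are the kind of line a helper cross-checks against the installed software list before writing a CFScript.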
0

Sorry but I can't find the online scanner link on that page.

Thanks again for the help,

Gunther

P.S. My system is working great.

0

Sorry Gunther

I believe Kaspersky have been having some trouble with some links, I'm not sure if that's fixed yet or not.

I would like to see an online scan to make sure you have no remnants onboard. We do still need to do some final cleanup afterwards. Please try this scan

ESET Online Scanner

  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start

    The scanner engine will initialise and update

  • Do Not tick the box Remove found threats
  • Click the Scan button

    The scan will now run, please be patient

  • When the scan finishes click the Details tab
  • Copy and paste the contents of the %ProgramFiles%\EsetOnlineScanner\log.txt back here.
0

All looks good. No viruses or threats found. The details didn't come up.

Thanks for everything.

0

Great stuff!!

Kindly follow these simple steps in order to keep your computer clean and secure:


  1. UNINSTALL COMBOFIX
    This process will also perform some final cleanup steps
    Click Start > Run and type ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  4. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  5. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  6. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  • Google Toolbar - Get the free google toolbar to help stop pop up windows.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

0

Thanks so much for everything. You have been able to help me when no one or any virus program could. You have been awesome!

Gunther
