huiaa Posted September 17, 2008 ID:28129 Share Posted September 17, 2008 Hi there...I was hit with a virus and I was advised to download Malwarebytes. Everything seems fine now, but I get one error when I scan The Error is 'Error code : 731 (0. 6)' I wonder if you could advise me.CheersBenHere is the Hijack logLogfile of Trend Micro HijackThis v2.0.2Scan saved at 21:08:04, on 2008/09/17Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\DigiOn\DiXiM Media Server\dmsf.exeC:\Program Files\Canon\IJPLM\IJPLMSVC.EXEc:\program files\mcafee.com\agent\mcdetect.exec:\PROGRA~1\mcafee.com\vso\mcshield.exec:\PROGRA~1\mcafee.com\agent\mctskshd.exeC:\WINDOWS\System32\svchost.exec:\PROGRA~1\mcafee.com\vso\OasClnt.exeC:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exeC:\WINDOWS\system32\NTMETER.EXEC:\Program Files\CyberLink\Shared files\RichVideo.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\WINDOWS\system32\lsass.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\system32\lsass.exec:\program files\mcafee.com\vso\mcvsshld.exeC:\Program Files\Softnavi\ImgLnch.exeC:\WINDOWS\system32\hkcmd.exec:\progra~1\mcafee.com\vso\mcvsescn.exec:\program files\mcafee.com\agent\mcagent.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\NEC\SmartVision\SVUPnPMn.exeC:\Program Files\NEC\SmartVision\SvSche.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\WINDOWS\system32\lsass.exeC:\Program Files\MediaGarage\MGSplash.exeC:\WINDOWS\TEMP\ndp5.tmpC:\Program Files\nectvrc\tvrc.exeC:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exeC:\Program Files\NECMFK\necmfk.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\WINDOWS\OV530EM.exeC:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exeC:\Program Files\Canon\MyPrinter\BJMyPrt.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeC:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exec:\Windows\System32\asrv.exeC:\WINDOWS\system32\FUSCli.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Java\jre1.6.0_05\bin\jucheck.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllR3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\2.bin\P4SRCHAS.DLLO2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\2.bin\P4SRCHAS.DLLO3 - Toolbar: BIGLOBEツールバー(& - {F998C683-89D8-47FA-8C55-3E2CA27D7581} - C:\Program Files\BIGLOBE\Toolbar\biglobe.dllO3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\2.bin\PANDOBAR.DLLO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [softNavi] "C:\Program Files\Softnavi\ImgLnch.exe" /RESIDENTO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [sVUPnPManager] C:\Program Files\NEC\SmartVision\SVUPnPMn.exeO4 - HKLM\..\Run: [smartVisionScheduler] C:\Program Files\NEC\SmartVision\SvSche.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKLM\..\Run: [MGSplash] C:\Program Files\MediaGarage\MGSplash.exeO4 - HKLM\..\Run: [NECTVRC] C:\Program Files\nectvrc\tvrc.exeO4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktaskO4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exeO4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exeO4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exeO4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exeO4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exeO4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXEO4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNCO4 - HKLM\..\Run: [POPLINK] C:\RUNONCE\GTA\POPLINK.lnkO4 - HKLM\..\Run: [NECMFK] C:\Program Files\NECMFK\necmfk.exeO4 - HKLM\..\Run: [Desktopbar] "C:\Program Files\Desktopbar\Desktopbar.exe" /RDO4 - HKLM\..\Run: [chkmem] C:\Program Files\chkmem\chkmem.exeO4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [Ovt Wia] C:\WINDOWS\OV530EM.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [explorcr] C:\WINDOWS\system32\explorcr.exeO4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logonO4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logonO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [lphc5c3j0e56e] C:\WINDOWS\system32\lphc5c3j0e56e.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')O8 - Extra context menu item: BIGLOBE:ニュース検索 - res://C:\Program Files\BIGLOBE\Toolbar\biglobe.dll/script_news.htmO8 - Extra context menu item: BIGLOBE:ページ検索 - res://C:\Program Files\BIGLOBE\Toolbar\biglobe.dll/script_web.htmO8 - Extra context menu item: BIGLOBE:画像検索 - res://C:\Program Files\BIGLOBE\Toolbar\biglobe.dll/script_pict.htmO8 - Extra context menu item: BIGLOBE:辞書検索 - res://C:\Program Files\BIGLOBE\Toolbar\biglobe.dll/script_dic.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://www.biglobe.ne.jp/index-pc.htmlO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLLO20 - AppInit_DLLs: karina.datO20 - Winlogon Notify: kxlgxldl - C:\WINDOWS\SYSTEM32\kxlgxldl32.dllO23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Family Channel Switch (Asrv) - Unknown owner - c:\Windows\System32\asrv.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: DiXiM Media Server - DigiOn - C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: PIXUS 使用状況調査プログラム (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXEO23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exeO23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exeO23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exeO23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exeO23 - Service: MSCSPTISRV - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exeO23 - Service: NT Meter - Unknown owner - C:\WINDOWS\system32\NTMETER.EXEO23 - Service: PACSPTISVR - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exeO23 - Service: BroadPass Manager (Poling_Service) - 日本電気株式会社 - c:\Program Files\BIGLOBE\BroadPass\base\base.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exeO23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe--End of file - 12304 bytes Link to post Share on other sites More sharing options...
huiaa Posted September 17, 2008 Author ID:28130 Share Posted September 17, 2008 Also, here is the Malwarebytes reportMalwarebytes' Anti-Malware 1.28Database version: 1163Windows 5.1.2600 Service Pack 22008/09/17 21:27:27mbam-log-2008-09-17 (21-27-27).txtScan type: Quick ScanObjects scanned: 54901Time elapsed: 14 minute(s), 59 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 5Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc5c3j0e56e (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\blphc5c3j0e56e.scr (Trojan.FakeAlert) -> Delete on reboot.C:\WINDOWS\system32\lphc5c3j0e56e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\phc5c3j0e56e.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
huiaa Posted September 17, 2008 Author ID:28131 Share Posted September 17, 2008 I did ran malwarebyte through the computer several hours ago and things got much better, but even after doing a quick scan 4 hours later..it found another 7 viruses...so we are not in the clear...its still picking them up. Obviously, it is related to this error code...any thoughts would be great. CheersAlso, here is the Malwarebytes reportMalwarebytes' Anti-Malware 1.28Database version: 1163Windows 5.1.2600 Service Pack 22008/09/17 21:27:27mbam-log-2008-09-17 (21-27-27).txtScan type: Quick ScanObjects scanned: 54901Time elapsed: 14 minute(s), 59 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 5Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc5c3j0e56e (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\blphc5c3j0e56e.scr (Trojan.FakeAlert) -> Delete on reboot.C:\WINDOWS\system32\lphc5c3j0e56e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\phc5c3j0e56e.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
JeanInMontana Posted September 18, 2008 ID:28205 Share Posted September 18, 2008 Hi there huiaa and welcome to Malwarebytes. Update MBAM run a quick scan post that log [no code box please] then run HJT and post that log, this needs to be after the MBAM log always. Link to post Share on other sites More sharing options...
huiaa Posted September 18, 2008 Author ID:28229 Share Posted September 18, 2008 Thanks for that...here is the malwarebytes log:Malwarebytes' Anti-Malware 1.28Database version: 1163Windows 5.1.2600 Service Pack 22008/09/18 20:45:55mbam-log-2008-09-18 (20-45-51).txtScan type: Quick ScanObjects scanned: 55853Time elapsed: 7 minute(s), 14 second(s)Memory Processes Infected: 2Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 6Registry Data Items Infected: 2Folders Infected: 0Files Infected: 7Memory Processes Infected:C:\WINDOWS\system32\lphc5c3j0e56e.exe (Trojan.FakeAlert) -> No action taken.C:\Documents and Settings\Ben\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> No action taken.Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc5c3j0e56e (Trojan.FakeAlert) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhc1c3j0e56e (Trojan.FakeAlert) -> No action taken.HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\blphc5c3j0e56e.scr (Trojan.FakeAlert) -> No action taken.C:\WINDOWS\system32\lphc5c3j0e56e.exe (Trojan.FakeAlert) -> No action taken.C:\WINDOWS\system32\phc5c3j0e56e.bmp (Trojan.FakeAlert) -> No action taken.C:\WINDOWS\temp\.tt5.tmp (Trojan.Downloader) -> No action taken.C:\WINDOWS\temp\.ttB.tmp (Trojan.Downloader) -> No action taken.C:\Documents and Settings\Ben\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> No action taken.C:\Documents and Settings\Ben\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> No action taken. Link to post Share on other sites More sharing options...
huiaa Posted September 18, 2008 Author ID:28230 Share Posted September 18, 2008 Hi there,I ran malwarebytes saved the log (posted previously) removed the viruses and restarted the computer as advised. I then ran Hijack. Here is the log;CheersLogfile of Trend Micro HijackThis v2.0.2Scan saved at 20:51:38, on 2008/09/18Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Softnavi\ImgLnch.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\NEC\SmartVision\SVUPnPMn.exeC:\Program Files\NEC\SmartVision\SvSche.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\Program Files\MediaGarage\MGSplash.exeC:\Program Files\nectvrc\tvrc.exeC:\Program Files\McAfee.com\VSO\mcvsshld.exeC:\Program Files\McAfee.com\VSO\oasclnt.exeC:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exeC:\Program Files\NECMFK\necmfk.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\WINDOWS\OV530EM.exec:\progra~1\mcafee.com\vso\mcvsescn.exeC:\Program Files\Canon\MyPrinter\BJMyPrt.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Skype\Phone\Skype.exeC:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\DigiOn\DiXiM Media Server\dmsf.exeC:\Program Files\Canon\IJPLM\IJPLMSVC.EXEc:\program files\mcafee.com\agent\mcdetect.exec:\PROGRA~1\mcafee.com\vso\mcshield.exec:\PROGRA~1\mcafee.com\agent\mctskshd.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\lsass.exeC:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exeC:\WINDOWS\system32\NTMETER.EXEC:\Program Files\CyberLink\Shared files\RichVideo.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\TEMP\nes5.tmpC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeC:\Program Files\Internet Explorer\iexplore.exec:\Windows\System32\asrv.exeC:\WINDOWS\system32\FUSCli.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\wuauclt.exeR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllR3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\2.bin\P4SRCHAS.DLLO2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\2.bin\P4SRCHAS.DLLO3 - Toolbar: BIGLOBEツールバー(& - {F998C683-89D8-47FA-8C55-3E2CA27D7581} - C:\Program Files\BIGLOBE\Toolbar\biglobe.dllO3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\2.bin\PANDOBAR.DLLO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [softNavi] "C:\Program Files\Softnavi\ImgLnch.exe" /RESIDENTO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [sVUPnPManager] C:\Program Files\NEC\SmartVision\SVUPnPMn.exeO4 - HKLM\..\Run: [smartVisionScheduler] C:\Program Files\NEC\SmartVision\SvSche.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKLM\..\Run: [MGSplash] C:\Program Files\MediaGarage\MGSplash.exeO4 - HKLM\..\Run: [NECTVRC] C:\Program Files\nectvrc\tvrc.exeO4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktaskO4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exeO4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exeO4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exeO4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exeO4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exeO4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXEO4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNCO4 - HKLM\..\Run: [POPLINK] C:\RUNONCE\GTA\POPLINK.lnkO4 - HKLM\..\Run: [NECMFK] C:\Program Files\NECMFK\necmfk.exeO4 - HKLM\..\Run: [Desktopbar] "C:\Program Files\Desktopbar\Desktopbar.exe" /RDO4 - HKLM\..\Run: [chkmem] C:\Program Files\chkmem\chkmem.exeO4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [Ovt Wia] C:\WINDOWS\OV530EM.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [explorcr] C:\WINDOWS\system32\explorcr.exeO4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logonO4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logonO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [lphc5c3j0e56e] C:\WINDOWS\system32\lphc5c3j0e56e.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')O8 - Extra context menu item: BIGLOBE:ニュース検索 - res://C:\Program Files\BIGLOBE\Toolbar\biglobe.dll/script_news.htmO8 - Extra context menu item: BIGLOBE:ページ検索 - res://C:\Program Files\BIGLOBE\Toolbar\biglobe.dll/script_web.htmO8 - Extra context menu item: BIGLOBE:画像検索 - res://C:\Program Files\BIGLOBE\Toolbar\biglobe.dll/script_pict.htmO8 - Extra context menu item: BIGLOBE:辞書検索 - res://C:\Program Files\BIGLOBE\Toolbar\biglobe.dll/script_dic.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://www.biglobe.ne.jp/index-pc.htmlO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLLO20 - AppInit_DLLs: karina.datO20 - Winlogon Notify: kxlgxldl - C:\WINDOWS\SYSTEM32\kxlgxldl.dllO23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Family Channel Switch (Asrv) - Unknown owner - c:\Windows\System32\asrv.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: DiXiM Media Server - DigiOn - C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: PIXUS 使用状況調査プログラム (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXEO23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exeO23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exeO23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exeO23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exeO23 - Service: MSCSPTISRV - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exeO23 - Service: NT Meter - Unknown owner - C:\WINDOWS\system32\NTMETER.EXEO23 - Service: PACSPTISVR - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exeO23 - Service: BroadPass Manager (Poling_Service) - 日本電気株式会社 - c:\Program Files\BIGLOBE\BroadPass\base\base.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exeO23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe--End of file - 12349 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted September 19, 2008 ID:28359 Share Posted September 19, 2008 The MBAM log shows you took no action. I want to see the log when you have taken action and then the HJT log. Please follow instructions. Update MBAM, run a quick scan remove anything found, post that log and a new HJT log. Link to post Share on other sites More sharing options...
huiaa Posted September 21, 2008 Author ID:28544 Share Posted September 21, 2008 Hi there,I updated to the latest version and then ran a quick scan.Here is the log,Thanks in advance===============================================================================Malwarebytes' Anti-Malware 1.28Database version: 1182Windows 5.1.2600 Service Pack 22008/09/21 9:01:18mbam-log-2008-09-21 (09-01-18).txtScan type: Quick ScanObjects scanned: 53911Time elapsed: 5 minute(s), 12 second(s)Memory Processes Infected: 2Memory Modules Infected: 2Registry Keys Infected: 2Registry Values Infected: 6Registry Data Items Infected: 2Folders Infected: 0Files Infected: 14Memory Processes Infected:C:\WINDOWS\system32\lphc5c3j0e56e.exe (Trojan.FakeAlert) -> Unloaded process successfully.C:\WINDOWS\temp\.ttB.tmp.exe (Trojan.FakeAlert) -> Unloaded process successfully.Memory Modules Infected:C:\WINDOWS\system32\kxlgxldl32.dll (Trojan.FakeAlert) -> Delete on reboot.C:\WINDOWS\system32\blphc5c3j0e56e.scr (Trojan.FakeAlert) -> Delete on reboot.Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kxlgxldl (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc5c3j0e56e (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhc1c3j0e56e (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\kxlgxldl.dll (Trojan.FakeAlert) -> Delete on reboot.C:\WINDOWS\system32\kxlgxldl32.dll (Trojan.FakeAlert) -> Delete on reboot.C:\WINDOWS\system32\blphc5c3j0e56e.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\lphc5c3j0e56e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\phc5c3j0e56e.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.ttB.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Ben\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Ben\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.tt8.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Documents and Settings\Ben\Local Settings\Temp\.tt5.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
JeanInMontana Posted September 21, 2008 ID:28546 Share Posted September 21, 2008 Please follow instructions. HJT log now. Be sure you have rebooted as MBAM requested. Link to post Share on other sites More sharing options...
huiaa Posted September 21, 2008 Author ID:28547 Share Posted September 21, 2008 I restarted the computer and then ran Hijack.Here is the log;====================================================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:07:03, on 2008/09/21Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Softnavi\ImgLnch.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\Program Files\MediaGarage\MGSplash.exeC:\Program Files\nectvrc\tvrc.exeC:\Program Files\McAfee.com\VSO\mcvsshld.exeC:\Program Files\McAfee.com\VSO\oasclnt.exeC:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exeC:\Program Files\NECMFK\necmfk.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\WINDOWS\OV530EM.exec:\progra~1\mcafee.com\vso\mcvsescn.exeC:\Program Files\Canon\MyPrinter\BJMyPrt.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exeC:\WINDOWS\system32\lsass.exeC:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exeC:\WINDOWS\system32\lsass.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\DigiOn\DiXiM Media Server\dmsf.exeC:\Program Files\Canon\IJPLM\IJPLMSVC.EXEc:\program files\mcafee.com\agent\mcdetect.exec:\PROGRA~1\mcafee.com\vso\mcshield.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\TEMP\guj5.tmpc:\PROGRA~1\mcafee.com\agent\mctskshd.exeC:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exeC:\WINDOWS\system32\NTMETER.EXEC:\Program Files\CyberLink\Shared files\RichVideo.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exec:\Windows\System32\asrv.exeC:\WINDOWS\system32\FUSCli.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\temp\.tt9.tmpC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wuauclt.exeR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllR3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\2.bin\P4SRCHAS.DLLO2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\2.bin\P4SRCHAS.DLLO3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\2.bin\PANDOBAR.DLLO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [softNavi] "C:\Program Files\Softnavi\ImgLnch.exe" /RESIDENTO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKLM\..\Run: [MGSplash] C:\Program Files\MediaGarage\MGSplash.exeO4 - HKLM\..\Run: [NECTVRC] C:\Program Files\nectvrc\tvrc.exeO4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktaskO4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exeO4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exeO4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exeO4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exeO4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exeO4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXEO4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNCO4 - HKLM\..\Run: [POPLINK] C:\RUNONCE\GTA\POPLINK.lnkO4 - HKLM\..\Run: [NECMFK] C:\Program Files\NECMFK\necmfk.exeO4 - HKLM\..\Run: [chkmem] C:\Program Files\chkmem\chkmem.exeO4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [Ovt Wia] C:\WINDOWS\OV530EM.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [explorcr] C:\WINDOWS\system32\explorcr.exeO4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logonO4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logonO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [lphc5c3j0e56e] C:\WINDOWS\system32\lphc5c3j0e56e.exeO4 - HKLM\..\Run: [inrhc1c3j0e56e] C:\WINDOWS\temp\.tt9.tmp.exe /CR=34015803198DE9F11EE8495C41DD2D8815F884B278F5F0F7CAFD82D6B1E46CAF3F1AB4E69541D8FF20582B69ED99A87B5167241BAA938A0ACC28AD18A64181C065E072D95E80D6D4E77891D0EF9EF09F5DF59BO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://www.biglobe.ne.jp/index-pc.htmlO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLLO20 - AppInit_DLLs: karina.datO20 - Winlogon Notify: kxlgxldl - C:\WINDOWS\SYSTEM32\kxlgxldl.dllO23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Family Channel Switch (Asrv) - Unknown owner - c:\Windows\System32\asrv.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: DiXiM Media Server - DigiOn - C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: PIXUS 使用状況調査プログラム (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXEO23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exeO23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exeO23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exeO23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exeO23 - Service: MSCSPTISRV - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exeO23 - Service: NT Meter - Unknown owner - C:\WINDOWS\system32\NTMETER.EXEO23 - Service: PACSPTISVR - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exeO23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe--End of file - 11418 bytes Link to post Share on other sites More sharing options...
huiaa Posted September 21, 2008 Author ID:28548 Share Posted September 21, 2008 BTW, the same error code came up;731 (0. 6)Cheers Link to post Share on other sites More sharing options...
JeanInMontana Posted September 21, 2008 ID:28555 Share Posted September 21, 2008 BTW, the same error code came up;731 (0. 6)CheersRebooting should take out the error. I need you to find these four files and copy them to a zip folder.C:\RUNONCE\GTA\POPLINK.lnkC:\Program Files\chkmem\chkmem.exeC:\WINDOWS\SYSTEM32\kxlgxldl.dllC:\WINDOWS\TEMP\nes5.tmpAttach the folder in this forum http://www.malwarebytes.org/forums/index.php?showforum=55 start your own topic please. Link to post Share on other sites More sharing options...
huiaa Posted September 23, 2008 Author ID:28754 Share Posted September 23, 2008 Hi Jean,I have searched high and low for these files but the only one I could find is;C:\WINDOWS\SYSTEM32\kxlgxldl.dllHow can I send it to you?Meanwhile, things seem to be getting worse. The virus just kicks in again after the quick scan and removal then re-boot. Also, the same original error (0.6) 731 continues to occasionally surface, and I can only operate in Safe mode now as the computer seems in this endless loop of re-booting, so things seem to be getting worseHow do I find the other files you requested?I have just done another quick scan and attached the new log, along with the Hijack log post removalI appreciate your time and patience.lwarebytes' Anti-Malware 1.28Database version: 1194Windows 5.1.2600 Service Pack 22008/09/23 9:47:48mbam-log-2008-09-23 (09-47-48).txtScan type: Quick ScanObjects scanned: 52136Time elapsed: 16 minute(s), 13 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 4Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\blphc5c3j0e56e.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\lphc5c3j0e56e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\phc5c3j0e56e.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\temp\.tt17.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.Hijack report;Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:50:20, on 2008/09/23Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: Safe mode with network supportRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllR3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\2.bin\P4SRCHAS.DLLO2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\2.bin\P4SRCHAS.DLLO3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\2.bin\PANDOBAR.DLLO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [softNavi] "C:\Program Files\Softnavi\ImgLnch.exe" /RESIDENTO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKLM\..\Run: [MGSplash] C:\Program Files\MediaGarage\MGSplash.exeO4 - HKLM\..\Run: [NECTVRC] C:\Program Files\nectvrc\tvrc.exeO4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktaskO4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exeO4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exeO4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exeO4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exeO4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exeO4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXEO4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNCO4 - HKLM\..\Run: [NECMFK] C:\Program Files\NECMFK\necmfk.exeO4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [Ovt Wia] C:\WINDOWS\OV530EM.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [explorcr] C:\WINDOWS\system32\explorcr.exeO4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logonO4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logonO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://www.biglobe.ne.jp/index-pc.htmlO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLLO20 - AppInit_DLLs: karina.datO23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Family Channel Switch (Asrv) - Unknown owner - c:\Windows\System32\asrv.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: DiXiM Media Server - DigiOn - C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: PIXUS 使用状況調査プログラム (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXEO23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exeO23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exeO23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exeO23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exeO23 - Service: MSCSPTISRV - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exeO23 - Service: NT Meter - Unknown owner - C:\WINDOWS\system32\NTMETER.EXEO23 - Service: PACSPTISVR - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - c:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exeO23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe--End of file - 9103 bytesRebooting should take out the error. I need you to find these four files and copy them to a zip folder.C:\RUNONCE\GTA\POPLINK.lnkC:\Program Files\chkmem\chkmem.exeC:\WINDOWS\SYSTEM32\kxlgxldl.dllC:\WINDOWS\TEMP\nes5.tmpAttach the folder in this forum http://www.malwarebytes.org/forums/index.php?showforum=55 start your own topic please. Link to post Share on other sites More sharing options...
huiaa Posted September 23, 2008 Author ID:28770 Share Posted September 23, 2008 I few updates...I ran the scanner in Safe Mode and it is not continually re-booting which is good. The scanner run through a few times in safe mode and picked up no errors at all. Once I was able to get back into normal mode, again the virus re-activated on boot up, but thankfully no re-booting over and over. The same error kept coming back, and also a few moment after boot up..a .TMP gets caught up in my fire wall. The name of it changes every time but it is always in the same Windows/temp folder Link to post Share on other sites More sharing options...
JeanInMontana Posted September 24, 2008 ID:28878 Share Posted September 24, 2008 Attach the folder in this forum http://www.malwarebytes.org/forums/index.php?showforum=55 start your own topic please. Follow that link and attach all the files there please. Don't scan in safe mode. Attach the files and wait for my instruction. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 1, 2008 Root Admin ID:29378 Share Posted October 1, 2008 Hello huiaa,Are you still with us? Please post an update otherwise I will be closing this topic later tonight. Link to post Share on other sites More sharing options...
Recommended Posts