
Hi,

I have done all the usual things I do to remove malware from clients' PCs, however this one has me stumped as it keeps coming back. It manifests itself as pop-ups and, before running MBAM for the first time recently, it also redirected the user to other websites instead of the intended ones. I have an MBAM log from a few days ago and a Combofix log from yesterday. Combofix did appear to find and remove all the infections, and MBAM also came back clean immediately after, but the pop-ups are now back once again. Any help would be very much appreciated.

MBAM Log:

Malwarebytes' Anti-Malware 1.30

Database version: 1430

Windows 5.1.2600 Service Pack 2

28/11/2008 13:36:15

newest-mbam-log-2008-11-28 (13-36-07).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 125640

Time elapsed: 30 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 8

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\Jh0r0i3j.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\Jh0r0i3j.dll (Trojan.BHO) -> No action taken.

C:\WINDOWS\system32\Hf3p3g6h.exe.a_a (Trojan.Agent) -> No action taken.

Combofix Log:

ComboFix 08-12-01.03 - Chantal 2008-12-02 16:55:02.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2067 [GMT 0:00]

Running from: c:\documents and settings\Chantal.ALTPC02\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))

.

2008-11-20 12:59 . 2008-11-20 12:59 <DIR> d-------- c:\program files\Trend Micro

2008-11-20 12:41 . 2008-11-20 12:41 <DIR> d-------- c:\program files\CCleaner

2008-11-20 12:38 . 2008-11-20 12:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-20 12:38 . 2008-11-20 12:38 <DIR> d-------- c:\documents and settings\Chantal.ALTPC02\Application Data\Malwarebytes

2008-11-20 12:38 . 2008-11-20 12:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-20 12:38 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-20 12:38 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-10 10:46 . 2008-11-14 10:46 1,689 --a------ c:\windows\Sysvxd.exe

2008-11-03 10:30 . 2008-11-03 10:29 32,256 --a------ c:\windows\system32\3Lktr31h.ex_

2008-11-03 10:30 . 2008-11-03 10:29 31,744 --a------ c:\windows\system32\Osvd07mq.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-12 14:44 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-11-03 09:11 77,937 ----a-w c:\windows\system32\bkmekxjupupdy.exe

2008-10-31 13:11 --------- d-----w c:\program files\Nortel Networks

2008-10-31 12:39 --------- d-----w c:\program files\Personal Call Manager

2008-10-30 10:12 19,227 ----a-w c:\windows\system32\mumumuqozo.pif

2008-10-30 10:12 17,863 ----a-w c:\documents and settings\Chantal.ALTPC02\Application Data\iqydicyqi.sys

2008-10-30 10:12 16,714 ----a-w c:\program files\Common Files\rasecebot._sy

2008-10-30 10:12 15,907 ----a-w c:\windows\upurade.exe

2008-10-30 10:12 14,158 ----a-w c:\program files\Common Files\usix._dl

2008-10-30 10:12 10,848 ----a-w c:\documents and settings\All Users\Application Data\atilohijex.scr

2008-10-28 11:11 --------- d-----w c:\program files\e-PDF Converter and Creator v2.1

2008-10-28 11:05 --------- d-----w c:\documents and settings\LocalService\Application Data\Softland

2008-10-28 11:02 --------- d-----w c:\program files\Softland

2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll

2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll

2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll

2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll

2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll

2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll

2008-10-08 13:43 20,120 ----a-w c:\windows\system32\dopdfmn6.dll

2008-10-08 13:43 18,072 ----a-w c:\windows\system32\dopdfmi6.dll

2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll

2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys

2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys

2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]

"Realtime Monitor"="c:\program files\CA\eTrust\InoculateIT\realmon.exe" [2001-07-19 374584]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.EXE]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Syrius Updater.lnk - c:\windows\Installer\{964A0E79-160F-4F5F-97D0-9C03CFA434FA}\Icon964A0E79.exe [2008-05-28 11264]

TSP Launcher.lnk - c:\program files\Nortel Networks\Shared Files\NTSPInit.exe [2008-10-31 45056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service

R2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-06-07 50176]

.

Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\At1.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At10.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At11.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At12.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At13.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At14.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At15.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At16.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At17.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-01 c:\windows\Tasks\At18.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-01 c:\windows\Tasks\At19.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At2.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-01 c:\windows\Tasks\At20.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-01 c:\windows\Tasks\At21.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-01 c:\windows\Tasks\At22.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-01 c:\windows\Tasks\At23.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-01 c:\windows\Tasks\At24.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At25.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At26.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At27.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At28.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At29.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At3.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At30.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At31.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At32.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At33.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At34.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At35.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At36.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At37.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At38.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At39.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At4.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At40.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At41.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-01 c:\windows\Tasks\At42.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-01 c:\windows\Tasks\At43.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-01 c:\windows\Tasks\At44.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-01 c:\windows\Tasks\At45.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-01 c:\windows\Tasks\At46.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-01 c:\windows\Tasks\At47.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-01 c:\windows\Tasks\At48.job

- c:\windows\system32\3Lktr31h.exe []

2008-12-02 c:\windows\Tasks\At49.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At5.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At50.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At51.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At52.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At53.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At54.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At55.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At56.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At57.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At58.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At59.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At6.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At60.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At61.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At62.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At63.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At64.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At65.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At66.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-01 c:\windows\Tasks\At67.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-01 c:\windows\Tasks\At68.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-01 c:\windows\Tasks\At69.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At7.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-01 c:\windows\Tasks\At70.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-01 c:\windows\Tasks\At71.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-01 c:\windows\Tasks\At72.job

- c:\windows\system32\Hf3p3g6h.exe []

2008-12-02 c:\windows\Tasks\At8.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\windows\Tasks\At9.job

- c:\windows\system32\Osvd07mq.exe [2008-11-03 10:29]

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-02 16:55:59

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-12-02 16:56:34

ComboFix-quarantined-files.txt 2008-12-02 16:56:32

ComboFix2.txt 2008-12-02 16:18:02

Pre-Run: 15,763,664,896 bytes free

Post-Run: 15,754,518,528 bytes free

254 --- E O F --- 2008-11-12 14:44:19

Once again, any help would be massively appreciated.

Thanks... Andy...

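As an added triage example (not code from this thread, from Malwarebytes or from ComboFix): a small parser for the "Scheduled Tasks" section of a ComboFix log like the one above, which groups the At*.job entries by the executable they launch and flags targets with a random-looking 8-character name in system32 or with an empty `[]` file stamp (taken here to mean the target is no longer on disk). The sample lines are constructed in the log's format, and the random-name heuristic is my assumption, not a ComboFix rule.

```python
"""Group ComboFix 'Scheduled Tasks' entries by target and flag suspicious ones."""
import re
from collections import defaultdict

# Constructed sample in ComboFix's format: a job line, then "- target [stamp]".
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\\windows\\Tasks\\At1.job
- c:\\windows\\system32\\Osvd07mq.exe [2008-11-03 10:29]

2008-12-02 c:\\windows\\Tasks\\At25.job
- c:\\windows\\system32\\3Lktr31h.exe []

2008-12-02 c:\\windows\\Tasks\\At49.job
- c:\\windows\\system32\\Hf3p3g6h.exe []

2008-12-02 c:\\windows\\Tasks\\At50.job
- c:\\windows\\system32\\Hf3p3g6h.exe []

**************************************************************************
"""

JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\\Tasks\\[^\\]+\.job)\s*$")
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]*)\]\s*$")
# Assumed heuristic: exactly 8 alphanumerics mixing letters and digits (Osvd07mq, 3Lktr31h).
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8}$", re.IGNORECASE)


def parse_scheduled_tasks(text):
    """Return {target_path_lowercase: {"jobs": [...], "stamp": str}} for the section."""
    tasks = defaultdict(lambda: {"jobs": [], "stamp": None})
    in_section, current_job = False, None
    for line in text.splitlines():
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("****"):  # the next ComboFix section begins here
            break
        m = JOB_RE.match(line)
        if m:
            current_job = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and current_job:
            entry = tasks[m.group("target").lower()]
            entry["jobs"].append(current_job)
            entry["stamp"] = m.group("stamp")  # "" when ComboFix printed "[]"
            current_job = None
    return dict(tasks)


def suspicious_targets(tasks):
    """Return sorted (target, job_count, reasons) for targets a helper would review."""
    flagged = []
    for target, info in tasks.items():
        name = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if "\\system32\\" in target and RANDOM_NAME_RE.match(name):
            reasons.append("random-looking name")
        if info["stamp"] == "":
            reasons.append("target file missing")
        if reasons:
            flagged.append((target, len(info["jobs"]), reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for target, n, reasons in suspicious_targets(parse_scheduled_tasks(SAMPLE_LOG)):
        print(f"{n:3d} job(s) -> {target}: {', '.join(reasons)}")
```

Run it against the full log pasted above and the job counts per target show how often each binary was scheduled, which is what the At1 to At72 listing hides in plain sight.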

Here is a current HijackThis log as of about 10 mins ago...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:46:31, on 03/12/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\DWRCS.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\WINDOWS\LogWatNT.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\3Lktr31h.exe

C:\WINDOWS\system32\DWRCST.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\CA\eTrust\InoculateIT\realmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Syrius Updater\SyriusUpdater.exe

C:\Program Files\Nortel Networks\Shared Files\NTSPInit.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office12\MSPUB.EXE

c:\program files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\Office12\MSPUB.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Syrius Updater.lnk = ?

O4 - Global Startup: TSP Launcher.lnk = C:\Program Files\Nortel Networks\Shared Files\NTSPInit.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC4DCF7-E7CD-409C-ACDA-2C8FA9AF65FE}: NameServer = 192.168.0.254

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.exe

O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 5237 bytes

Thanks.


Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  1. Please Read All Instructions Carefully

  2. If you don't understand something, stop and ask! Don't keep going on.

  3. Please do not run any other tools or scans whilst I am helping you

  4. Please continue to respond until I give you the "All Clear"

    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.

Be assured, any links I give are safe

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.

Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following

Download and Run RSIT

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.

  • Click Continue at the disclaimer screen.

  • Once it has finished, two logs will open:

    • log.txt will be opened maximized.

    • info.txt will be opened minimized.

  • Please post the contents of both log.txt and info.txt.
