jimhuertas Posted January 4, 2009 ID:44558 Share Posted January 4, 2009 Here are the three logs that have been requested.Thanks in advance for any and all advice!!mbam_log_2009_01_03__17_44_50_.txtActiveScan.txthijackthis.txtmbam_log_2009_01_03__17_44_50_.txtActiveScan.txthijackthis.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 4, 2009 Root Admin ID:44560 Share Posted January 4, 2009 Please DO NOT attach files unless requested. Please open each log and Copy/Paste it directly into your reply. Thanks. Link to post Share on other sites More sharing options...
jimhuertas Posted January 4, 2009 Author ID:44561 Share Posted January 4, 2009 Ok..sorry..Malwarebytes' Anti-Malware 1.31Database version: 1604Windows 5.1.2600 Service Pack 31/3/2009 5:44:50 PMmbam-log-2009-01-03 (17-44-50).txtScan type: Quick ScanObjects scanned: 58937Time elapsed: 1 minute(s), 8 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 7Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 9Memory Processes Infected:(No malicious items detected)Memory Modules Infected:C:\WINDOWS\system32\licupj.dll (Trojan.Vundo) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{bab104c3-2646-411f-a975-702aa2164856} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bab104c3-2646-411f-a975-702aa2164856} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bab104c3-2646-411f-a975-702aa2164856} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\licupj.dll (Trojan.Vundo) -> Delete on reboot.C:\WINDOWS\system32\wxureewi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Jim Huertas\Local Settings\Temp\seneka3b76.tmp (Trojan.Agent) -> Quarantined and deleted successfully.C:\Documents and Settings\Jim Huertas\Local Settings\Temp\winsinstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Jim Huertas\Local Settings\Temporary Internet Files\Content.IE5\GD6N0D23\load[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\senekalkamktwh.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\senekayxseulal.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\drivers\senekaodhrhwhp.sys (Trojan.Agent) -> Delete on reboot.Active Scan;***********************************************************************************************************************************************************************************ANALYSIS: 2009-01-03 18:52:29PROTECTIONS: 1MALWARE: 2SUSPECTS: 1;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================AVG 7.5.552 7.5.552 Yes Yes;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================03480216 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\$NtServicePackUninstall$\userinit.exe03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Jim Huertas\Desktop\Downloads\SDFix.exe[C:\Documents and Settings\Jim Huertas\Desktop\Downloads\SDFix.exe][sDFix\apps\Cghtme.exe]03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Jim Huertas\Desktop\Downloads\SDFix.exe[C:\Documents and Settings\Jim Huertas\Desktop\Downloads\SDFix.exe][sDFix\catchme.exe]03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Jim Huertas\Desktop\Downloads\ComboFix.exe[327882R2FWJFW\catchme.cfexe];===================================================================================================================================================================================SUSPECTSSent Location b;===================================================================================================================================================================================No C:\Program Files\BAE\BAE.dll b;===================================================================================================================================================================================VULNERABILITIESId Severity Description b;===================================================================================================================================================================================;===================================================================================================================================================================================HJTLogfile of Trend Micro HijackThis v2.0.2Scan saved at 6:53:24 PM, on 1/3/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\WLTRYSVC.EXEC:\WINDOWS\System32\bcmwltry.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Java\jre1.5.0_06\bin\jusched.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\WINDOWS\system32\WLTRAY.exeC:\WINDOWS\stsystra.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\CyberLink\PCM4Everio\EverioService.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Metacafe\MetacafeAgent.exeC:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Program Files\a-squared Free\a2service.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\Program Files\CyberLink\Shared Files\RichVideo.exeC:\WINDOWS\system32\Pen_Tablet.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\WTablet\Pen_TabletUser.exeC:\WINDOWS\system32\Pen_Tablet.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061005R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.comR1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061005R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: (no name) - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - (no file)O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)O2 - BHO: (no name) - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - (no file)O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dllO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstallO4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdkun.exe] C:\WINDOWS\system32\kdkun.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exeO4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exeO4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exeO4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.0.70:4343/officescan/consol...ll/WinNTChk.cabO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.0.70:4343/officescan/consol...ll/setupini.cabO16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.0.70:4343/officescan/consol...stall/setup.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cabO16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.0.70:4343/officescan/consol.../RemoveCtrl.cabO16 - DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} (XMRADIO.XM_SystemProfiler) - http://xmro.xmradio.com/xstream/registrati.../xmprofiler.CABO17 - HKLM\System\CCS\Services\Tcpip\..\{17557CB1-7C86-4050-B442-88B92A3AB675}: NameServer = 216.187.147.38,216.187.147.39O17 - HKLM\System\CCS\Services\Tcpip\..\{C0A40FB6-22CE-4C92-A11D-EEAA4DFE5282}: NameServer = 216.187.147.38,216.187.147.39O20 - AppInit_DLLs: licupj.dllO20 - Winlogon Notify: jkkIXNDw - jkkIXNDw.dll (file missing)O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exeO23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exeO23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE--End of file - 12121 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 4, 2009 Root Admin ID:44577 Share Posted January 4, 2009 Please run the following.Reconfigure Windows XP to show hidden files:To enable the viewing of Hidden files follow these steps: * Close all programs so that you are at your desktop. * Double-click on the My Computer icon. * Select the Tools menu and click Folder Options. * After the new window appears select the View tab. * Put a checkmark in the checkbox labeled Display the contents of system folders. * Under the Hidden files and folders section select the radio button labeled Show hidden files and folders. * Remove the checkmark from the checkbox labeled Hide file extensions for known file types. * Remove the checkmark from the checkbox labeled Hide protected operating system files. * Press the Apply button and then the OK button and exit My Computer. * Now your computer is configured to show all hidden files. Then run the followingDownload and install CCleanerCCleaner Double-click on the downloaded file "ccsetup215.exe" and install the application.Keep the default installation folder "C:\Program Files\CCleaner" Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"Click finish when done and close ALL PROGRAMSStart the CCleaner program.Click on Registry and Uncheck Registry Integrity so that it does not runClick on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"Click back to Cleaner and click on the Run Cleaner button on the bottom right side of the program.Click OK to any promptsStart HJT and do a Scan Only and place a check mark on the following entries.O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdkun.exe] C:\WINDOWS\system32\kdkun.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{17557CB1-7C86-4050-B442-88B92A3AB675}: NameServer = 216.187.147.38,216.187.147.39O17 - HKLM\System\CCS\Services\Tcpip\..\{C0A40FB6-22CE-4C92-A11D-EEAA4DFE5282}: NameServer = 216.187.147.38,216.187.147.39O20 - AppInit_DLLs: licupj.dllO20 - Winlogon Notify: jkkIXNDw - jkkIXNDw.dll (file missing)Then click on Fix checked then quit HJT and RESTART the computer.Then upload the following files (if they're still there, they may be gone already) for review herec:\windows\system32\licupj.dllc:\windows\system32\jkkIXNDw.dllC:\WINDOWS\system32\kdkun.exeYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location.Then run thisMalwarebytes' Anti-MalwareStart MalwareBytes AntiMalware Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThe RESTART the computer again and AFTER the restart run HJT Scan and Save log and post back all NEW logs. Link to post Share on other sites More sharing options...
jimhuertas Posted January 4, 2009 Author ID:44585 Share Posted January 4, 2009 Genius!!At least it looks like it!I did not recieve any additional "infections" in my last run.Here is the logs you requested!Thanks again! Let me know if you see anything else!The three files you requested that I upload were no longer on the machine.Malwarebytes' Anti-Malware 1.31Database version: 1604Windows 5.1.2600 Service Pack 31/3/2009 9:28:24 PMmbam-log-2009-01-03 (21-28-24).txtScan type: Quick ScanObjects scanned: 58421Time elapsed: 4 minute(s), 31 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)HJTLogfile of Trend Micro HijackThis v2.0.2Scan saved at 9:31:21 PM, on 1/3/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\WLTRYSVC.EXEC:\WINDOWS\System32\bcmwltry.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\Java\jre1.5.0_06\bin\jusched.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\WINDOWS\system32\WLTRAY.exeC:\WINDOWS\stsystra.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\CyberLink\PCM4Everio\EverioService.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\Program Files\Metacafe\MetacafeAgent.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Program Files\a-squared Free\a2service.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\Program Files\CyberLink\Shared Files\RichVideo.exeC:\WINDOWS\system32\Pen_Tablet.exeC:\WINDOWS\system32\WTablet\Pen_TabletUser.exeC:\WINDOWS\system32\Pen_Tablet.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wuauclt.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061005R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.comR1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061005R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: (no name) - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - (no file)O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)O2 - BHO: (no name) - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - (no file)O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dllO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstallO4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exeO4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exeO4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exeO4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.0.70:4343/officescan/consol...ll/WinNTChk.cabO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.0.70:4343/officescan/consol...ll/setupini.cabO16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.0.70:4343/officescan/consol...stall/setup.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cabO16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.0.70:4343/officescan/consol.../RemoveCtrl.cabO16 - DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} (XMRADIO.XM_SystemProfiler) - http://xmro.xmradio.com/xstream/registrati.../xmprofiler.CABO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exeO23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exeO23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE--End of file - 11707 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 4, 2009 Root Admin ID:44587 Share Posted January 4, 2009 I highly recommend that you remove Adobe Acrobar READER 7 and then install the latest version 9 if you need it.The older versions had code that was susceptible to attack from Malware.Also, you should upgrade IE6 to IE7 which has better protection than version 6 does.At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.Here are some free programs I recommend that could help you improve your computer's security.Spybot Search and DestroyDownload it from here. Just choose a mirror and off you go.Find here the tutorial on how to use Spybot properly hereInstall SpyWare BlasterDownload it from hereFind here the tutorial on how to use Spyware Blaster here Install WinPatrolDownload it from hereHere you can find information about how WinPatrol works hereInstall FireTrust SiteHoundYou can find information and download it from hereInstall hpHosts Download it from herehpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.hpHosts Support ForumUpdate your Antivirus programs and other security products regularly to avoid new threats that could infect your system.You can use one of these sites to check if any updates are needed for your pc.Secunia Software InspectorF-secure Health CheckVisit Microsoft often to get the latest updates for your computer.http://www.update.microsoft.comThe windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor FreeA little outdated but good reading on how to prevent MalwareKeep safe online and happy surfing.Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post InstructionsAlso don't forget that we offer FREE assistance with General PC questions and repair here PC Help If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org. Link to post Share on other sites More sharing options...
Recommended Posts