Full Version: Never-ending Pop-ups
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
Full Zombie
Last night I started getting some annoying popups on my laptop (which were punching through my popup blocker), and today they're unstoppable! The popups only pop up when I've got my laptop connected to the internet. They show up usually about 30 seconds apart, whether I close them or not. I updated my AdAware, ran it a few times just to be sure, and got the latest HiJackThis for a log. Here's what I see.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:38:07 AM, on 10/22/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\tsitra11.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\DOCUME~1\ibm\MYDOCU~1\MBOLS~1\mmc.exe
C:\Program Files\?ecurity\w?nlogon.exe
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\AVANTB~1\avant.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\ibm\Local Settings\Temporary Internet Files\Content.IE5\OA3EY455\HiJackThis_v2[1].exe

F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BCBB4F53-A790-D067-BB5C-F18A41832EE1} - C:\WINDOWS\System32\sabkcn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Pira] "C:\DOCUME~1\ibm\MYDOCU~1\MBOLS~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule7] "C:\Program Files\ISM\ISMModule7.exe"
O4 - HKCU\..\Run: [Mgrr] "C:\Program Files\?ecurity\w?nlogon.exe"
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146894552
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146879240
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

--
End of file - 3917 bytes
jurgenv
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here
Apply the update, reboot, and post a fresh Hijack This log.
Full Zombie
When I go to that link it tells me to install Service Pack 2 (I totally forgot that I didn't install it on this laptop after I bought it), but doesn't say anything about 1a. I tried to go ahead and just install SP2, and it downloaded but then freezes when it tries to install. I'm trying again, but the site says that it should take about 30 minutes, so I figured I'd make this post as an update in the meantime. Could my infection be preventing the update? I also can't access these forums on my laptop (the infected machine), but I can access every other website I've tried.

Edit: I restarted to try to install it again, and now the laptop is frozen cold at the Microsoft Windows XP "Windows is starting up..." screen.
jurgenv
No, you have to wait with SP2 until the system is clean...

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Full Zombie
That file does not exist. I get a 404 when I click the link or enter the address manually, and when I searched BleepingComputer.com's list of programs there was no combofix.exe present.

I did some research on my own and found another download for the program, and I ran it. It ran, restarted my computer, and gives me the message: 'SED' is not recognized as an internal or external command, operable program or batch file.

It doesn't do anything else, and if I try to run ANY program, including Adaware, it completely locks up my computer.

Are you sure this is what I should be doing? Because it seems to me like this is making the problem worse and worse.
Full Zombie
O.. k.. a.. y.. After numerous restarts with no success, I looked all over Microsoft.com and found that I can't get 1a because it is no longer supported. I found a mirror site and downloaded, and installed, Windows XP Service Pack 1a. After the restart from that, ComboFix was finally able to finish running, and now my computer is finally actually allowing me to run programs, and the popups have stopped. I know enough about viral infections however to realize that there's much more to fixing this problem.

ComboFix did not generate a log file though, so I don't have one to post. I've got to run out for a bit, so I don't have time just now to run HiJackThis, but I'll post a log of that soon, hopefully within the next few hours.
jurgenv
Try this link:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Full Zombie
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:36:21 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\sv3965\svchost.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\KernelDrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVANTB~1\avant.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\ibm\Local Settings\Temporary Internet Files\Content.IE5\AJAFC7KT\HiJackThis_v2[1].exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\10f6872bbc91a277e1a9f6fed17525ba\update\update.exe

F3 - REG:win.ini: load=C:\WINDOWS\sv3965\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {86882CA4-BE70-4BCE-AEA5-CF40EB8E0BC3} - C:\WINDOWS\system32\iifebcy.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CCA54EC4-F71D-4735-8E0A-1CC82C500052} - C:\WINDOWS\System32\mllig.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [fc606473] rundll32.exe "C:\WINDOWS\System32\gjxatywx.dll",b
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c cd /d C:\ComboFix\ & Combobatch.bat
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Pira] "C:\DOCUME~1\ibm\MYDOCU~1\MBOLS~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule7] "C:\Program Files\ISM\ISMModule7.exe"
O4 - HKCU\..\Run: [Mgrr] "C:\Program Files\?ecurity\w?nlogon.exe"
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - HKCU\..\Run: [f94mggfhfghodftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [Windows Rescue System] C:\DOCUME~1\ibm\LOCALS~1\Temp\winsto.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146894552
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146879240
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD44D9D0-2243-4DC6-9BB3-BC180D995C77}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0F3F161-F8DD-45F8-9CBD-900D718A2B16}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O20 - Winlogon Notify: iifebcy - iifebcy.dll (file missing)
O20 - Winlogon Notify: Ksmntix - C:\WINDOWS\SYSTEM32\ksmntix.dll
O20 - Winlogon Notify: Mnbdiev - Mnbdiev.dll (file missing)
O20 - Winlogon Notify: Tetbvpe - tetbvpe.dll (file missing)
O21 - SSODL: AHnGixIyej - {FC6064DD-56CA-CE77-E65A-774AC7C63540} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

--
End of file - 6270 bytes
Full Zombie
After three attempts I was finally able to get ComboFix to run and produce a log, but since I ran ComboFix I now cannot use any internet browsing programs on the machine. So without any way to send information from that machine, I can not post a ComboFix log file, or any more HiJackThis log files.
jurgenv
And if you transfer the log to the machine with an internet connection?
Full Zombie
My PC, the one I'm writing this from, doesn't see the other computers on the network. It's been a problem for a while, and I've so far been unable to fix it, so I just accept that I can't transfer data that way. And my laptop has no 3.5 floppy drive. Luckily however I was able to get my internet connection to work for a little while by opening Microsoft Update through the Control Panel, and I ran HiJackThis and sent both logs to myself via email.

ComboFix Log:

ComboFix 07-10-23.2 - ibm 2007-10-25 0:12:29.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.80 [GMT -4:00]
Running from: C:\Documents and Settings\ibm\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
.
---- Previous Run -------
.
C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\ibm\My Documents\MBOLS~1
C:\Documents and Settings\ibm\My Documents\MBOLS~1\??mbols\
C:\Documents and Settings\ibm\My Documents\MBOLS~1\mmc.exe
C:\Documents and Settings\ibm\Start Menu\Programs\Outerinfo
C:\Documents and Settings\ibm\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\ibm\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\LocalService\Local Settings\Application Data\n.ini
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ComPlus Applications\hoqeric4444.dll
C:\Program Files\ComPlus Applications\hoqeric83122.dll
C:\Program Files\ecurit~1
C:\Program Files\ecurit~1\w?nlogon.exe
C:\Program Files\ISM
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\0_exception.nls
C:\WINDOWS\system32\ac1
C:\WINDOWS\system32\ac1\rwv12drv.exe
C:\WINDOWS\system32\afjfovui.exe
C:\WINDOWS\system32\bsxi.dll
C:\WINDOWS\system32\drivers\Anaq61.sys
C:\WINDOWS\system32\drivers\Bbst69.sys
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\geuyblhg.dll
C:\WINDOWS\system32\gillm.bak1
C:\WINDOWS\system32\gillm.bak2
C:\WINDOWS\system32\gillm.ini
C:\WINDOWS\system32\gillm.ini2
C:\WINDOWS\system32\gillm.tmp
C:\WINDOWS\system32\iifebcy.dll
C:\WINDOWS\system32\kdwnf.exe
C:\WINDOWS\system32\kjodhlri.exe
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\mkjxrvgr.ini
C:\WINDOWS\system32\mllig.dll
C:\WINDOWS\system32\oTt08e
C:\WINDOWS\system32\oTt08e\oTt08e1099.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\qsvpekja.exe
C:\WINDOWS\system32\rgvrxjkm.dll
C:\WINDOWS\system32\RunOnce3.t__
C:\WINDOWS\system32\RunOnce3.tmp
C:\WINDOWS\system32\update176.exe
C:\WINDOWS\system32\update177.exe
C:\WINDOWS\system32\update246.exe
C:\WINDOWS\system32\update285.exe
C:\WINDOWS\system32\update294.exe
C:\WINDOWS\system32\vp4
C:\WINDOWS\system32\vp4\dode83122.exe
C:\WINDOWS\system32\wnsintcc.exe
C:\WINDOWS\system32\zb2
C:\WINDOWS\Temp\436277.exe
C:\WINDOWS\Temp\440042.exe
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\tsitra11.exe
C:\WINDOWS\tsitra77.exe
C:\WINDOWS\tsitra801.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\winshow.exe
C:\WINDOWS\wnsxs~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ANAQ61
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_LANMANDRV
-------\LEGACY_MICROSOFT_INTERNET_EXPLORER
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_POOF
-------\LEGACY_SYMAVC32
-------\DomainService
-------\kprof
-------\lanmandrv
-------\Microsoft Internet Explorer
-------\poof


-------\Anaq61




((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-24 22:42 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-24 03:09 <DIR> d-------- C:\WINDOWS\All Users
2007-10-24 02:20 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-24 02:20 <DIR> d-------- C:\WINDOWS\peernet
2007-10-24 01:13 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-10-24 00:43 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-24 00:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-23 22:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-23 22:54 <DIR> d-------- C:\WINDOWS\ehome
2007-10-23 22:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Viewpoint
2007-10-23 21:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 21:48 84,544 --a------ C:\WINDOWS\system32\gjxatywx.dll
2007-10-23 17:01 <DIR> d-------- C:\WINDOWS\sv3965
2007-10-23 17:01 16,024 --a------ C:\WINDOWS\system32\qmogemap.exe
2007-10-23 01:38 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-10-23 01:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Avant Profiles
2007-10-22 22:36 16,024 --a------ C:\WINDOWS\system32\qmipejlf.exe
2007-10-22 22:04 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-22 18:23 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-10-22 18:23 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-10-22 18:17 35,840 --a------ C:\WINDOWS\system32\ssl.dat
2007-10-22 18:17 35,840 --a------ C:\WINDOWS\system32\KernelDrv.exe
2007-10-22 18:17 23,685 --a------ C:\WINDOWS\system32\kcopt.dll
2007-10-22 18:17 18,967 --a------ C:\WINDOWS\system32\ksvcl.dll
2007-10-22 18:17 10,240 --a------ C:\WINDOWS\system32\Dll.dll
2007-10-22 18:07 16,024 --a------ C:\WINDOWS\system32\qmpdnbmf.exe
2007-10-22 17:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avant Profiles
2007-10-22 17:37 44 --a------ C:\WINDOWS\system32\p2hhr.bat
2007-10-22 17:35 10,000 --a------ C:\WINDOWS\system32\S7dsf4g.dll
2007-10-22 17:35 10,000 --a------ C:\WINDOWS\system32\Dhgthfg.dll
2007-10-22 17:33 7,680 --a------ C:\WINDOWS\ie_update3r.exe
2007-10-22 03:23 <DIR> d-------- C:\Documents and Settings\ibm\Application Data\SpyGuardPro
2007-10-22 03:22 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-10-22 03:22 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-10-22 03:22 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-10-22 03:22 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-10-22 03:22 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-22 03:20 <DIR> d-------- C:\Temp
2007-10-21 18:34 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-21 18:33 <DIR> d--hs---- C:\WINDOWS\aWJt
2007-10-21 18:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-21 18:31 19,755,376 --a------ C:\aaw2007.exe
2007-10-21 18:30 1,939,926 --a------ C:\absetup.exe
2007-10-21 03:14 77,824 --a------ C:\MicroSofts.pif

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 03:02 --------- d-----w C:\Program Files\Avant Browser
2007-09-15 04:39 --------- d-----w C:\Program Files\Simu
2007-08-31 08:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-26 05:19 --------- d-----w C:\Documents and Settings\ibm\Application Data\Viewpoint
2007-08-26 05:12 --------- d-----w C:\Documents and Settings\ibm\Application Data\acccore
2007-08-26 05:11 --------- d-----w C:\Program Files\Viewpoint
2007-08-26 05:11 --------- d-----w C:\Program Files\AIM6
2007-08-26 05:10 --------- d-----w C:\Program Files\Common Files\AOL
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2004-10-01 23:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\aWJt\uqLQ.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
C:\Program Files\ISM\BndDrive7.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 03:56 C:\WINDOWS\system32\tp4mon.exe]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 00:24]
"KernelDrv.exe"="C:\WINDOWS\System32\KernelDrv.exe" [2007-10-22 18:17]
"fc606473"="C:\WINDOWS\System32\gjxatywx.dll" [2007-10-23 21:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-24 05:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"Pira"="C:\DOCUME~1\ibm\MYDOCU~1\MBOLS~1\mmc.exe" []
"ISMModule7"="C:\Program Files\ISM\ISMModule7.exe" []
"Mgrr"="C:\Program Files\?ecurity\w?nlogon.exe" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Ksmntix]
Ksmntix.dll 2001-08-18 08:00 62464 C:\WINDOWS\system32\Ksmntix.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Mnbdiev]
Mnbdiev.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Tetbvpe]
tetbvpe.dll

S3 WlanUIB;iodata 802.11b USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 00:15:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?:?w?????????????????4@?????????D????4@?d???D???????d????<?w0???B;?wl?@?t?@?@7a?l?@?????????????????????????????????????????????????v??w ??w????B;?wj=?w?????4@??????>?w????l?@????????w????t?@???a?????????l?@?l?@?????MB?w????t?@?????l?@?8?@?l?@????s???????????

scanning hidden files ...

C:\WINDOWS\system32\ntos.exe 262144 bytes executable
C:\WINDOWS\system32\wsnpoem

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-10-25 0:16:58
.
--- E O F ---
HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:58:57 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\KernelDrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\AVANTB~1\avant.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ibm\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [fc606473] rundll32.exe "C:\WINDOWS\System32\gjxatywx.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Pira] "C:\DOCUME~1\ibm\MYDOCU~1\MBOLS~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule7] "C:\Program Files\ISM\ISMModule7.exe"
O4 - HKCU\..\Run: [Mgrr] "C:\Program Files\?ecurity\w?nlogon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146894552
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146879240
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD44D9D0-2243-4DC6-9BB3-BC180D995C77}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0F3F161-F8DD-45F8-9CBD-900D718A2B16}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O20 - Winlogon Notify: Ksmntix - C:\WINDOWS\SYSTEM32\ksmntix.dll
O20 - Winlogon Notify: Mnbdiev - Mnbdiev.dll (file missing)
O20 - Winlogon Notify: Tetbvpe - tetbvpe.dll (file missing)
O21 - SSODL: AHnGixIyej - {FC6064DD-56CA-CE77-E65A-774AC7C63540} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

--
End of file - 5336 bytes
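The logs in this post are the kind of thing a helper reads by eye. What follows is an added example, written for this page and not code from HijackThis, ComboFix, Lavasoft or anyone in the thread, that does the same triage mechanically: it parses the F2/F3/O2/O4/O17/O20 lines, flags the patterns worth a second look (a program chained onto UserInit, a win.ini load= entry, autostarts from Temp or My Documents or with ?-obscured names, a DLL handed to rundll32, orphaned Winlogon Notify keys), and compares every NameServer value against a set of trusted resolvers. That trusted set is an assumption the caller has to fill in from their ISP or router (192.168.1.1 below is a placeholder, not from the thread); the sample lines are copied from the HijackThis logs above. On this log it reports the ntos.exe entry on UserInit and the two 85.255.x.x resolvers alongside the dropped files.

```python
"""HijackThis log triage. Added example for this thread; not code from
HijackThis, ComboFix or Lavasoft. Sample lines are copied from the logs above."""
import ipaddress
import re
from collections import namedtuple

SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\sv3965\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [fc606473] rundll32.exe "C:\WINDOWS\System32\gjxatywx.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pira] "C:\DOCUME~1\ibm\MYDOCU~1\MBOLS~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Mgrr] "C:\Program Files\?ecurity\w?nlogon.exe"
O4 - HKCU\..\Run: [f94mggfhfghodftdf] C:\WINDOWS\TEMP\winlogan.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O20 - Winlogon Notify: Ksmntix - C:\WINDOWS\SYSTEM32\ksmntix.dll
O20 - Winlogon Notify: Mnbdiev - Mnbdiev.dll (file missing)
"""

Finding = namedtuple("Finding", ["section", "reason", "detail"])
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Folders a limited user can write to; nothing legitimate autostarts from them.
USER_WRITABLE = ("\\temp\\", "\\temporary internet files\\", "\\local settings\\", "\\locals~1\\",
                 "\\documents and settings\\", "\\docume~1\\", "\\my documents\\", "\\mydocu~1\\")


def parse_entries(text):
    """Yield (section, body) for every 'O4 - ...' / 'F2 - ...' line; process lists are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def o4_target(body):
    """Split an O4 body into (executable, DLL handed to rundll32 or None)."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    m = re.match(r'"?(.*?\.(?:exe|com|scr|bat|pif))"?', cmd, re.I)
    exe = m.group(1) if m else cmd
    dll = None
    if m and exe.lower().endswith("rundll32.exe"):
        d = re.search(r'"?([^",]+\.dll)"?', cmd[m.end():], re.I)
        dll = d.group(1).strip() if d else None
    return exe, dll


def triage(log_text, trusted_dns=frozenset()):
    """Return the entries a log reader should question. trusted_dns is the set of
    resolvers this machine should be using (ISP or router), supplied by the caller."""
    findings, rogue_dns = [], set()
    for section, body in parse_entries(log_text):
        if section == "F2" and "UserInit=" in body:
            for prog in body.split("UserInit=", 1)[1].split(","):
                prog = prog.strip()
                if prog and not prog.lower().endswith("\\userinit.exe"):
                    findings.append(Finding(section, "extra program chained onto UserInit", prog))
        elif section == "F3" and "load=" in body:
            target = body.split("load=", 1)[1].strip()
            if target:
                findings.append(Finding(section, "win.ini load= autostart (empty on a clean XP)", target))
        elif section == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append(Finding(section, "unnamed or orphaned browser helper object", body))
        elif section == "O4":
            exe, dll = o4_target(body)
            low = exe.lower()
            if any(mark in low for mark in USER_WRITABLE):
                findings.append(Finding(section, "autostart from a user-writable folder", exe))
            elif "?" in exe:  # HijackThis prints unprintable characters as '?'
                findings.append(Finding(section, "autostart path with unprintable characters (look-alike name)", exe))
            elif re.fullmatch(r"[a-z]:\\windows\\[^\\]+", low):
                findings.append(Finding(section, "executable dropped directly into the Windows folder", exe))
            if dll:
                findings.append(Finding(section, "DLL loaded through rundll32 at logon; verify it", dll))
        elif section == "O17":
            for ip in IP_RE.findall(body):
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    continue
                if ip not in trusted_dns and not addr.is_private:
                    rogue_dns.add(ip)
        elif section == "O20":
            reason = ("orphaned Winlogon Notify key (DLL gone, key left behind)" if "(file missing)" in body
                      else "non-default Winlogon Notify DLL; verify it")
            findings.append(Finding(section, reason, body.split(":", 1)[1].strip()))
    for ip in sorted(rogue_dns):
        findings.append(Finding("O17", "DNS resolver outside the trusted set on at least one adapter", ip))
    return findings


if __name__ == "__main__":
    # 192.168.1.1 stands in for the household router: an assumption, not from the thread.
    for f in triage(SAMPLE_LOG, trusted_dns={"192.168.1.1"}):
        print(f"{f.section:<4} {f.reason}: {f.detail}")
```

Two things the script makes visible that are easy to miss when reading by hand: the O17 values in this log are set not only under CurrentControlSet but also under ControlSet001 and ControlSet002, so resetting DNS on the current adapter alone leaves copies behind, and the UserInit chain is what runs ntos.exe at every logon regardless of which Run entries get removed. Both entries are still present in the log at the end of this post.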
jurgenv
* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste next part:

C:\WINDOWS\system32\gjxatywx.dll
C:\WINDOWS\system32\qmogemap.exe
C:\WINDOWS\system32\qmipejlf.exe
C:\WINDOWS\system32\qmpdnbmf.exe
C:\WINDOWS\system32\Dhgthfg.dll
C:\WINDOWS\ie_update3r.exe
Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply with a new hijackthis log.
Full Zombie
MoveIt Log:

DllUnregisterServer procedure not found in C:\WINDOWS\system32\gjxatywx.dll
C:\WINDOWS\system32\gjxatywx.dll NOT unregistered.
C:\WINDOWS\system32\gjxatywx.dll moved successfully.
C:\WINDOWS\system32\qmogemap.exe moved successfully.
C:\WINDOWS\system32\qmipejlf.exe moved successfully.
C:\WINDOWS\system32\qmpdnbmf.exe moved successfully.
C:\WINDOWS\system32\Dhgthfg.dll NOT unregistered.
C:\WINDOWS\system32\Dhgthfg.dll moved successfully.
C:\WINDOWS\ie_update3r.exe moved successfully.

Created on 10/25/2007 16:35:00

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:37:10 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\KernelDrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVANTB~1\avant.exe
C:\Documents and Settings\ibm\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [fc606473] rundll32.exe "C:\WINDOWS\System32\gjxatywx.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Pira] "C:\DOCUME~1\ibm\MYDOCU~1\MBOLS~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule7] "C:\Program Files\ISM\ISMModule7.exe"
O4 - HKCU\..\Run: [Mgrr] "C:\Program Files\?ecurity\w?nlogon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146894552
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146879240
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD44D9D0-2243-4DC6-9BB3-BC180D995C77}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0F3F161-F8DD-45F8-9CBD-900D718A2B16}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O20 - Winlogon Notify: Ksmntix - C:\WINDOWS\SYSTEM32\ksmntix.dll
O20 - Winlogon Notify: Mnbdiev - Mnbdiev.dll (file missing)
O20 - Winlogon Notify: Tetbvpe - tetbvpe.dll (file missing)
O21 - SSODL: AHnGixIyej - {FC6064DD-56CA-CE77-E65A-774AC7C63540} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

--
End of file - 5270 bytes
jurgenv
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
Full Zombie
As suggested by the program, I double-clicked the registry file dnsbak.reg in the Fixwareout folder, but it doesn't seem to have improved my problems with connecting to the internet. Here are the logs:

Fixwareout Log:

Username "ibm" - 10/26/2007 20:29:48 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.134 85.255.112.140" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}
"nameserver"="85.255.113.134,85.255.112.140" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CD44D9D0-2243-4DC6-9BB3-BC180D995C77}
"nameserver"="85.255.113.134,85.255.112.140" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E0F3F161-F8DD-45F8-9CBD-900D718A2B16}
"nameserver"="85.255.113.134,85.255.112.140" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CD44D9D0-2243-4DC6-9BB3-BC180D995C77}
"DhcpNameServer"="85.255.113.134,85.255.112.140" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E0F3F161-F8DD-45F8-9CBD-900D718A2B16}
"DhcpNameServer"="85.255.113.134,85.255.112.140" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E40EFDA9-6448-4634-91CC-7DC630755BCA}
"DhcpNameServer"="85.255.113.134,85.255.112.140" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"KernelDrv.exe"="C:\\WINDOWS\\System32\\KernelDrv.exe"
"fc606473"="rundll32.exe \"C:\\WINDOWS\\System32\\gjxatywx.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"=""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"Pira"="\"C:\\DOCUME~1\\ibm\\MYDOCU~1\\MBOLS~1\\mmc.exe\" -vt yazb"
"ISMModule7"="\"C:\\Program Files\\ISM\\ISMModule7.exe\""
"Mgrr"="\"C:\\Program Files\\?ecurity\\w?nlogon.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:37:38 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\KernelDrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\ibm\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [fc606473] rundll32.exe "C:\WINDOWS\System32\gjxatywx.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Pira] "C:\DOCUME~1\ibm\MYDOCU~1\MBOLS~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule7] "C:\Program Files\ISM\ISMModule7.exe"
O4 - HKCU\..\Run: [Mgrr] "C:\Program Files\?ecurity\w?nlogon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146894552
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146879240
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD44D9D0-2243-4DC6-9BB3-BC180D995C77}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0F3F161-F8DD-45F8-9CBD-900D718A2B16}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O20 - Winlogon Notify: Ksmntix - C:\WINDOWS\SYSTEM32\Ksmntix.dll
O20 - Winlogon Notify: Mnbdiev - Mnbdiev.dll (file missing)
O20 - Winlogon Notify: Tetbvpe - tetbvpe.dll (file missing)
O21 - SSODL: AHnGixIyej - {FC6064DD-56CA-CE77-E65A-774AC7C63540} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

--
End of file - 5087 bytes
jurgenv
* I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. AVG makes an excellent free antivirus client, as do AntiVir and avast!.

* Please open hijackthis and put a check next to the following:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [fc606473] rundll32.exe "C:\WINDOWS\System32\gjxatywx.dll",b
O4 - HKCU\..\Run: [Pira] "C:\DOCUME~1\ibm\MYDOCU~1\MBOLS~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Mgrr] "C:\Program Files\?ecurity\w?nlogon.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD44D9D0-2243-4DC6-9BB3-BC180D995C77}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0F3F161-F8DD-45F8-9CBD-900D718A2B16}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O20 - Winlogon Notify: Ksmntix - C:\WINDOWS\SYSTEM32\Ksmntix.dll
O20 - Winlogon Notify: Mnbdiev - Mnbdiev.dll (file missing)
O20 - Winlogon Notify: Tetbvpe - tetbvpe.dll (file missing)
O21 - SSODL: AHnGixIyej - {FC6064DD-56CA-CE77-E65A-774AC7C63540} - (no file)


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* Delete the following files with OTMoveIt:

C:\WINDOWS\System32\KernelDrv.exe
C:\WINDOWS\System32\gjxatywx.dll
C:\WINDOWS\SYSTEM32\Ksmntix.dll


* Go to http://www.virustotal.com/ and upload the following file:

C:\WINDOWS\system32\ntos.exe

* Post the report of it here with the logs from OTMoveIt, combofix and hijackthis.
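The entries jurgenv picks out above (the second executable on the UserInit line, the rundll32 autorun under a hex-named Run value, the autorun path that prints with '?' in it, the same public NameServer pair pinned under CCS and CS1, and the Winlogon Notify and SSODL entries with no file behind them) are the kind of indicators a script can flag mechanically instead of by eye. The Python below is an added example written for this page; it is not code from HijackThis, Lavasoft, or anyone in the thread. It parses HijackThis v2 log lines and reports those indicators. The sample input is a constructed excerpt of lines quoted from the logs posted above plus one benign O2 line; the XP Winlogon Notify allowlist, the "hex-only Run value name" heuristic, and the `allowed_dns` parameter are assumptions made here, not something the thread states.

```python
import ipaddress
import re
from typing import List, Tuple

ENTRY_RE = re.compile(r"^(?P<tag>F\d|O\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")
CONTROLSET_RE = re.compile(r"\\CS\d\\")  # HijackThis abbreviates ControlSet00x as CSx

# Winlogon Notify packages Windows XP SP2 ships with (assumed allowlist; vendor packages
# such as graphics-driver notifiers would need adding on a given machine).
XP_NOTIFY_DEFAULTS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed sample: lines quoted from the logs in this thread plus a benign O2 line.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [fc606473] rundll32.exe "C:\WINDOWS\System32\gjxatywx.dll",b
O4 - HKCU\..\Run: [Mgrr] "C:\Program Files\?ecurity\w?nlogon.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B8EC79A-D092-423A-9C8A-CEA3EF0B7C21}: NameServer = 85.255.113.134,85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.140
O20 - Winlogon Notify: Ksmntix - C:\WINDOWS\SYSTEM32\Ksmntix.dll
O20 - Winlogon Notify: Mnbdiev - Mnbdiev.dll (file missing)
O21 - SSODL: AHnGixIyej - {FC6064DD-56CA-CE77-E65A-774AC7C63540} - (no file)
"""


def _basename(path: str) -> str:
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def _is_public(addr: str) -> bool:
    try:
        return not ipaddress.ip_address(addr).is_private
    except ValueError:  # not an address at all: treat as suspicious
        return True


def triage(log_text: str, allowed_dns=frozenset()) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries worth a closer look."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tag, body = m.group("tag"), m.group("body")

        if tag == "F2" and "UserInit=" in body:
            # Winlogon runs every comma-separated entry; only userinit.exe belongs here.
            exes = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in exes if _basename(p) != "userinit.exe"]
            if extra:
                findings.append((line, "UserInit chain-loads " + ", ".join(extra)))

        elif tag == "O4":
            r = RUN_RE.match(body)
            if r is None:
                continue
            name, cmd = r.group("name"), r.group("cmd")
            if "?" in cmd:
                # HijackThis prints characters outside the console code page as '?';
                # look-alike directory names use them to mimic "Security"/"winlogon".
                findings.append((line, "autorun path contains a non-ASCII look-alike character"))
            elif re.fullmatch(r"[0-9a-f]{6,}", name, re.IGNORECASE):
                findings.append((line, f"randomised hex Run value name '{name}'"))

        elif tag == "O17":
            n = NS_RE.search(body)
            if n is None:
                continue
            servers = re.split(r"[ ,]+", n.group("servers").strip())
            bad = [s for s in servers if s not in allowed_dns and _is_public(s)]
            if bad:
                where = "ControlSet00x" if CONTROLSET_RE.search(body) else "CurrentControlSet"
                findings.append((line, f"public DNS {', '.join(bad)} pinned in {where}"))

        elif tag == "O20" and body.startswith("Winlogon Notify:"):
            pkg, _, dll = body.partition(": ")[2].partition(" - ")
            if "(file missing)" in dll:
                findings.append((line, f"Winlogon Notify '{pkg}' points at a missing DLL"))
            elif pkg.lower() not in XP_NOTIFY_DEFAULTS:
                findings.append((line, f"non-default Winlogon Notify package '{pkg}' loads {dll}"))

        elif tag == "O21" and "(no file)" in body:
            findings.append((line, "SSODL entry with no backing file"))
    return findings


if __name__ == "__main__":
    for raw, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {raw}")
```

Run it on a full log by passing the file's text to `triage()`. The O17 check deliberately reports a ControlSet00x hit separately from a CurrentControlSet one: a pair of resolver addresses that also sits in CS1/CS2 will come back after "Last Known Good", which is why the Fixwareout run earlier in the thread cleared the interface keys under every control set and not just the current one.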
Full Zombie
OTMoveIt:

c:\windows\system32\kerneldrv.exe moved successfully.
File/Folder c:\windows\system32\gjxatywx.dll not found.
LoadLibrary failed for c:\windows\system32\ksmntix.dll
c:\windows\system32\ksmntix.dll NOT unregistered.
File move failed. c:\windows\system32\ksmntix.dll scheduled to be moved on reboot.

Created on 10/27/2007 23:24:37

ComboFix:

ComboFix 07-10-23.2 - ibm 2007-10-27 23:53:04.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.99 [GMT -4:00]
Running from: C:\Documents and Settings\ibm\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.

2007-10-24 22:42 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-24 03:09 <DIR> d-------- C:\WINDOWS\All Users
2007-10-24 02:20 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-24 02:20 <DIR> d-------- C:\WINDOWS\peernet
2007-10-24 01:13 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-10-24 00:43 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-24 00:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-23 22:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-23 22:54 <DIR> d-------- C:\WINDOWS\ehome
2007-10-23 22:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Viewpoint
2007-10-23 21:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 17:01 <DIR> d-------- C:\WINDOWS\sv3965
2007-10-23 01:38 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-10-23 01:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Avant Profiles
2007-10-22 22:04 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-22 18:23 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-10-22 18:23 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-10-22 18:17 35,840 --a------ C:\WINDOWS\system32\ssl.dat
2007-10-22 18:17 10,240 --a------ C:\WINDOWS\system32\Dll.dll
2007-10-22 18:17 5,633 --a------ C:\WINDOWS\system32\kcopt.dll
2007-10-22 18:17 197 --a------ C:\WINDOWS\system32\ksvcl.dll
2007-10-22 17:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avant Profiles
2007-10-22 17:37 44 --a------ C:\WINDOWS\system32\p2hhr.bat
2007-10-22 17:35 10,000 --a------ C:\WINDOWS\system32\S7dsf4g.dll
2007-10-22 03:23 <DIR> d-------- C:\Documents and Settings\ibm\Application Data\SpyGuardPro
2007-10-22 03:22 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-10-22 03:22 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-10-22 03:22 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-10-22 03:22 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-10-22 03:22 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-22 03:20 <DIR> d-------- C:\Temp
2007-10-21 18:34 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-21 18:33 <DIR> d--hs---- C:\WINDOWS\aWJt
2007-10-21 18:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-21 18:31 19,755,376 --a------ C:\aaw2007.exe
2007-10-21 18:30 1,939,926 --a------ C:\absetup.exe
2007-10-21 03:14 77,824 --a------ C:\MicroSofts.pif

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-25 04:38 --------- d-----w C:\Program Files\Avant Browser
2007-09-15 04:39 --------- d-----w C:\Program Files\Simu
2007-08-31 08:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2004-10-01 23:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\aWJt\uqLQ.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-10-25_ 0.15.56.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 06:14:10 69,824 ----a-w C:\WINDOWS\nwan.dat
+ 2004-08-04 06:14:10 69,856 ----a-w C:\WINDOWS\nwan.dat
- 2007-10-25 04:09:27 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-28 03:30:20 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-25 04:09:27 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-28 03:30:20 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-25 04:09:27 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-28 03:30:20 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 03:56 C:\WINDOWS\system32\tp4mon.exe]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 00:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-24 05:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"ISMModule7"="C:\Program Files\ISM\ISMModule7.exe" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Ksmntix]
Ksmntix.dll

S3 WlanUIB;iodata 802.11b USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 23:55:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?:?w?????????????????4@?????????D????4@?d???D???????d????<?w0???B;?wl?@?t?@?@7a?l?@?????????????????????????????????????????????????v??w ??w????B;?wj=?w?????4@??????>?w????l?@????????w????t?@???a?????????l?@?l?@?????MB?w????t?@?????l?@?8?@?l?@????s???????????

scanning hidden files ...

C:\WINDOWS\system32\ntos.exe 373760 bytes executable
C:\WINDOWS\system32\wsnpoem

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-10-27 23:57:20
C:\ComboFix2.txt ... 2007-10-25 00:17
.
--- E O F ---

HiJackThis:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:18:08 AM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\ibm\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ISMModule7] "C:\Program Files\ISM\ISMModule7.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146894552
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146879240
O20 - Winlogon Notify: Ksmntix - Ksmntix.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

--
End of file - 3790 bytes

And when I went to upload that file I got: "0 bytes size received / Se ha recibido un archivo vacio"
jurgenv
Zip the file with WinZip or WinRAR and then upload the archive.
Full Zombie
Are you sure that it is "C:\WINDOWS\system32\ntos.exe?" I went looking for the spell to zip it, and I can't find it in that folder, or anywhere else on my computer. I can find a lot of ntoskrnl files in various folders, though.
jurgenv
And if you use the search function in Windows XP?
Full Zombie
When I couldn't find the file manually I used the search function, looking for any file containing "ntos," and all I found was one NTOSBOOT-B00DFAAD.pf file and a long list of ntoskrnl files. One of the ntoskrnl files is in C:\WINDOWS\system32\, so I did a little looking on my own and found a number of sources stating that ntoskrnl is a normal Windows file that I need to run my system, so that can't be the file you need, can it?

So the simple answer is: Yes, I used Search. No, there is no copy of ntos.exe on my computer that I can find.
jurgenv
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click Yes when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click "Yes to all" if it asks whether you want to cure/move the file.
  • When the scan has finished, check whether the icon next to the files found can be clicked.
  • If so, click it, then click the icon right below it and select "Move incurable".

    This will move the file to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! Files that are in use may be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved in your next reply.
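Once DrWeb.csv exists, the useful question is which detections were still live on the system and which were in material other tools had already taken out of place (ComboFix's C:\qoobox\Quarantine, OTMoveIt's C:\_OTMoveIt\MovedFiles) or in System Restore snapshots, which the scanner only sees because it walks System Volume Information. The Python below is an added example written for this page; it is not part of the thread and not Dr.Web tooling. It assumes the semicolon-separated record layout `name;directory;threat;action;` and uses a constructed sample in that format; the containment prefixes and the "live" category are assumptions made here.

```python
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    name: str
    directory: str
    threat: str
    action: str


# Constructed sample in the assumed DrWeb.csv layout (name;directory;threat;action;).
SAMPLE_CSV = r"""ntos.exe;c:\windows\system32;Trojan.Proxy.2071;Deleted.;
5.tmp;C:\;Trojan.Proxy.2359;Deleted.;
mmc.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\ibm\My Documents\MBOLS~1;Adware.MediaTicket;Moved.;
Yazzle1549OinAdmin.exe.vir\data001;C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1549OinAdmin.exe.vir;Adware.MediaTicket.origin;;
A0033815.sys;C:\System Volume Information\_restore{69D55958-FC8A-4EB9-9088-CAE96416DCE1}\RP148;Trojan.NtRootKit.414;Deleted.;
nwan.dat;C:\WINDOWS;Trojan.Proxy.origin;Incurable.Moved.;
ksmntix.dll;C:\_OTMoveIt\MovedFiles\WINDOWS\system32;Trojan.Inject.398;Deleted.;
"""

# Locations where another tool had already taken the file out of its original place
# (assumed prefixes; adjust for the tools actually used on a given machine).
CONTAINED_PREFIXES = {
    "combofix quarantine": r"c:\qoobox\quarantine",
    "otmoveit": r"c:\_otmoveit\movedfiles",
    "system restore": r"c:\system volume information\_restore",
}


def parse_drweb(text: str) -> List[Hit]:
    """Split each report line into its four fields; skip blank or short lines."""
    hits = []
    for line in text.splitlines():
        fields = line.rstrip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        hits.append(Hit(fields[0], fields[1], fields[2], fields[3]))
    return hits


def classify(hit: Hit) -> str:
    """Return the containment category, or 'live' for a file still in its original location."""
    d = hit.directory.lower()
    for label, prefix in CONTAINED_PREFIXES.items():
        if d.startswith(prefix):
            return label
    return "live"


def summarize(text: str) -> Dict[str, List[Hit]]:
    groups: Dict[str, List[Hit]] = {"live": [], **{k: [] for k in CONTAINED_PREFIXES}}
    for hit in parse_drweb(text):
        groups[classify(hit)].append(hit)
    return groups


def unresolved(text: str) -> List[Hit]:
    """Live hits the scanner neither deleted nor moved (a blank action means an archive member;
    the enclosing archive's own record carries the action)."""
    return [h for h in summarize(text)["live"]
            if not (h.action.startswith("Deleted") or "Moved" in h.action)]


if __name__ == "__main__":
    for label, hits in summarize(SAMPLE_CSV).items():
        print(f"{label}: {len(hits)}")
        for h in hits:
            print(f"    {h.threat:<28} {h.action:<18} {h.directory}\\{h.name}")
    print("still live and untreated:", [h.name for h in unresolved(SAMPLE_CSV)])
```

The "live" group is the one that explains the symptoms; the other groups mostly confirm that earlier steps in a cleanup worked. A non-empty "system restore" group is the usual cue to purge restore points once the machine is clean, since a rollback would otherwise bring the driver back.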
Full Zombie
DrWeb log:

ntos.exe;c:\windows\system32;Trojan.Proxy.2071;Deleted.;
S7dsf4g.dll;C:\WINDOWS\system32;Trojan.DownLoader.35873;Deleted.;
3D.tmp;C:\;Trojan.DownLoader.35855;Deleted.;
5.tmp;C:\;Trojan.Proxy.2359;Deleted.;
56.tmp;C:\;Trojan.DownLoader.35855;Deleted.;
mmc.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\ibm\My Documents\MBOLS~1;Adware.MediaTicket;Moved.;
Yazzle1549OinAdmin.exe.vir\data001;C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1549OinAdmin.exe.vir;Adware.MediaTicket.origin;;
Yazzle1549OinAdmin.exe.vir\data002;C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1549OinAdmin.exe.vir;Trojan.PurityAd.origin;;
Yazzle1549OinAdmin.exe.vir;C:\qoobox\Quarantine\C\Program Files\Common Files;Archive contains infected objects;Moved.;
Yazzle1552OinAdmin.exe.vir;C:\qoobox\Quarantine\C\Program Files\Common Files;Adware.ClickSpring;Incurable.Moved.;
hoqeric4444.dll.vir;C:\qoobox\Quarantine\C\Program Files\ComPlus Applications;Adware.Ttc;Incurable.Moved.;
hoqeric83122.dll.vir;C:\qoobox\Quarantine\C\Program Files\ComPlus Applications;Adware.Ttc;Incurable.Moved.;
ISMPack7.exe.vir;C:\qoobox\Quarantine\C\Program Files\ISM2;Adware.SearchAid.origin;Incurable.Moved.;
tsitra1000106.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.DownLoader.31817;Deleted.;
tsitra11.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.DownLoader.31817;Deleted.;
tsitra77.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.DownLoader.31817;Deleted.;
tsitra801.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.DownLoader.31817;Deleted.;
winshow.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.Click.4740;Deleted.;
afjfovui.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
bsxi.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Adware.ClickSpring.origin;Incurable.Moved.;
geuyblhg.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Juan.23;Deleted.;
kjodhlri.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
koos.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Sklog;Deleted.;
poof.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.NtRootKit.218;Deleted.;
qsvpekja.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
update176.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.MulDrop.9287;Deleted.;
update177.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.MulDrop.9341;Deleted.;
update246.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Packed.162;Deleted.;
update285.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.MulDrop.9325;Deleted.;
update294.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.MulDrop.9421;Deleted.;
_svchost.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.DownLoader.35262;Deleted.;
~.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.DownLoader.35262;Deleted.;
rwv12drv.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\ac1;Trojan.DownLoader.35855;Deleted.;
Anaq61.sys.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.NtRootKit.414;Deleted.;
Bbst69.sys.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.NtRootKit.414;Deleted.;
runtime2.sys.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.NtRootKit.422;Deleted.;
secdrv.sys.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\drivers;BackDoor.Bulknet;Deleted.;
oTt08e1099.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\oTt08e;Trojan.DownLoader.24715;Deleted.;
440042.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\Temp;Trojan.DownLoader.35855;Deleted.;
A0033815.sys;C:\System Volume Information\_restore{69D55958-FC8A-4EB9-9088-CAE96416DCE1}\RP148;Trojan.NtRootKit.414;Deleted.;
A0035898.sys;C:\System Volume Information\_restore{69D55958-FC8A-4EB9-9088-CAE96416DCE1}\RP148;Trojan.Spambot.2439;Deleted.;
A0035956.exe;C:\System Volume Information\_restore{69D55958-FC8A-4EB9-9088-CAE96416DCE1}\RP148;Trojan.Proxy.2359;Deleted.;
A0035972.exe;C:\System Volume Information\_restore{69D55958-FC8A-4EB9-9088-CAE96416DCE1}\RP149;Trojan.Packed.155;Deleted.;
A0037032.exe;C:\System Volume Information\_restore{69D55958-FC8A-4EB9-9088-CAE96416DCE1}\RP151;Trojan.Proxy.2071;Deleted.;
A0037033.dll;C:\System Volume Information\_restore{69D55958-FC8A-4EB9-9088-CAE96416DCE1}\RP151;Trojan.DownLoader.35873;Deleted.;
nwan.dat;C:\WINDOWS;Trojan.Proxy.origin;Incurable.Moved.;
ie_update3r.exe;C:\_OTMoveIt\MovedFiles\WINDOWS;Trojan.DownLoader.35262;Deleted.;
Dhgthfg.dll;C:\_OTMoveIt\MovedFiles\WINDOWS\system32;Trojan.DownLoader.35872;Deleted.;
ksmntix.dll;C:\_OTMoveIt\MovedFiles\WINDOWS\system32;Trojan.Inject.398;Deleted.;
New HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:37:33 PM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\ibm\Desktop\HiJackThis_v2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ISMModule7] "C:\Program Files\ISM\ISMModule7.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146894552
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146879240
O20 - Winlogon Notify: Ksmntix - Ksmntix.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

--
End of file - 3600 bytes
jurgenv
Can I see a new HijackThis log with the newer version of HijackThis? (version 2.0.2)
Full Zombie
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:43 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\aim6\services\SOFTWA~1\VER2_1~1\AOLRetC.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOLOCP~1\AIM\Storage\ALLUSE~1\SUDS_B~1\CACHE\42200~1.4\aolsetup.exe
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4220\setup.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Documents and Settings\ibm\Desktop\HiJackThis_v2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ISMModule7] "C:\Program Files\ISM\ISMModule7.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146894552
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146879240
O20 - Winlogon Notify: Ksmntix - Ksmntix.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3931 bytes
jurgenv
* Please open hijackthis and put a check next to the following:

O20 - Winlogon Notify: Ksmntix - Ksmntix.dll (file missing)

* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* After that, tell me how everything is working.
Full Zombie
Here's my HJT log, after following those steps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:31 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Documents and Settings\ibm\Desktop\HiJackThis_v2.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ISMModule7] "C:\Program Files\ISM\ISMModule7.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146894552
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189146879240
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4219 bytes
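A mechanical way to check the result of the step jurgenv asked for (added example for this thread, not a HijackThis feature and not code anyone in the thread posted): parse the two v2.0.2 logs, diff their entries, and list any entry that still ends in "(file missing)", the dangling-reference pattern the helper had flagged in the O20 line. The two sample logs below are short excerpts constructed from the before and after logs posted above; the parser handles the HijackThis line layout shown in them (a "Running processes:" block followed by numbered Oxx entries).

```python
"""Diff two HijackThis logs and flag entries whose target file is missing.

Added example for this thread. The sample logs are constructed excerpts of
the two v2.0.2 logs posted above (before and after fixing the O20 entry).
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the log posted before the fix.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:43 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O20 - Winlogon Notify: Ksmntix - Ksmntix.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

--
End of file - 3931 bytes
"""

# Constructed excerpt of the log posted after "Fix Checked" (AVG was installed in between).
LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:31 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

--
End of file - 4219 bytes
"""

# A HijackThis entry starts with a section tag such as O4, O20, F3, R1 ... followed by " - ".
ENTRY_RE = re.compile(r"^([OFRN]\d+) - (.*)$")


def parse_hjt(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (running_processes, {section_tag: [entry line, ...]})."""
    processes: List[str] = []
    entries: Dict[str, List[str]] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append(line)
    return processes, entries


def _flat(entries: Dict[str, List[str]]) -> Set[str]:
    return {e for lst in entries.values() for e in lst}


def diff_entries(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Return (entries removed, entries added) between two logs."""
    before_set = _flat(parse_hjt(before)[1])
    after_set = _flat(parse_hjt(after)[1])
    return before_set - after_set, after_set - before_set


def file_missing_entries(text: str) -> List[str]:
    """Entries whose referenced file HijackThis could not find on disk."""
    return sorted(e for e in _flat(parse_hjt(text)[1]) if e.endswith("(file missing)"))


if __name__ == "__main__":
    removed, added = diff_entries(LOG_BEFORE, LOG_AFTER)
    print("Removed:", *sorted(removed), sep="\n  ")
    print("Added:", *sorted(added), sep="\n  ")
    print("Still marked (file missing):", file_missing_entries(LOG_AFTER) or "none")
```

Run as a script it prints the one removed entry (the O20 Winlogon Notify line), the AVG entries that appeared in the meantime, and confirms nothing in the after log is still marked "(file missing)"; that is the same comparison the helper makes by eye across the two posts.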
jurgenv
QUOTE(jurgenv @ Oct 30 2007, 12:15 AM)
* Please open hijackthis and put a check next to the following:

O20 - Winlogon Notify: Ksmntix - Ksmntix.dll (file missing)

* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* After that, tell me how everything is working.

I think you forgot this step.
Full Zombie
Everything seems to be working fine, but that doesn't mean that it is working fine. I posted the HiJackThis log so that you can tell me if it looks fine.
jurgenv
Your log looks clean but I need confirmation from you.
Full Zombie
Well if the log is clean then I guess I'm all fixed. Thanks for the help.
jurgenv
It looks clean, you have to tell me if everything is running back to normal again, so if you still have pop-ups or so, we can always help you.
LS CalamityJane
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !