Here are the new ComboFix and HijackThis logs:
ComboFix 07-11-08.3 - sb 2007-10-20 20:42:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1030.18.234 [GMT 2:00]
Running from: C:\Documents and Settings\sb\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\sb\Skrivebord\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\Fonts\LOWP____.FOT
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Fonts\LOWP____.FOT
.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.
2007-11-18 20:53 <DIR> d-------- C:\Programmer\Zamaan's Software
2007-11-13 07:24 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-12 15:50 <DIR> d-------- C:\Programmer\Lavasoft
2007-11-12 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-10 16:10 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-03 13:06 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-11-03 13:03 <DIR> d-------- C:\Programmer\SuperAdBlocker.com
2007-11-03 13:03 <DIR> d-------- C:\Documents and Settings\sb\Application Data\SuperAdBlocker.com
2007-11-03 10:11 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-03 10:11 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-03 10:11 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-03 10:11 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-03 10:11 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-03 10:11 2,508 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-27 14:47 19,968 --a------ C:\WINDOWS\system32\drivers\mxnic.sys
2007-10-27 14:47 19,968 --a--c--- C:\WINDOWS\system32\dllcache\mxnic.sys
2007-10-27 06:32 <DIR> d-------- C:\Gammel Computer
2007-10-23 08:13 <DIR> d-------- C:\Programmer\K-Lite Codec Pack
2007-10-22 10:52 <DIR> d-------- C:\Programmer\ffdshow
2007-10-22 10:52 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-22 10:51 <DIR> d-------- C:\Programmer\Mp4 Player
2007-10-22 10:51 36 --a------ C:\WINDOWS\system32\m4p.dat
2007-10-12 06:46 <DIR> d-------- C:\Servicegrad1
2007-10-12 06:45 144,734 --a------ C:\SERVICEG.zip
2007-10-10 11:13 <DIR> d-------- C:\Programmer\Web Interactive Communicator
2007-10-10 11:13 <DIR> d-------- C:\Programmer\Fælles filer\Conference Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-20 14:01 --------- d-----w C:\Programmer\DYMO Label
2007-11-12 14:49 --------- d-----w C:\Programmer\Fælles filer\Wise Installation Wizard
2007-10-04 11:56 --------- d-----w C:\Programmer\Clifford Thames Limited
2007-10-03 03:20 --------- d-----w C:\Programmer\NewView
2007-10-01 17:36 --------- d-----w C:\Programmer\MSXML 6.0
2007-10-01 17:34 --------- d-----w C:\Programmer\MSBuild
2007-10-01 17:29 --------- d-----w C:\Programmer\Reference Assemblies
2007-10-01 17:27 --------- d-----w C:\Programmer\Windows Media Connect 2
2007-09-26 09:21 --------- d-----w C:\Programmer\DocBackupJRE
2007-09-26 09:21 --------- d-----w C:\Programmer\DocBackupAC
2007-09-26 09:19 --------- d-----w C:\Programmer\MsgPopupEN
2007-09-21 09:40 --------- d--h--w C:\Programmer\InstallShield Installation Information
2007-09-18 12:42 --------- d-----w C:\Documents and Settings\sb\Application Data\Logitech
2007-09-18 12:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-09-18 12:41 --------- d-----w C:\Programmer\Fælles filer\Logitech
2007-09-18 11:20 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-09-18 11:20 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-09-18 11:19 --------- d-----w C:\Programmer\Logitech
2007-09-18 11:19 --------- d-----w C:\Documents and Settings\sb\Application Data\InstallShield
2007-09-18 11:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-09-18 05:42 --------- d-----w C:\Programmer\Fælles filer\Adobe
2007-09-16 06:40 --------- d-----w C:\Programmer\BHPS
2007-09-16 06:39 --------- d-----w C:\Programmer\Fælles filer\InstallShield
2007-09-16 06:38 1,127,424 ----a-w C:\WINDOWS\system32\GEAR32PD.DLL
2007-09-16 06:38 --------- d-----w C:\Programmer\Fælles filer\BHPS
2007-09-16 06:37 --------- d-----w C:\Programmer\Java
2007-09-16 06:23 83,208 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-16 06:23 73,496 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-16 06:23 --------- d-----w C:\Programmer\Symantec
2007-09-16 06:23 --------- d-----w C:\Programmer\Fælles filer\Symantec Shared
2007-09-16 06:23 --------- d-----w C:\Documents and Settings\sb\Application Data\Symantec
2007-09-16 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-16 04:36 --------- d-----w C:\Programmer\MSXML 4.0
2007-09-15 21:03 --------- d-----w C:\Programmer\Microsoft.NET
2007-09-15 20:58 --------- d-----w C:\Programmer\Symantec_Client_Security
2007-09-15 20:34 --------- d-----w C:\Programmer\Fælles filer\Java
2007-09-15 20:23 --------- d-----w C:\Programmer\Fælles filer\SpeechEngines
2007-09-15 20:23 --------- d-----w C:\Programmer\Fælles filer\ODBC
2007-09-15 19:50 --------- d-----w C:\Programmer\Analog Devices
2007-09-15 19:47 --------- d-----w C:\Programmer\Intel
2007-09-15 19:40 --------- d-----w C:\Programmer\microsoft frontpage
2007-09-15 19:39 --------- d-----w C:\Programmer\Onlinetjenester
2007-09-15 19:38 --------- d-----w C:\Programmer\Fælles filer\Tjenester
2007-09-15 19:38 --------- d-----w C:\Programmer\Fælles filer\MSSoap
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-623A-11D4-BCDB-005004131777} REG_SZ ]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-623A-11D4-BCDB-005004131777}]
2007-07-05 17:23 188416 --a------ C:\Programmer\Web Interactive Communicator\VgIEHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 15:28]
"SoundMAX"="C:\Programmer\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 08:42]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 08:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 08:07]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"Adobe Reader Speed Launcher"="C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"zBrowser Launcher"="C:\Programmer\Logitech\iTouch\iTouch.exe" [2004-03-18 08:33]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 C:\WINDOWS\KHALMNPR.Exe]
"newAPVPR_Notify"="C:\Documents and Settings\sb\Skrivebord\CommandNotifier.exe" [2007-09-17 06:40]
"BHR"="C:\Programmer\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe" [2006-10-24 22:14]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-26 16:53]
"MSMSGS"="C:\Programmer\Messenger\msmsgs.exe" [2004-10-13 17:24]
"Mp4 Player"="C:\Programmer\Mp4 Player\mp4Player.exe" [2007-09-19 14:00]
C:\Documents and Settings\sb\Menuen Start\Programmer\Start\
Genvej til START.lnk - C:\Documents and Settings\sb\Skrivebord\START.APR [2007-09-18 07:09:16]
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Logitech SetPoint.lnk - C:\Programmer\Logitech\SetPoint\SetPoint.exe [2007-09-18 12:19:26]
MsgPopup.lnk - C:\Programmer\MsgPopupEN\MsgPopup.exe [2004-08-23 22:12:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-10-31 10:01 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
R2 Dracar Distribution Service .Net;Dracar Distribution Service .Net;c:\dracar\bin\serverupdateservice.exe
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
R3 MDNMirrorDriver;MDNMirrorDriver;C:\WINDOWS\system32\DRIVERS\MDNMirrorDriver.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Programmer\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 DracarRegGac;DracarRegGac;C:\Dracar\Util\srvany.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-11-08 20:45:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-08 20:46:25
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:51:56, on 20-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec\pcAnywhere\awhost32.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\dracar\bin\serverupdateservice.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmer\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmer\Java\jre1.6.0_02\bin\jusched.exe
C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Documents and Settings\sb\Skrivebord\CommandNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Mp4 Player\mp4Player.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\MsgPopupEN\MsgPopup.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmer\Fælles filer\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sb\Skrivebord\Hijack\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Citroen Danmark
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: CompanionHelper Class - {00000000-623A-11D4-BCDB-005004131777} - C:\Programmer\Web Interactive Communicator\VgIEHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmer\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [newAPVPR_Notify] C:\Documents and Settings\sb\Skrivebord\CommandNotifier.exe
O4 - HKLM\..\Run: [BHR] C:\Programmer\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mp4 Player] "C:\Programmer\Mp4 Player\mp4Player.exe" hmw
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Genvej til START.lnk = C:\Documents and Settings\sb\Skrivebord\START.APR
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MsgPopup.lnk = C:\Programmer\MsgPopupEN\MsgPopup.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://public.service.citroen.com
O15 - Trusted Zone: PORTAIL AC
O15 - Trusted Zone: http://estim.citroen.inetpsa.com
O15 - Trusted Zone: http://estim.peugeot.inetpsa.com
O15 - Trusted Zone: http://networkservice.citroen.inetpsa.com
O15 - Trusted Zone: http://public.service.citroen.inetpsa.com
O15 - Trusted Zone: http://public.servicebox.peugeot.inetpsa.com
O15 - Trusted Zone: http://service.citroen.inetpsa.com
O15 - Trusted Zone: http://servicebox.peugeot.inetpsa.com
O15 - Trusted Zone: PORTAIL AP
O16 - DPF: {14B1C266-7BC8-46AC-8E3D-5828F52B7506} (CACSecurity.SecurityClass) - http://katalog.onlineautodele.dk/CACSecurity.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Programmer\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Dracar Distribution Service .Net - - c:\dracar\bin\serverupdateservice.exe
O23 - Service: DracarRegGac - Unknown owner - C:\Dracar\Util\srvany.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6586 bytes