Member Panel

Remember me ?

Forgot password?   

Sponsors and Ads

Join the Team

Live Tag Cloud
PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » HijackThis newbie but need some help on trojan/malware issues

[Fixed] Hijackthis! Logs - HijackThis newbie but need some help on trojan/malware issues posted in the Security & Safety forums; Hi all. I have never used HiJackThis before but below is a scan. Having some trojan/malware issues. Any information anyone can give is greatly appreciated. I have run Spy Sweeper, ...

JOIN US NOW to remove these Ads

Post New Thread  Reply
Page 1 of 2 1 2 >
  #1  
Old 02-23-2008
smarley's Avatar
Bronze Member
  
Join Date: Feb 2008
Posts: 6
PC Experience: Some Experience
smarley - See this Members User comments on their Profile page
Default HijackThis newbie but need some help on trojan/malware issues
Hi all. I have never used HiJackThis before but below is a scan. Having some trojan/malware issues. Any information anyone can give is greatly appreciated.
I have run Spy Sweeper, Panda AV, and RegCure but still getting some pop-ups and other items going on.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:52:21 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 5300 Series\lxdkmon.exe
C:\Program Files\Lexmark 5300 Series\lxdkamon.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdkser v.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Marley\Desktop\HiJackThis_v2.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\psimreal.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - (no file)
O2 - BHO: (no name) - {340B73C1-1A8E-41E9-A045-ABAF74233086} - C:\WINDOWS\system32\iifef.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\s wg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe " -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdkmon.exe] "C:\Program Files\Lexmark 5300 Series\lxdkmon.exe"
O4 - HKLM\..\Run: [lxdkamon] "C:\Program Files\Lexmark 5300 Series\lxdkamon.exe"
O4 - HKLM\..\Run: [Lexmark 5300 Series Fax Server] "C:\Program Files\Lexmark 5300 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [7c00cdb3] rundll32.exe "C:\WINDOWS\system32\ligbetiu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179596415040
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1179796079314
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://interact.ccsd.net/ClientDownloads/fcplugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O20 - Winlogon Notify: tuvwuut - tuvwuut.dll (file missing)
O21 - SSODL: zip - {0015a8f0-965c-41a9-b3df-6ea65b73f378} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkse rv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 11325 bytes
  #2  
Old 02-24-2008
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,055
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: HijackThis newbie but need some help on trojan/malware issues
You have a couple of trojans to remove...


Please download SDFix from here and save it to your desktop

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Post that log in your next reply.

=========================================

Please download Combofix from any of the links below, and save it to your desktop. For further information regarding this download you can see this on this Information Page

Combofix Link 1
Combofix Link 2
Combofix Link 3

**Note: It is important that it is saved directly to your desktop**
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Caution...Never run and remove files using ComboFix without being supervised by a security analyst.


__________________
  • An Australian Member of
  • and
My real name is Eddy
  #3  
Old 02-24-2008
smarley's Avatar
Bronze Member
  
Join Date: Feb 2008
Posts: 6
PC Experience: Some Experience
smarley - See this Members User comments on their Profile page
Default Re: HijackThis newbie but need some help on trojan/malware issues
First off...Thanks for helping me. Below are the scans you asked for. I will tell you after running the sdfix I am still having pop-ups as soon as i fire up the internet though.

HiJackThis report:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:49, on 2008-02-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdkser v.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\ApvxdWin.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 5300 Series\lxdkmon.exe
C:\Program Files\Lexmark 5300 Series\lxdkamon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Panda Security\Panda Antivirus 2008\avciman.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\psimreal.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Marley\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\s wg.dll
O2 - BHO: (no name) - {CF560088-184B-4407-B79D-A4F108736C38} - C:\WINDOWS\system32\iifef.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe " -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdkmon.exe] "C:\Program Files\Lexmark 5300 Series\lxdkmon.exe"
O4 - HKLM\..\Run: [lxdkamon] "C:\Program Files\Lexmark 5300 Series\lxdkamon.exe"
O4 - HKLM\..\Run: [Lexmark 5300 Series Fax Server] "C:\Program Files\Lexmark 5300 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179596415040
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1179796079314
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://interact.ccsd.net/ClientDownloads/fcplugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O20 - Winlogon Notify: tuvwuut - tuvwuut.dll (file missing)
O21 - SSODL: zip - {0015a8f0-965c-41a9-b3df-6ea65b73f378} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkse rv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 11246 bytes


SDFix report:



SDFix: Version 1.144
Run by Marley on 2008-02-23 at 16:21
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Checking Files:
No Trojan Files Found



Removing Temp Files...
ADS Check:


Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 16:33:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\ \system32\\sessmgr.exe:*isabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Hexacto Games\\Lemonade Tycoon\\Lemonade.exe"="C:\\Program Files\\Hexacto Games\\Lemonade Tycoon\\Lemonade.exe:*:Enabled:Lemonade"
"C:\\Program Files\\Yahoo! Games\\Lemonade Tycoon 2\\Lemonade2.exe"="C:\\Program Files\\Yahoo! Games\\Lemonade Tycoon 2\\Lemonade2.exe:*:Enabled:Lemonade2"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\ \Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Ena bled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Progra m Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Ya hoo! FT Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\lxdkcoms.exe"="C:\\WINDOWS \\system32\\lxdkcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"="C:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Program Files\\Lexmark 5300 Series\\frun.exe"="C:\\Program Files\\Lexmark 5300 Series\\frun.exe:*:Enabled:Lexmark Productivity Studio"
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"="C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe:*:Enabled:ABBYY FineReader"
"C:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"="C:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe:*:Enabled:Printer Device Monitor"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdkpswx.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdkpswx.exe:*:Enabled:Printer Status Window Interface"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdktime.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdktime.exe:*:Enabled:Lexmark Connect Time Executable"
"C:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe"="C:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe:*:Enabled:Fax Solutions Software"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdkjswx.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdkjswx.exe:*:Enabled:Job Status Window Interface"
"C:\\WINDOWS\\TEMP\\winB.exe"="C:\\WINDOWS\\TEMP\\ winB.exe:*:Enabled:winB"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:

Files with Hidden Attributes:
Thu 29 Aug 2002 1,511,453 A..H. --- "C:\Program Files\Null\msmsgs.exe"
Sun 6 Aug 2000 28,738 ...H. --- "C:\I386\Office10\MSDE2000\SQLRESLD.DLL"
Tue 15 Nov 2005 78,104 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Tue 15 Nov 2005 12,912 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Mon 24 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
Fri 12 Nov 2004 37,376 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 11 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc261 2ebcefc90e7dee4c276ee95e\BIT2.tmp"
Mon 21 May 2007 1,667,488 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\BIT1.tmp"
Finished!
  #4  
Old 02-24-2008
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,055
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: HijackThis newbie but need some help on trojan/malware issues
I still need the Combofix log please.


__________________
  • An Australian Member of
  • and
My real name is Eddy
  #5  
Old 02-24-2008
smarley's Avatar
Bronze Member
  
Join Date: Feb 2008
Posts: 6
PC Experience: Some Experience
smarley - See this Members User comments on their Profile page
Default Re: HijackThis newbie but need some help on trojan/malware issues
Sorry about that....Here it is.

ComboFix 08-02-24.2 - Marley 2008-02-23 17:17:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.143 [GMT -8:00]
Running from: C:\Documents and Settings\Marley\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\smarley\Application Data\Install.dat
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\fefii.ini
C:\WINDOWS\system32\fefii.ini2
C:\WINDOWS\system32\iifef.dll
C:\WINDOWS\system32\irmavdcn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ovxejttd.dll
C:\WINDOWS\system32\pfsyoxxs.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_IPRIP
-------\Iprip

((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.
2008-02-23 15:47 . 2008-02-23 15:47 <DIR> d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Webroot
2008-02-23 12:14 . 2008-02-23 12:59 414 --ahs---- C:\WINDOWS\system32\uitebgil.ini
2008-02-23 08:47 . 2008-02-23 08:47 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Webroot
2008-02-23 08:47 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-23 08:47 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-23 08:47 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-23 08:47 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-23 08:46 . 2008-02-23 08:46 <DIR> d-------- C:\Program Files\Webroot
2008-02-23 08:46 . 2008-02-23 08:46 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\Webroot
2008-02-23 08:46 . 2008-02-23 08:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Webroot
2008-02-23 08:46 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-02-22 17:52 . 2008-02-22 17:52 73 --a------ C:\WINDOWS\EurekaLog.ini
2008-02-22 16:06 . 2008-02-22 15:56 178,872 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2008-02-22 16:06 . 2008-02-22 15:56 38,968 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2008-02-22 15:48 . 2008-02-22 15:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\sentinel
2008-02-22 15:47 . 2007-09-28 13:24 83,896 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2008-02-22 15:47 . 2008-02-22 15:47 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-02-22 15:46 . 2008-02-22 15:54 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-02-22 15:45 . 2008-02-22 15:45 <DIR> d-------- C:\Program Files\Panda Security
2008-02-22 15:45 . 2007-03-15 18:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-02-22 15:45 . 2007-02-15 20:02 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2008-02-21 20:25 . 2008-02-22 16:06 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-02-21 20:14 . 2008-02-22 15:45 <DIR> d-------- C:\Program Files\Exterminate It!
2008-02-21 19:59 . 2008-02-22 15:41 2,154 --ahs---- C:\WINDOWS\system32\ilrqlsfk.ini
2008-02-21 18:58 . 2008-02-21 19:53 1,854 --ahs---- C:\WINDOWS\system32\gkaiisau.ini
2008-02-21 03:59 . 2008-02-21 03:59 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\Grisoft
2008-02-21 03:59 . 2008-02-21 03:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-02-20 22:21 . 2008-02-20 22:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-20 22:16 . 2008-02-23 16:40 <DIR> d-------- C:\SDFix
2008-02-20 22:11 . 2008-02-20 22:11 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\Uniblue
2008-02-20 19:35 . 2008-02-20 20:58 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-20 19:35 . 2008-02-20 19:35 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-20 19:35 . 2008-02-20 19:35 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-20 19:35 . 2008-02-20 19:35 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-20 19:18 . 2008-02-20 19:28 <DIR> d-------- C:\Program Files\RegCure
2008-02-20 19:12 . 2008-02-22 15:16 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-02-20 17:28 . 2008-02-21 18:47 1,734 --ahs---- C:\WINDOWS\system32\vofgpnik.ini
2008-02-20 16:50 . 2007-11-20 17:43 <DIR> d-------- C:\Documents and Settings\Administrator.MARLEY-5QZH6UQH\Application Data\Apple Computer
2008-02-19 20:24 . 2008-02-23 10:30 <DIR> d-------- C:\Program Files\WinXProtector
2008-02-19 20:24 . 2008-02-19 20:45 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\WinXProtector
2008-02-19 06:14 . 2008-02-20 17:10 1,074 --ahs---- C:\WINDOWS\system32\srerjsyw.ini
2008-02-10 14:55 . 2008-02-10 14:55 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\Lexmark Productivity Studio
2008-02-10 14:54 . 2008-02-10 14:54 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\5300 Series
2008-02-10 14:53 . 2008-02-13 05:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Lx_cats
2008-02-10 14:53 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-10 14:53 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-10 14:53 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-10 14:53 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-10 14:53 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-10 14:53 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-02-10 14:52 . 2008-02-10 14:52 <DIR> d-------- C:\logs
2008-02-10 14:50 . 2006-07-31 17:53 40,960 --a------ C:\WINDOWS\system32\lxdkvs.dll
2008-02-10 14:48 . 2007-05-03 07:50 348,160 --a------ C:\WINDOWS\system32\lxdkcoin.dll
2008-02-10 14:47 . 2007-05-22 09:22 692,224 --a------ C:\WINDOWS\system32\lxdkdrs.dll
2008-02-10 14:47 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-02-10 14:47 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-02-10 14:47 . 2007-02-14 06:35 69,632 --a------ C:\WINDOWS\system32\lxdkcnv4.dll
2008-02-10 14:47 . 2007-05-22 02:10 65,536 --a------ C:\WINDOWS\system32\lxdkcaps.dll
2008-02-10 14:47 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-10 14:47 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-10 14:46 . 2008-02-10 14:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\5300 Series
2008-02-10 14:46 . 2006-06-02 09:12 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2008-02-10 14:46 . 2006-06-02 09:12 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2008-02-10 14:46 . 2006-06-02 09:12 98,304 --a------ C:\WINDOWS\system32\IM31XPNG.DEL
2008-02-10 14:46 . 2007-04-09 02:59 69,632 --a------ C:\WINDOWS\system32\lxdkoem.dll
2008-02-10 14:46 . 2006-06-02 09:12 69,632 --a------ C:\WINDOWS\system32\IM31XTIF.DEL
2008-02-10 14:46 . 2006-06-02 09:12 49,152 --a------ C:\WINDOWS\system32\IM31IMG.DIL
2008-02-10 14:46 . 2007-05-31 18:06 45,056 --a------ C:\WINDOWS\system32\LXDKPMON.DLL
2008-02-10 14:46 . 2007-05-31 18:05 32,768 --a------ C:\WINDOWS\system32\LXDKFXPU.DLL
2008-02-10 14:44 . 2008-02-10 14:45 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-10 14:42 . 2007-01-07 20:49 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-10 14:35 . 2007-01-21 20:53 60 --a------ C:\WINDOWS\system32\lxdkrwrd.ini
2008-02-10 14:33 . 2008-02-10 14:58 <DIR> d-------- C:\Program Files\Lexmark 5300 Series
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-02-23 00:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-22 23:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 23:40 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-02-08 14:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-28 00:31 --------- d-----w C:\Program Files\Yahoo! Games
2008-01-24 14:15 --------- d-----w C:\Program Files\iTunes
2008-01-24 14:15 --------- d-----w C:\Program Files\iPod
2008-01-24 14:13 --------- d-----w C:\Program Files\QuickTime
2008-01-22 22:54 --------- d-----w C:\Documents and Settings\Marley\Application Data\Jane s Hotel
2008-01-22 18:14 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\HipSoft
2008-01-20 01:44 --------- d-----w C:\Program Files\Apple Software Update
2008-01-15 17:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 13:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-13 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-06 01:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallShield
2008-01-05 18:05 911,093 ----a-w C:\WINDOWS\Prison Tycoon 2 Uninstaller.exe
2008-01-05 18:02 --------- d-----w C:\Program Files\Common Files\Thraex Software
2008-01-05 17:40 --------- d-----w C:\Program Files\Prison Tycoon 2
2007-11-01 23:48 21,408 ----a-w C:\Documents and Settings\Marley\Application Data\GDIPFONTCACHEV1.DAT
2005-08-06 04:42 50,152 ----a-w C:\Documents and Settings\smarley\Application Data\GDIPFONTCACHEV1.DAT
2007-05-21 23:33 3,490,848 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-05-21 23:33 64,544 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))) ))))))))
.
----a-w 313,472 2006-03-30 22:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 143,360 2002-08-23 00:28:14 C:\Program Files\Apoint\bak\Apoint.exe
----a-w 294,912 2003-01-03 22:00:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
----a-w 47,888 1999-10-12 11:50:00 C:\Program Files\IBM\Client Access\bak\cwbckver.exe
----a-w 15,632 1999-10-12 11:50:00 C:\Program Files\IBM\Client Access\bak\cwbinhlp.exe
----a-w 6,928 1999-10-12 11:50:00 C:\Program Files\IBM\Client Access\bak\CwbSvStr.Exe
----a-w 86,016 2002-12-18 19:20:42 C:\Program Files\Intel\NCS\PROSet\bak\PRONoMgr.exe
----a-w 135,168 2005-06-27 15:31:14 C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
----a-w 256,576 2006-10-30 15:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-01-15 11:22:56 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 32,881 2004-02-23 04:44:44 C:\Program Files\Java\j2re1.4.2_04\bin\bak\jusched.exe
----a-w 1,196,032 2005-06-01 00:37:16 C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe
----a-w 5,181,440 2007-03-07 05:06:56 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe
----a-w 282,624 2006-10-26 00:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-01-10 23:27:36 C:\Program Files\QuickTime\QTTask.exe
----a-w 684,032 2002-12-17 17:28:00 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-07-13 17:54 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"CARPService"="carpserv.exe" [2002-10-17 08:54 4608 C:\WINDOWS\system32\carpserv.exe]
"ZCfgSvc.exe"="C:\WINDOWS\System32\ZCfgSvc.exe " [2005-07-05 00:32 639040]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 07:31 135168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\i suspm.exe" [2004-04-17 21:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 15:07 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"lxdkmon.exe"="C:\Program Files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-21 19:17 455344]
"lxdkamon"="C:\Program Files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 00:06 20480]
"Lexmark 5300 Series Fax Server"="C:\Program Files\Lexmark 5300 Series\fm3032.exe" [2007-06-21 19:18 307888]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2005-07-05 00:33 188482 C:\WINDOWS\system32\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwuut]
tuvwuut.dll
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\lxdkcoms.exe"=
"C:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"=
"C:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"C:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdkpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdktime.exe"=
"C:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdkjswx.exe"=
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2008-02-22 15:56]
R2 lxdk_device;lxdk_device;C:\WINDOWS\system32\lxdkco ms.exe [2007-06-14 00:15]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectServ ice;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lx dkserv.exe [2007-06-14 00:15]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2008-02-22 15:56]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-03 23:56]
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2002-11-08 10:13]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-22 20:14:50 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-24 01:26:39 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-23 16:42:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-23 21:00:04 C:\WINDOWS\Tasks\wrSpySweeper_L009F5D01753E4B3198D B8BDCD3D34BD8.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L009F5D01753E4B3198DB8B DCD3D34BD8
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
************************************************** ************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 17:28:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdkser v.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\ApvxdWin.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
************************************************** ************************
.
Completion time: 2008-02-23 17:36:58 - machine was rebooted [Marley]
ComboFix-quarantined-files.txt 2008-02-24 01:36:52
.
2008-02-14 05:08:07 --- E O F ---
  #6  
Old 02-24-2008
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,055
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: HijackThis newbie but need some help on trojan/malware issues
We need to install your Recovery Console first.
Go to Microsoft's website => How to obtain Windows XP Setup boot disks
Select the download that's appropriate for your Operating System


Download the file & save it as its originally named, next to ComboFix.exe.



Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until we have reviewed the log.

Download the file & save it as it's originally named, next to the ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
<