
iexplore.exe malware - can't remove

Discussion in 'Malware and Virus Removal Archive' started by jimw, 2007/10/24.

  1. 2007/10/24
    jimw

    I am trying to remove some malware from a friend's system. I've been running AVG Free and Ad-Aware and have cleaned up some of the 27 detected viruses, including following a detailed procedure to remove Brave Sentry. I can't seem to get rid of one that causes an iexplore.exe process to run continuously. This process cannot be killed from Task Manager.

    Here is the hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 7:30:57 PM, on 10/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Justina\Desktop\HiJackThis_v2.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.*
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1FF77FFA-BCBA-444F-B702-FE42E226AAE1} - C:\Program Files\Online Services\mevozuge83122.dll
    O2 - BHO: (no name) - {48961266-0172-4D24-A917-7B4E58860BBD} - C:\WINDOWS\system32\pmnnm.dll
    O2 - BHO: (no name) - {70e95d08-4c40-47b0-9be2-76b55a2fd232} - C:\WINDOWS\system32\wubbdsc.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: (no name) - {86882CA4-BE70-4BCE-AEA5-CF40EB8E0BC3} - C:\WINDOWS\system32\ljjgfcd.dll
    O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll
    O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {BD9B3875-A0CD-A863-EA5B-FE8A42F82BC9} - C:\WINDOWS\system32\bfabbz.dll
    O2 - BHO: IKatzu Class - {EA5159DF-E413-4878-8AE2-D921D41BB942} - C:\WINDOWS\system32\bkinrgjm.dll
    O2 - BHO: (no name) - {EE9F3B70-A5C4-AF6C-BD5B-FE8A42F828C9} - C:\WINDOWS\system32\nrudoa.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe "
    O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe "
    O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe "
    O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe "
    O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
    O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
    O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
    O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Justina\LOCALS~1\Temp\frmwrk.exe
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [{E4-40-0E-E1-ZN}] c:\windows\system32\kldsrngs.exe CHD001
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
    O4 - HKCU\..\Run: [Rtnc] "C:\DOCUME~1\Justina\APPLIC~1\PPATCH~1\notepad.exe" -vt yazb
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - HKCU\..\Run: [Bjaz] C:\WINDOWS\system32\s?mbols\l?gonui.exe
    O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe
    O4 - HKCU\..\Run: [Wtba] "C:\DOCUME~1\Justina\APPLIC~1\MCROSO~1\regsvr32.exe" -vt yazb
    O4 - HKCU\..\Run: [ISMPack8] "C:\Program Files\ISM2\ISMPack8.exe "
    O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe "
    O4 - HKCU\..\Run: [Ndbqtvf] "C:\Program Files\??curity\?hkdsk.exe "
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kldsrngs.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.crsdata.net/maps/install/mgaxctrlv65.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167968109808
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181932076109
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://realfocus.kaarmls.com/includes/Cabs/AurigmaImageUploader/3.5/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B5F1785C-9C6A-4D93-B80D-5BB923CEDDE9}: NameServer = 66.92.64.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{7E6E3488-724C-46E7-B142-AF567E32B2A5}: NameServer = 66.92.64.2
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
    O20 - Winlogon Notify: ljjgfcd - C:\WINDOWS\SYSTEM32\ljjgfcd.dll
    O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    --
    End of file - 9327 bytes


    Any help is appreciated.

    Jim
     
    jimw,
    #1
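    The log above is a HijackThis report, and the entries a responder looks at first are the persistence points: the F2 Userinit chain, the O20 AppInit_DLLs and Winlogon Notify lines, unnamed O2 BHOs, and O4 Run entries that point at Temp or at names containing characters HijackThis cannot display (shown as `?`). The following Python script is an added example, not code from the thread, from HijackThis or from the tools the helper recommends: it parses log lines in that format and flags those patterns. The sample lines are taken from the log posted above; the flagging rules are the editor's own triage heuristics, not anything HijackThis itself applies.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Sample input: a subset of entries taken from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.*
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48961266-0172-4D24-A917-7B4E58860BBD} - C:\WINDOWS\system32\pmnnm.dll
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Justina\LOCALS~1\Temp\frmwrk.exe
O4 - HKCU\..\Run: [Bjaz] C:\WINDOWS\system32\s?mbols\l?gonui.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
"""

# Every HijackThis entry starts with a section code such as R1, F2, O4 or O20.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, original line) for each well-formed entry."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def triage(text):
    """Return a Finding for every entry matching the heuristics below (editor's own rules)."""
    findings = []
    for section, body, raw in parse_entries(text):
        reasons = []
        if section == "F2" and "UserInit=" in body:
            # Userinit should be a single userinit.exe; anything else in the
            # comma-separated list is launched at every interactive logon.
            exes = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            if len(exes) > 1:
                reasons.append("extra executable chained into Userinit")
        elif section == "O20":
            if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs populated: DLL loaded into every process that uses user32")
            elif body.startswith("Winlogon Notify:"):
                target = body.split(" - ", 1)[1].lower() if " - " in body else ""
                if "(file missing)" in target:
                    reasons.append("Winlogon Notify entry points at a missing DLL")
                elif not target.startswith(r"c:\windows\system32"):
                    reasons.append("Winlogon Notify DLL outside system32")
        elif section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("Browser Helper Object with no name")
        elif section == "O4":
            target = body.split("]", 1)[1] if "]" in body else body
            if "?" in target:
                reasons.append("undisplayable character in a path that mimics a system file name")
            if re.search(r"\\temp\\", target, re.IGNORECASE):
                reasons.append("autorun target lives in a Temp directory")
        findings.extend(Finding(section, r, raw) for r in reasons)
    return findings


def by_section(findings):
    """Count findings per section code, e.g. {'O4': 2}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

    Run on the sample, the script leaves the Adobe BHO and the ctfmon.exe entry alone and reports seven findings, three of them on the O20 lines; those are the entries that explain why an iexplore.exe keeps respawning and why Task Manager cannot kill it, since the loader sits in the logon path rather than in the browser process itself. The heuristics are deliberately narrow (location, missing file, undisplayable characters, chained Userinit) so that a clean machine produces no output.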
  2. 2007/10/24
    noahdfear

    Welcome to WindowsBBS Jim :)

    HijackThis needs to be placed in a more appropriate location. Either create a new folder and move HijackThis.exe to it, or delete the copy you have and download the HijackThis Installer from here, then install it.

    Please run all of the following in normal mode.

    Download VundoFix by Atribune, saving it to your desktop.

    Download ComboFix by sUBs from here, saving the file to your desktop.

    • Close all open windows and programs.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    When complete,
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log, the C:\VundoFix.txt log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2007/10/24
    jimw

    Thanks for your prompt response. The system is not operational in normal mode. It never gets to the start menu, only displays blue background with icons, and even that takes a very long time. Can I run these additional tools from safe mode?

    Jim
     
    jimw,
    #3
  5. 2007/10/24
    noahdfear

    Run ComboFix from safe mode, then see if it will boot to normal mode.
     
  6. 2007/10/24
    jimw

    I properly installed HJT.

    Then I ran ComboFix from safe mode. This seemed to complete properly, then it rebooted the system into normal mode. It then said "preparing log report". I then got a Windows error dialogue "noskrnl.exe has encountered a problem and needs to close...". ComboFix then seemed to complete properly and created the log file.

    I then ran VundoFix. It completed and reported "no infected files found".

    Then ran HJT.

    Here are the 3 logs:

    ComboFix 07-10-23.2 - Justina 2007-10-24 22:42:54.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.113 [GMT -4:00]
    Running from: C:\Documents and Settings\Justina\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users.\documents\settings\bot.dll
    C:\Documents and Settings\All Users.\documents\settings\desktop.ini
    C:\Documents and Settings\Justina\Application Data\MCROSO~1
    C:\Documents and Settings\Justina\Application Data\MCROSO~1\M?crosoft\
    C:\Documents and Settings\Justina\Application Data\MCROSO~1\regsvr32.exe
    C:\Documents and Settings\Justina\Application Data\microsoft\internet explorer\Desktop.htt
    C:\Documents and Settings\Justina\Application Data\PPATCH~1
    C:\Documents and Settings\Justina\Application Data\PPATCH~1\??pPatch\
    C:\Documents and Settings\Justina\Application Data\PPATCH~1\notepad.exe
    C:\Documents and Settings\Justina\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\Justina\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\Justina\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Documents and Settings\Justina\Start Menu\Programs\Startup\TA_Start.lnk
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
    C:\Program Files\curity~1
    C:\Program Files\curity~1\?hkdsk.exe
    C:\Program Files\ISM
    C:\Program Files\ISM\BndDrive7.dll
    C:\Program Files\ISM\dictionary.gz
    C:\Program Files\ISM\ISMModule8.exe
    C:\Program Files\ISM\targets.gz
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\ISM2
    C:\Program Files\ISM2\cringupd.exe
    C:\Program Files\ISM2\dictionary.gz
    C:\Program Files\ISM2\ISMPack6.exe
    C:\Program Files\ISM2\ISMPack7.exe
    C:\Program Files\ISM2\ISMPack8.exe
    C:\Program Files\ISM2\targets.gz
    C:\Program Files\Online Services\mevozuge83122.dll
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\OiUninstaller.exe
    C:\Program Files\outerinfo\outerinfo.ico
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\Temporary
    C:\Program Files\Temporary\wininstall.exe
    C:\Program Files\web buying
    C:\Program Files\web buying\v1.8.5\wbuninst.exe
    C:\Program Files\web buying\v1.8.5\webbuying.exe
    C:\Program Files\WinAble
    C:\Program Files\WinAble\winable.exe
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\fCOe
    C:\Temp\fCOe\tOasF.log
    C:\temp\tn3
    C:\WINDOWS\b122.exe
    C:\WINDOWS\spoolzv.exe
    C:\WINDOWS\system32\13591264041.dll
    C:\WINDOWS\system32\8_exception.nls
    C:\WINDOWS\system32\away.exe.exe
    C:\WINDOWS\system32\b2
    C:\WINDOWS\system32\b2\bc12wv.exe
    C:\WINDOWS\system32\bfabbz.dll
    C:\WINDOWS\system32\dllh8jkd1q1.exe
    C:\WINDOWS\system32\dllh8jkd1q2.exe
    C:\WINDOWS\system32\dllh8jkd1q5.exe
    C:\WINDOWS\system32\dllh8jkd1q6.exe
    C:\WINDOWS\system32\dllh8jkd1q7.exe
    C:\WINDOWS\system32\dllh8jkd1q8.exe
    C:\WINDOWS\system32\drivers\asc3550p.sys
    C:\WINDOWS\system32\drivers\Dkl50.sys
    C:\WINDOWS\system32\drivers\KQXB62.sys
    C:\WINDOWS\system32\drivers\runtime2.sys
    C:\WINDOWS\system32\drivers\symavc32.sys
    C:\WINDOWS\system32\dwdsrngt.exe
    C:\WINDOWS\system32\kernelw.sys
    C:\WINDOWS\system32\kernelwind32.exe
    C:\WINDOWS\system32\kldsrngs.exe
    C:\WINDOWS\system32\kr_done1
    C:\WINDOWS\system32\ldcore.dll
    C:\WINDOWS\system32\ldinfo.ldr
    C:\WINDOWS\system32\ljjgfcd.dll
    C:\WINDOWS\system32\m1ax1d1213216143v.exe
    C:\WINDOWS\system32\mnnmp.ini
    C:\WINDOWS\system32\mnnmp.ini2
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\mstaskmgr.exe
    C:\WINDOWS\system32\newmaxxsv234.exe
    C:\WINDOWS\system32\noskrnl.sys
    C:\WINDOWS\system32\nrudoa.dll
    C:\WINDOWS\system32\oTt06e
    C:\WINDOWS\system32\oTt06e\oTt06e1083.exe
    C:\WINDOWS\system32\oTt08e
    C:\WINDOWS\system32\oTt08e\oTt08e1099.exe
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pmnnm.dll
    C:\WINDOWS\system32\qwinmlds.exe
    C:\WINDOWS\system32\smbols~1
    C:\WINDOWS\system32\smbols~1\l?gonui.exe
    C:\WINDOWS\system32\vedxg4am1et2.exe
    C:\WINDOWS\system32\vedxg6ame4.exe
    C:\WINDOWS\system32\vedxga1me4t1.exe
    C:\WINDOWS\system32\vedxga3me2.exe
    C:\WINDOWS\system32\vedxga4m1et4.exe
    C:\WINDOWS\system32\vedxga4me1.exe
    C:\WINDOWS\system32\vedxga5me3.exe
    C:\WINDOWS\system32\vx.tll
    C:\WINDOWS\system32\wcpisvcc.exe
    C:\WINDOWS\system32\wubbdsc.dll
    C:\WINDOWS\system32\x8
    C:\WINDOWS\system32\x8\zysmd18.exe
    C:\WINDOWS\system32\zxdnt3d.cfg
    C:\WINDOWS\tsitra1000106.exe
    C:\WINDOWS\tsitra27.exe
    C:\WINDOWS\tsitra77.exe
    C:\WINDOWS\uninstall_nmon.vbs
    C:\windows\xpupdate.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_ASC3550P
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_DRIVER
    -------\LEGACY_KQXB62
    -------\LEGACY_NETWORK_MONITOR
    -------\LEGACY_RUNTIME2
    -------\asc3550p


    ((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
    .

    2007-10-24 22:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-24 22:33 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-24 20:23 <DIR> d-------- C:\~ErdUserProfile.$$$
    2007-10-24 17:26 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-10-24 16:48 0 --a------ C:\WINDOWS\nsreg.dat
    2007-10-24 13:59 290,816 --a--c--- C:\WINDOWS\system32\dllcache\adsiis51.dll
    2007-10-24 13:59 43,520 --a--c--- C:\WINDOWS\system32\dllcache\admwprox.dll
    2007-10-24 13:59 20,540 --a--c--- C:\WINDOWS\system32\dllcache\author.dll
    2007-10-24 13:59 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll
    2007-10-24 13:59 16,439 --a--c--- C:\WINDOWS\system32\dllcache\admin.exe
    2007-10-24 13:50 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
    2007-10-24 11:07 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
    2007-10-24 11:07 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
    2007-10-24 11:07 13,312 --a------ C:\WINDOWS\system32\irclass.dll
    2007-10-24 11:07 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
    2007-10-23 15:58 <DIR> d-------- C:\Program Files\Lavasoft
    2007-10-23 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-23 15:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-23 15:04 <DIR> d-------- C:\Documents and Settings\Justina\Application Data\AVG7
    2007-10-23 10:04 31,094 --a------ C:\WINDOWS\system32\center2.exe
    2007-10-23 10:01 <DIR> d--hs---- C:\WINDOWS\system32\wsnpoem
    2007-10-23 10:01 226,166 --a------ C:\WINDOWS\system32\center.exe
    2007-10-23 09:59 89,899 --a------ C:\WINDOWS\noskrnl.exe
    2007-10-23 09:54 <DIR> d-------- C:\Program Files\Rabio
    2007-10-23 09:53 17,408 --a------ C:\psapi.dll
    2007-10-23 09:52 880,968 --a------ C:\WINDOWS\system32\RabioSetup.exe
    2007-10-23 09:52 294,668 --a------ C:\WINDOWS\frexup3.exe
    2007-10-23 09:52 13,824 --a------ C:\WINDOWS\plite731.exe
    2007-10-23 09:52 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
    2007-10-23 09:51 <DIR> d--hs---- C:\WINDOWS\SnVzdGluYSA
    2007-10-23 09:51 425,984 --a------ C:\WINDOWS\system32\bkinrgjm.dll
    2007-10-23 09:51 118,784 --a------ C:\WINDOWS\system32\artchker.exe
    2007-10-23 09:51 45,056 --a------ C:\WINDOWS\system32\katzppd.exe
    2007-10-23 09:51 45,056 --a------ C:\WINDOWS\system32\katzpdsbt.exe
    2007-10-23 09:51 44,922 --a------ C:\WINDOWS\system32\IKatzuUninstall.exe
    2007-10-23 09:51 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
    2007-10-23 09:50 <DIR> d-------- C:\WINDOWS\system32\tp2
    2007-10-23 09:50 <DIR> d-------- C:\WINDOWS\system32\oz3
    2007-10-23 09:50 <DIR> d-------- C:\WINDOWS\system32\fix1
    2007-10-23 09:50 <DIR> d-------- C:\WINDOWS\system32\cac2
    2007-10-23 09:50 <DIR> d-------- C:\Temp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-08-29 07:11 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\SnVzdGluYSA\mBpWx35RsmE.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5159DF-E413-4878-8AE2-D921D41BB942}]
    2007-10-23 09:51 425984 --a------ C:\WINDOWS\system32\bkinrgjm.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AAWTray "= "C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
    "GrooveMonitor "= "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
    "winload "= "C:\Program Files\Internet Explorer\winload.exe" [2007-10-23 09:56]
    "plite731 "= "C:\WINDOWS\plite731.exe" [2007-10-23 09:52]
    "IndexTray "= "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" [2005-11-05 21:32]
    "SharpTray "= "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [2005-11-05 21:47]
    "FtpServer.exe "= "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" [2005-11-05 21:04]
    "Indexer "= "C:\Program Files\Sharp\Sharpdesk\Indexer.exe" [2005-11-05 21:34]
    "TypeRegChecker "= "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe" [2005-11-05 21:35]
    "Acrobat Assistant 7.0 "= "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Ndbqtvf "= "C:\Program Files\??curity\?hkdsk.exe" []
    "ISMModule8 "= "C:\Program Files\ISM\ISMModule8.exe" []
    "ArtChk "= "C:\WINDOWS\system32\artchker.exe" [2007-10-23 09:51]
    "Rtnc "= "C:\DOCUME~1\Justina\APPLIC~1\PPATCH~1\notepad.exe" []
    "ISMPack8 "= "C:\Program Files\ISM2\ISMPack8.exe" []
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]
    "Bjaz "= "C:\WINDOWS\system32\s?mbols\l?gonui.exe" []
    "Wtba "= "C:\DOCUME~1\Justina\APPLIC~1\MCROSO~1\regsvr32.exe" []
    "noskrnl "= "C:\WINDOWS\noskrnl.exe" [2007-10-23 09:58]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop "=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop "=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit "= "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwea32]
    winwea32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\pmnnm.dll


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a43ceec8-9c75-11db-9391-000475c7e893}]
    AutoRun\command - F:\SETUP.EXE
    configure\command - F:\SETUP.EXE
    install\command - F:\SETUP.EXE

    *Newly Created Service* - SHAREDACCESS
    .
    **************************************************************************

    catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-24 23:04:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-10-24 23:08:48 - machine was rebooted
    .
    --- E O F ---

    =====================================================



    VundoFix V6.5.10

    Checking Java version...

    Scan started at 11:15:42 PM 10/24/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    =====================================================

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:34:59 PM, on 10/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Internet Explorer\winload.exe
    C:\WINDOWS\plite731.exe
    C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
    C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
    C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
    C:\Program Files\Sharp\Sharpdesk\Indexer.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sharp\Sharpdesk\nsapp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\update\update.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.*;192.168.0.*
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: IKatzu Class - {EA5159DF-E413-4878-8AE2-D921D41BB942} - C:\WINDOWS\system32\bkinrgjm.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe "
    O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe "
    O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
    O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe "
    O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKCU\..\Run: [Ndbqtvf] "C:\Program Files\??curity\?hkdsk.exe "
    O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe "
    O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
    O4 - HKCU\..\Run: [Rtnc] "C:\DOCUME~1\Justina\APPLIC~1\PPATCH~1\notepad.exe" -vt yazb
    O4 - HKCU\..\Run: [ISMPack8] "C:\Program Files\ISM2\ISMPack8.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Bjaz] C:\WINDOWS\system32\s?mbols\l?gonui.exe
    O4 - HKCU\..\Run: [Wtba] "C:\DOCUME~1\Justina\APPLIC~1\MCROSO~1\regsvr32.exe" -vt yazb
    O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.crsdata.net/maps/install/mgaxctrlv65.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167968109808
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181932076109
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://realfocus.kaarmls.com/includes/Cabs/AurigmaImageUploader/3.5/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B5F1785C-9C6A-4D93-B80D-5BB923CEDDE9}: NameServer = 66.92.64.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{7E6E3488-724C-46E7-B142-AF567E32B2A5}: NameServer = 66.92.64.2
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    --
    End of file - 8209 bytes

    =====================================================

    This seems to have fixed the iexplorer problem. I just began a full AVG scan.

    I keep getting popups wanting me to complete installation of Adobe Acrobat 9.x, but this may be a disconnected problem.

    Is there anything else you recommend? I really appreciate your help. I'll be a hero tomorrow.

    Jim
     
    jimw,
    #5
  7. 2007/10/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    There's still quite a lot to do, but I'm too wiped out to fully research and get it all written up tonight. It will be tomorrow evening before I can post complete instructions. For now, scan again with HijackThis and place a check next to the following entries, close all other windows and click Fix Checked.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.*;192.168.0.*
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O2 - BHO: IKatzu Class - {EA5159DF-E413-4878-8AE2-D921D41BB942} - C:\WINDOWS\system32\bkinrgjm.dll
    O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKCU\..\Run: [Ndbqtvf] "C:\Program Files\??curity\?hkdsk.exe"
    O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
    O4 - HKCU\..\Run: [Rtnc] "C:\DOCUME~1\Justina\APPLIC~1\PPATCH~1\notepad.exe" -vt yazb
    O4 - HKCU\..\Run: [Bjaz] C:\WINDOWS\system32\s?mbols\l?gonui.exe
    O4 - HKCU\..\Run: [Wtba] "C:\DOCUME~1\Justina\APPLIC~1\MCROSO~1\regsvr32.exe" -vt yazb
    O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe

    Reboot and post a fresh HijackThis log. Recommend you try to keep this computer offline till we can get it cleaned up better. Won't take long to further infect it via the infections still present.

    Till tomorrow ..........
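The entries noahdfear singles out share a few patterns that can be checked mechanically: an extra executable chained onto UserInit, Run entries whose paths contain characters HijackThis prints as ?, copies of Windows binaries (notepad.exe, regsvr32.exe) launched from a user profile, executables sitting directly in the Windows root, and a Winlogon Notify DLL that is missing. As an added example that is not from the thread or from HijackThis, here is a small Python triage pass over constructed lines in the shape of the log above; the pattern list and the SYSTEM_BINARY_NAMES set are assumptions of this example, not a HijackThis rule set.

```python
import re

# Constructed sample in the shape of the HijackThis entries posted above (not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Ndbqtvf] "C:\Program Files\??curity\?hkdsk.exe"
O4 - HKCU\..\Run: [Rtnc] "C:\DOCUME~1\Justina\APPLIC~1\PPATCH~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
"""

# Assumed list: names of Windows binaries that have no business running from a profile folder.
SYSTEM_BINARY_NAMES = {"notepad.exe", "regsvr32.exe", "logonui.exe", "chkdsk.exe", "userinit.exe"}
O4_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

def command_path(cmd):
    """Executable path of a Run command: the quoted part, or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]

def triage(log_text):
    """Return (line, reason) pairs for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            exes = [p for p in line.split("=", 1)[1].split(",") if p]
            if len(exes) > 1:  # a clean XP box lists userinit.exe alone
                findings.append((line, "extra executable chained after userinit.exe"))
        elif line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
            findings.append((line, "Winlogon Notify package whose DLL is missing"))
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            path = command_path(m.group("cmd"))
            lower = path.lower()
            if "?" in path:
                findings.append((line, "non-ASCII characters in path (HijackThis prints them as ?)"))
            elif lower.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and "\\windows\\" not in lower:
                findings.append((line, "system binary name running from outside the Windows tree"))
            elif re.fullmatch(r"c:\\windows\\[^\\]+\.exe", lower):
                findings.append((line, "executable dropped directly in the Windows root"))
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```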
     
  8. 2007/10/25
    jimw

    jimw Inactive Thread Starter

    Joined:
    2007/10/24
    Messages:
    5
    Likes Received:
    0
    After my post last night, and before I saw your latest post, I ran AVG and Ad-Aware full scans. I had these programs remove all of the malware they found. Therefore some of the entries in your list were no longer there this morning.

    Today I used HJT to remove all of the entries you specified, then rebooted, and ran HJT again. The first entry "proxyoverride" keeps coming back after reboot.

    When I shutdown, the system wants to install updates. Since I have not downloaded any updates, I have been selecting the "shutdown without installing updates" option.

    Here is the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:22:14 AM, on 10/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
    C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
    C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sharp\Sharpdesk\nsapp.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.*
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
    O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
    O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
    O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
    O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
    O4 - HKCU\..\Run: [ISMPack8] "C:\Program Files\ISM2\ISMPack8.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.crsdata.net/maps/install/mgaxctrlv65.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167968109808
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181932076109
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://realfocus.kaarmls.com/includes/Cabs/AurigmaImageUploader/3.5/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B5F1785C-9C6A-4D93-B80D-5BB923CEDDE9}: NameServer = 66.92.64.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{7E6E3488-724C-46E7-B142-AF567E32B2A5}: NameServer = 66.92.64.2
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    --
    End of file - 7606 bytes

    The user needs to use the system today, but I'll see if they can avoid connecting to the Internet. They have other systems they can use for that.

    Thanks.
     
    jimw,
    #7
  9. 2007/10/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did the owner install Rabio?

    Open Internet Options in the Control Panel, then select the Connections tab. Click the LAN Settings button. Clear any selected boxes under Proxy Settings and OK out. Open Network Connections and right click>Properties on the Local Area Connection. Select Internet Protocol (TCP/IP) in the list and click Properties. Check the boxes for automatically obtaining IP and DNS Server Addresses and OK your way out.


    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\center2.exe
    C:\WINDOWS\system32\center.exe
    C:\WINDOWS\noskrnl.exe
    C:\WINDOWS\frexup3.exe
    C:\WINDOWS\plite731.exe
    C:\WINDOWS\plite731_uninstaller_.bat
    C:\WINDOWS\system32\bkinrgjm.dll
    C:\WINDOWS\system32\artchker.exe
    C:\WINDOWS\system32\katzppd.exe
    C:\WINDOWS\system32\katzpdsbt.exe
    C:\WINDOWS\system32\IKatzuUninstall.exe
    Folder::
    C:\WINDOWS\system32\wsnpoem
    C:\WINDOWS\SnVzdGluYSA
    C:\WINDOWS\system32\tp2
    C:\WINDOWS\system32\oz3
    C:\WINDOWS\system32\fix1
    C:\WINDOWS\system32\cac2
    C:\WINDOWS\SnVzdGluYSA
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISMModule8"=-
    "ISMPack8"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=dword:00000000
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=dword:00000000
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
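What that script asks ComboFix to do can be read back before it is run: File:: and Folder:: are plain path lists, and Registry:: uses .reg syntax, where =- deletes a value, dword: sets a 32-bit number and hex(7) is the byte list of a REG_MULTI_SZ. As an added example (not ComboFix code and not from the thread), here is a Python parser over a constructed excerpt of the script above; decoding the Authentication Packages bytes shows they restore the single default LSA package, msv1_0.

```python
import re

# Constructed excerpt in the shape of the CFScript posted above (only a few of its entries).
CFSCRIPT = r"""
File::
C:\WINDOWS\noskrnl.exe
C:\WINDOWS\system32\bkinrgjm.dll
Folder::
C:\WINDOWS\system32\wsnpoem
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISMModule8"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=dword:00000000
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def decode_reg_data(data):
    """Translate .reg-style value data into a (kind, value) pair."""
    if data == "-":
        return ("delete", None)                      # "=-" removes the value
    if data.startswith("dword:"):
        return ("dword", int(data[6:], 16))
    if data.startswith("hex(7):"):
        raw = bytes(int(b, 16) for b in data[7:].split(","))
        # REG_MULTI_SZ: NUL-separated strings, closed by an empty string
        return ("multi_sz", [s for s in raw.decode("ascii").split("\x00") if s])
    return ("raw", data)

def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...], 'Registry': {key: {name: (kind, value)}}}."""
    result = {"File": [], "Folder": [], "Registry": {}}
    section = key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):                      # File:: / Folder:: / Registry:: header
            section = line[:-2]
            continue
        if section in ("File", "Folder"):
            result[section].append(line)
        elif section == "Registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                result["Registry"].setdefault(key, {})
            else:
                m = VALUE_RE.match(line)
                if m and key:
                    result["Registry"][key][m.group("name")] = decode_reg_data(m.group("data"))
    return result

if __name__ == "__main__":
    for key, values in parse_cfscript(CFSCRIPT)["Registry"].items():
        print(key, values)
```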
     
  10. 2007/10/25
    jimw

    jimw Inactive Thread Starter

    Joined:
    2007/10/24
    Messages:
    5
    Likes Received:
    0
    I don't have access to the system tonight, but should be able to do this tomorrow night. I am not familiar with Rabio, but will ask the user.

    Jim
     
    jimw,
    #9
