Jump to content
☆!Click here for PC Matic product support!☆ ×

Change Mode

celldorado

Hurdy

By Hurdy,
in Solved Malware Logs

 Share Followers 0

Recommended Posts

Hurdy

Hurdy

Posted
Posted

I D/Led a P2P program last week so I could watch live sport on my PC.

 

I uninstalled the program as it didn't work...

 

Since then I keep being re-directed to certain web sites such as celldorado, fp.pc-on-internet, spyware-secure.com and an on-line casino.

 

I have tried S&D, Adaware and AntiVir all to no avail.

 

I've also discovered a new file in mscionfig statup - 'rilpyfl.exe' which reappears each time I uncheck it and re-boot.

 

Any help would be greatly appreciated.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:41:24, on 24/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Lexmark 7300 Series\lxcimon.exe

C:\Program Files\Lexmark 7300 Series\ezprint.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\lxcicoms.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,[email protected]

O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185046810968

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185046802359

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe

 

--

End of file - 4083 bytes

Link to post
Share on other sites
Juliet

Juliet

Posted
Posted

Hi Hurdy

 

 

Please download VundoFix.exe to your desktop

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

 

 

 

 

 

 

Download ComboFix© by sUBs Here

IMPORTANT !! Place it on your Desktop.

In case you have used Combofix before, please delete the version you have now and redownload it again, Combofix is updated everyday.

 

If your anti-virus or firewall complains, please allow this script to run as it is not malicious.

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

  • Double click combofix.exe and follow the prompts.

    Follow the prompts. Type "1" and press Enter to begin the scan.

  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

 

Please be patient while the scan runs, at times it may appear to stall.

 

Combofix should never take more that 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new hijackthislog.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

After rebooting ensure your Security applications have been re-enabled.

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

 

 

 

 

 

 

 

 

Rename HijackThis.exe to Hurdy.exe by doing the following;

 

* Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis

* Right-click on the HijackThis.exe

* Choose from the pull-down menu; "Rename"

* And now Rename HijackThis.exe to Hurdy.exe

* When you've renamed HijackThis, open HijackThis again.

* Take a fresh HijackThis log (click Do a system scan and save a log file)

* Post the fresh HijackThis log here.

 

 

 

In your next reply post:

C:\vundofix.txt

ComboFix.txt

New renamed HJT log

 

Still have popups?

Link to post
Share on other sites
Hurdy

Hurdy

Posted
  • Author
Posted

Vundo found nothing.

 

ComboFix 07-12-30.1 - Sean 2007-12-30 13:25:48.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.715 [GMT 0:00]

Running from: C:\Documents and Settings\Sean\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Desktop\webmediaplayer.lnk

C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer

C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\Privacy Policy.lnk

C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\Terms and conditions.lnk

C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\WebMediaPlayer.lnk

C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\Website.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Privacy Policy.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Terms and conditions.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\WebMediaPlayer.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Website.lnk

c:\Documents and Settings\Sean\Local Settings\Application Data\rilpyfl.dat

c:\documents and settings\sean\local settings\application data\rilpyfl.exe

c:\Documents and Settings\Sean\Local Settings\Application Data\rilpyfl_nav.dat

c:\Documents and Settings\Sean\Local Settings\Application Data\rilpyfl_navps.dat

C:\Program Files\webmediaplayer

C:\Program Files\webmediaplayer\Privacy Policy.url

C:\Program Files\webmediaplayer\resources\languages_v2.xml

C:\Program Files\webmediaplayer\resources\webmedias

C:\Program Files\webmediaplayer\skins\classic.skn

C:\Program Files\webmediaplayer\sqlite3.dll

C:\Program Files\webmediaplayer\Terms and conditions.url

C:\Program Files\webmediaplayer\uninst.exe

C:\Program Files\webmediaplayer\Website.url

C:\WINDOWS\b.exe

G:\Autorun.inf

 

.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))

.

 

2007-12-30 12:56 . 2007-12-30 12:56 <DIR> d-------- C:\VundoFix Backups

2007-12-29 21:54 . 2007-12-29 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2007-12-26 18:30 . 2007-12-26 18:43 1,393 --a------ C:\WINDOWS\imsins.BAK

2007-12-26 18:29 . 2007-07-09 13:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2007-12-26 18:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2007-12-24 20:17 . 2007-12-24 20:17 <DIR> d-------- C:\Program Files\Alwil Software

2007-12-24 20:17 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe

2007-12-24 20:17 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx

2007-12-24 20:17 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr

2007-12-24 20:17 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-24 20:17 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-24 20:17 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-24 20:17 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-24 20:17 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-24 16:41 . 2007-12-24 16:41 <DIR> d-------- C:\Program Files\Trend Micro

2007-12-23 17:50 . 2007-12-27 16:23 <DIR> d-------- C:\CrystalMark020B39FB

2007-12-23 16:18 . 2007-12-23 16:18 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\LG Image Editor

2007-12-13 19:24 . 2007-12-13 19:24 <DIR> d-------- C:\Program Files\Lavalys

2007-12-08 21:16 . 2007-12-08 21:16 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\Leadertech

2007-12-08 20:42 . 1998-01-21 21:18 327,388 --a------ C:\WINDOWS\Divpcam.exe

2007-12-02 15:20 . 2007-12-02 15:20 388 --a------ C:\WINDOWS\cdplayer.ini

2007-11-25 08:25 . 2007-12-23 16:18 <DIR> d--h----- C:\LG3G

2007-11-24 20:36 . 2007-11-24 20:36 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\LG Electronics

2007-11-24 19:12 . 2007-11-24 19:12 <DIR> d-------- C:\lgupload

2007-11-24 19:11 . 2007-11-24 19:11 <DIR> d-------- C:\Program Files\LG Electronics

2007-11-24 19:11 . 2007-07-11 10:45 21,632 --a------ C:\WINDOWS\system32\drivers\lgusbmodem.sys

2007-11-24 19:11 . 2007-07-11 15:51 19,840 --a------ C:\WINDOWS\system32\drivers\lgusbdiag.sys

2007-11-24 19:11 . 2007-07-11 10:40 12,416 --a------ C:\WINDOWS\system32\drivers\lgusbbus.sys

2007-11-24 19:10 . 2007-11-24 19:10 <DIR> d-------- C:\Program Files\LG PC Suite 2

2007-11-17 19:17 . 2007-12-02 19:34 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\AdobeUM

2007-11-17 19:17 . 2007-11-17 19:17 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\AdobeAUM

2007-11-07 18:49 . 2007-11-07 18:49 <DIR> d-------- C:\Program Files\Motherboard Monitor 5

2007-11-07 18:49 . 2004-04-10 09:42 2,944 --a------ C:\WINDOWS\system32\mbmiodrvr.sys

2007-11-04 18:36 . 2007-11-04 18:36 565,170 --a------ C:\WINDOWS\system32\large.bnk

2007-11-04 18:36 . 2007-11-04 18:36 278,528 --a------ C:\WINDOWS\system32\livesnth.dll

2007-11-04 18:36 . 2007-11-04 18:36 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll

2007-11-04 18:32 . 2007-11-04 18:32 <DIR> d-------- C:\Program Files\Common Files\xing shared

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-26 11:34 --------- d-----w C:\Program Files\AusLogics Disk Defrag

2008-12-26 11:34 --------- d-----w C:\Documents and Settings\Sean\Application Data\Auslogics

2008-12-25 17:24 --------- d-----w C:\Program Files\Maxtor

2008-12-25 17:23 --------- d-----w C:\Program Files\MSXML 6.0

2008-12-25 12:14 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7

2007-12-29 21:55 --------- d-----w C:\Documents and Settings\Sean\Application Data\AVG7

2007-12-29 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7

2007-12-29 11:14 --------- d-----w C:\Program Files\Dan Elwell's Broadband Speed Test

2007-12-28 11:41 --------- d-----w C:\Program Files\Lx_cats

2007-12-28 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Maxtor

2007-12-27 18:35 --------- d-----w C:\Program Files\Common Files\InstallShield

2007-12-24 19:11 --------- d-----w C:\Program Files\NVIDIA Corporation

2007-12-23 16:00 --------- d-----w C:\Program Files\PPLive

2007-12-16 14:13 --------- d-----w C:\Documents and Settings\Sean\Application Data\OpenOffice.org2

2007-12-02 15:58 --------- d-----w C:\Program Files\LimeWire

2007-12-02 15:01 --------- d-----w C:\Documents and Settings\Sean\Application Data\LimeWire

2007-11-29 16:50 38,567 ----a-w C:\WINDOWS\system32\pcpbios.exe

2007-11-24 19:11 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-04 18:32 --------- d-----w C:\Program Files\Common Files\Real

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-28 12:10 --------- d-----w C:\Program Files\OpenOffice.org 2.3

2007-10-27 17:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe

2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvumctl.exe

2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe

2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvuenet.exe

2007-09-17 00:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe

2007-09-17 00:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll

2007-09-17 00:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll

2007-09-17 00:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe

2007-09-17 00:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe

2007-09-17 00:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll

2007-09-17 00:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe

2007-09-17 00:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll

2007-09-17 00:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe

2007-09-17 00:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll

2007-09-17 00:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe

2007-09-17 00:07 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll

2007-09-17 00:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lxcimon.exe"="C:\Program Files\Lexmark 7300 Series\lxcimon.exe" [2007-02-02 02:14]

"EzPrint"="C:\Program Files\Lexmark 7300 Series\ezprint.exe" [2007-02-02 02:15]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 14:53]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-04 18:32]

"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 17:27]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-29 21:54]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-29 21:54]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe

backup=C:\WINDOWS\pss\svchost.exeCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^AutoExtract 3.lnk]

path=C:\Documents and Settings\Sean\Start Menu\Programs\Startup\AutoExtract 3.lnk

backup=C:\WINDOWS\pss\AutoExtract 3.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]

path=C:\Documents and Settings\Sean\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk

backup=C:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]

2007-11-20 19:12 2250104 --a------ C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]

2003-01-27 16:16 376912 --a------ C:\Program Files\BroadJump\Client Foundation\CFD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2004-08-03 23:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2007-09-26 13:42 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

C:\Program Files\Messenger\msmsgs.exe /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

C:\Program Files\MSN Messenger\msnmsgr.exe /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]

2004-06-03 19:51 131072 --a------ C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlhlmezl]

c:\documents and settings\sean\local settings\application data\qlhlmezl.exe qlhlmezl

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\QTTask.exe -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rilpyfl]

c:\documents and settings\sean\local settings\application data\rilpyfl.exe rilpyfl

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]

2006-09-20 07:35 20480 --a------ C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NVSvc"=2 (0x2)

"iPod Service"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"usnjsvc"=3 (0x3)

"SharedAccess"=2 (0x2)

"mnmsrvc"=3 (0x3)

"ImapiService"=3 (0x3)

 

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2006-01-12 11:56]

R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-11-01 11:21]

R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 12:24]

S2 lxci_device;lxci_device;C:\WINDOWS\system32\lxcicoms.exe [2007-02-02 02:13]

S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 07:05]

S3 RTL2831UBDA;REALTEK 2831U BDA Driver;C:\WINDOWS\system32\drivers\RTL2831UBDA.sys [2007-09-26 09:20]

S3 RTL2831UUSB;REALTEK 2831U USB Driver;C:\WINDOWS\system32\Drivers\RTL2831UUSB.sys [2007-09-26 09:20]

 

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

"2007-12-29 10:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-30 13:28:16

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCICATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-12-30 13:28:50

C:\qoobox\ComboFix-quarantined-files.txt 2007-12-30 13:28:26

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:49:34, on 30/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\Hijackthis\Hurdy.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,[email protected]

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198693518828

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198693510687

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

 

--

End of file - 5510 bytes

 

 

Not so much popups - a new page opens which takes to the above mentioned sites. Annoying.

Link to post
Share on other sites
Aaflac

Aaflac

Posted
Posted (edited)

Hurdy,

 

Juliet is not available at this time, and I will assist you instead.

 

 

Please download Navilog1

  • Right-click and Extract all to the Desktop
  • Double click on navilog1.exe to install
  • When the installation is complete, the tool starts automatically. (If it doesn't start automatically, please double click on the Navilog1 shortcut on the Desktop)
  • From the language menu, press E for English
  • In the next menu, type 1 to select Search and press Enter (Please wait for the Scan to finish (It may take a while)
  • Press any key as requested
The tool produces a document: fixnavi.txt, saved in C:\fixnavi.txt

Please provide the contents of this report in your reply.

 

~~~~

Also, it appears you have two AntiVirus programs running (Avast4 and AVG7). Is that is the case?

Edited by Aaflac
Link to post
Share on other sites
Hurdy

Hurdy

Posted
  • Author
Posted

Log as requsted.

 

Avast has been uninstalled.

 

Search Navipromo version 3.3.8 began on 31/12/2007 at 9:35:35.64

 

!!! Warning, this report may include legitimate files/programs !!!

!!! Post this report on the forum you are being helped !!!

!!! Don't continue with removal unless instructed by an authorized helper !!!

Fix running from C:\Program Files\navilog1

Updated on 11.12.2007 at 18h00 by IL-MAFIOSO

 

 

Microsoft Windows XP [Version 5.1.2600]

Version Internet Explorer : 7.0.5730.11

Filesystem type : NTFS

 

Done in normal mode

 

*** Searching for installed Software ***

 

 

 

 

*** Search folders in C:\WINDOWS ***

 

 

 

*** Search folders in C:\Program Files ***

 

 

 

*** Search folders in C:\DOCUME~1\ALLUSE~1\APPLIC~1 ***

 

 

 

 

*** Search folders in "C:\Documents and Settings\Sean\application data" ***

 

 

*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs ***

 

 

*** Search with Catchme-rootkit/stealth malware detector by gmer ***

for more info : http://www.gmer.net

 

No file found

 

 

 

*** Search with GenericNaviSearch ***

!!! Possibility of legitimate files in the result !!!

!!! Must always be checked before manually deleting !!!

 

* Scan in C:\WINDOWS\system32 *

 

* Scan in "C:\Documents and Settings\Sean\local settings\application data" *

 

 

 

*** Search files ***

 

 

 

 

*** Search specific Registry keys ***

 

 

*** Complementary Search ***

(Search specific files)

 

1)Search new Instant Access files :

 

 

2)Heuristic Search :

 

* In C:\WINDOWS\system32 :

 

 

* In "C:\Documents and Settings\Sean\local settings\application data" :

 

 

3)Certificates Search :

 

Egroup certificate not found !

 

4)Search known files :

 

 

 

*** Search completed on 31/12/2007 at 9:38:56.75 ***

 

Link to post
Share on other sites
Aaflac

Aaflac

Posted
Posted

Please open Notepad (Start > Run > in the Open field type: notepad)

Click: OK

 

Copy/ paste the blue text below to Notepad:

 

File::

C:\WINDOWS\imsins.BAK

c:\documents and settings\sean\local settings\application data\qlhlmezl.exe

c:\documents and settings\sean\local settings\application data\rilpyfl.exe

 

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlhlmezl]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rilpyfl]

 

 

Save as CFScript.txt <<< Important!!

Change the Save as type to: All Files

Save it to the Desktop

 

Posted Image

 

Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe

ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

 

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

 

When finished, a log is produced: ComboFix.txt

 

~~~~

Run HijackThis once again, and Scan, to obtain a new log.

 

~~~~

Please provide the contents of the new ComboFix log, and the new HijackThis log in your reply.

 

 

BTW, you do not to quote your replies.

Link to post
Share on other sites
  • 4 weeks later...
Guest
This topic is now closed to further replies.
 Share
Followers 0
Go to topic listing
×
×
  • Create New...