Hurdy Posted December 24, 2007

I D/Led a P2P program last week so I could watch live sport on my PC. I uninstalled the program as it didn't work... Since then I keep being re-directed to certain web sites such as celldorado, fp.pc-on-internet, spyware-secure.com and an on-line casino. I have tried S&D, Adaware and AntiVir all to no avail. I've also discovered a new file in msconfig startup - 'rilpyfl.exe' which reappears each time I uncheck it and re-boot. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:41:24, on 24/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,[email protected]
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185046810968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185046802359
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe

-- End of file - 4083 bytes
Juliet Posted December 24, 2007

Hi Hurdy

Please download VundoFix.exe to your desktop
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Download ComboFix© by sUBs Here

IMPORTANT !! Place it on your Desktop.

In case you have used Combofix before, please delete the version you have now and redownload it again, Combofix is updated everyday.

If your anti-virus or firewall complains, please allow this script to run as it is not malicious.

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working. This includes Antivirus, Firewall, and any Spyware scanners that run in the background. Click on this link Here to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

* Double click combofix.exe and follow the prompts.
* Type "1" and press Enter to begin the scan.
* When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Please be patient while the scan runs, at times it may appear to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected. If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue. If that happened we want to know, and also what process you had to end.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt. Post this log in your next reply together with a new hijackthislog.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

After rebooting ensure your Security applications have been re-enabled.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Rename HijackThis.exe to Hurdy.exe by doing the following;
* Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
* Right-click on the HijackThis.exe
* Choose from the pull-down menu; "Rename"
* And now Rename HijackThis.exe to Hurdy.exe
* When you've renamed HijackThis, open HijackThis again.
* Take a fresh HijackThis log (click Do a system scan and save a log file)
* Post the fresh HijackThis log here.

In your next reply post:
C:\vundofix.txt
ComboFix.txt
New renamed HJT log
Still have popups?
Hurdy Posted December 27, 2007

I will - after my post-Christmas detox...
Hurdy Posted December 30, 2007

Vundo found nothing.

ComboFix 07-12-30.1 - Sean 2007-12-30 13:25:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.715 [GMT 0:00]
Running from: C:\Documents and Settings\Sean\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Desktop\webmediaplayer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer
C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\Privacy Policy.lnk
C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\Terms and conditions.lnk
C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\WebMediaPlayer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\Website.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Privacy Policy.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Terms and conditions.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\WebMediaPlayer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Website.lnk
c:\Documents and Settings\Sean\Local Settings\Application Data\rilpyfl.dat
c:\documents and settings\sean\local settings\application data\rilpyfl.exe
c:\Documents and Settings\Sean\Local Settings\Application Data\rilpyfl_nav.dat
c:\Documents and Settings\Sean\Local Settings\Application Data\rilpyfl_navps.dat
C:\Program Files\webmediaplayer
C:\Program Files\webmediaplayer\Privacy Policy.url
C:\Program Files\webmediaplayer\resources\languages_v2.xml
C:\Program Files\webmediaplayer\resources\webmedias
C:\Program Files\webmediaplayer\skins\classic.skn
C:\Program Files\webmediaplayer\sqlite3.dll
C:\Program Files\webmediaplayer\Terms and conditions.url
C:\Program Files\webmediaplayer\uninst.exe
C:\Program Files\webmediaplayer\Website.url
C:\WINDOWS\b.exe
G:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.
2007-12-30 12:56 . 2007-12-30 12:56 <DIR> d-------- C:\VundoFix Backups
2007-12-29 21:54 . 2007-12-29 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-26 18:30 . 2007-12-26 18:43 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-26 18:29 . 2007-07-09 13:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-26 18:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-24 20:17 . 2007-12-24 20:17 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-24 20:17 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-24 20:17 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-24 20:17 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-24 20:17 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-24 20:17 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-24 20:17 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-24 20:17 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-24 20:17 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-24 16:41 . 2007-12-24 16:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 17:50 . 2007-12-27 16:23 <DIR> d-------- C:\CrystalMark020B39FB
2007-12-23 16:18 . 2007-12-23 16:18 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\LG Image Editor
2007-12-13 19:24 . 2007-12-13 19:24 <DIR> d-------- C:\Program Files\Lavalys
2007-12-08 21:16 . 2007-12-08 21:16 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\Leadertech
2007-12-08 20:42 . 1998-01-21 21:18 327,388 --a------ C:\WINDOWS\Divpcam.exe
2007-12-02 15:20 . 2007-12-02 15:20 388 --a------ C:\WINDOWS\cdplayer.ini
2007-11-25 08:25 . 2007-12-23 16:18 <DIR> d--h----- C:\LG3G
2007-11-24 20:36 . 2007-11-24 20:36 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\LG Electronics
2007-11-24 19:12 . 2007-11-24 19:12 <DIR> d-------- C:\lgupload
2007-11-24 19:11 . 2007-11-24 19:11 <DIR> d-------- C:\Program Files\LG Electronics
2007-11-24 19:11 . 2007-07-11 10:45 21,632 --a------ C:\WINDOWS\system32\drivers\lgusbmodem.sys
2007-11-24 19:11 . 2007-07-11 15:51 19,840 --a------ C:\WINDOWS\system32\drivers\lgusbdiag.sys
2007-11-24 19:11 . 2007-07-11 10:40 12,416 --a------ C:\WINDOWS\system32\drivers\lgusbbus.sys
2007-11-24 19:10 . 2007-11-24 19:10 <DIR> d-------- C:\Program Files\LG PC Suite 2
2007-11-17 19:17 . 2007-12-02 19:34 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\AdobeUM
2007-11-17 19:17 . 2007-11-17 19:17 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\AdobeAUM
2007-11-07 18:49 . 2007-11-07 18:49 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2007-11-07 18:49 . 2004-04-10 09:42 2,944 --a------ C:\WINDOWS\system32\mbmiodrvr.sys
2007-11-04 18:36 . 2007-11-04 18:36 565,170 --a------ C:\WINDOWS\system32\large.bnk
2007-11-04 18:36 . 2007-11-04 18:36 278,528 --a------ C:\WINDOWS\system32\livesnth.dll
2007-11-04 18:36 . 2007-11-04 18:36 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2007-11-04 18:32 . 2007-11-04 18:32 <DIR> d-------- C:\Program Files\Common Files\xing shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 11:34 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2008-12-26 11:34 --------- d-----w C:\Documents and Settings\Sean\Application Data\Auslogics
2008-12-25 17:24 --------- d-----w C:\Program Files\Maxtor
2008-12-25 17:23 --------- d-----w C:\Program Files\MSXML 6.0
2008-12-25 12:14 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-29 21:55 --------- d-----w C:\Documents and Settings\Sean\Application Data\AVG7
2007-12-29 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-29 11:14 --------- d-----w C:\Program Files\Dan Elwell's Broadband Speed Test
2007-12-28 11:41 --------- d-----w C:\Program Files\Lx_cats
2007-12-28 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Maxtor
2007-12-27 18:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-24 19:11 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-12-23 16:00 --------- d-----w C:\Program Files\PPLive
2007-12-16 14:13 --------- d-----w C:\Documents and Settings\Sean\Application Data\OpenOffice.org2
2007-12-02 15:58 --------- d-----w C:\Program Files\LimeWire
2007-12-02 15:01 --------- d-----w C:\Documents and Settings\Sean\Application Data\LimeWire
2007-11-29 16:50 38,567 ----a-w C:\WINDOWS\system32\pcpbios.exe
2007-11-24 19:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-04 18:32 --------- d-----w C:\Program Files\Common Files\Real
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 12:10 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2007-10-27 17:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvumctl.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe
2007-09-17 01:10 356,352 ----a-w C:\WINDOWS\system32\nvuenet.exe
2007-09-17 00:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 00:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 00:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 00:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 00:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 00:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 00:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 00:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 00:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 00:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 00:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 00:07 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-09-17 00:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxcimon.exe"="C:\Program Files\Lexmark 7300 Series\lxcimon.exe" [2007-02-02 02:14]
"EzPrint"="C:\Program Files\Lexmark 7300 Series\ezprint.exe" [2007-02-02 02:15]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 14:53]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-04 18:32]
"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 17:27]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-29 21:54]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-29 21:54]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
backup=C:\WINDOWS\pss\svchost.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^AutoExtract 3.lnk]
path=C:\Documents and Settings\Sean\Start Menu\Programs\Startup\AutoExtract 3.lnk
backup=C:\WINDOWS\pss\AutoExtract 3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Documents and Settings\Sean\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2007-11-20 19:12 2250104 --a------ C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2003-01-27 16:16 376912 --a------ C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-03 23:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 13:42 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
2004-06-03 19:51 131072 --a------ C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlhlmezl]
c:\documents and settings\sean\local settings\application data\qlhlmezl.exe qlhlmezl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rilpyfl]
c:\documents and settings\sean\local settings\application data\rilpyfl.exe rilpyfl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 07:35 20480 --a------ C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"usnjsvc"=3 (0x3)
"SharedAccess"=2 (0x2)
"mnmsrvc"=3 (0x3)
"ImapiService"=3 (0x3)

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2006-01-12 11:56]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-11-01 11:21]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 12:24]
S2 lxci_device;lxci_device;C:\WINDOWS\system32\lxcicoms.exe [2007-02-02 02:13]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 07:05]
S3 RTL2831UBDA;REALTEK 2831U BDA Driver;C:\WINDOWS\system32\drivers\RTL2831UBDA.sys [2007-09-26 09:20]
S3 RTL2831UUSB;REALTEK 2831U USB Driver;C:\WINDOWS\system32\Drivers\RTL2831UUSB.sys [2007-09-26 09:20]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 10:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 13:28:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 13:28:50
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-30 13:28:26

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:49:34, on 30/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\Hijackthis\Hurdy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,[email protected]
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198693518828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198693510687
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

-- End of file - 5510 bytes

Not so many popups - a new page opens which takes me to the above mentioned sites. Annoying.
Aaflac Posted December 31, 2007

Hurdy,

Juliet is not available at this time, and I will assist you instead.

Please download Navilog1
* Right-click and Extract all to the Desktop
* Double click on navilog1.exe to install
* When the installation is complete, the tool starts automatically. (If it doesn't start automatically, please double click on the Navilog1 shortcut on the Desktop)
* From the language menu, press E for English
* In the next menu, type 1 to select Search and press Enter
* Please wait for the Scan to finish (It may take a while)
* Press any key as requested
* The tool produces a document: fixnavi.txt, saved in C:\fixnavi.txt

Please provide the contents of this report in your reply.

~~~~

Also, it appears you have two AntiVirus programs running (Avast4 and AVG7). Is that the case?

Edited December 31, 2007 by Aaflac
Hurdy Posted December 31, 2007

Log as requested. Avast has been uninstalled.

Search Navipromo version 3.3.8 began on 31/12/2007 at 9:35:35.64

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!

Fix running from C:\Program Files\navilog1
Updated on 11.12.2007 at 18h00 by IL-MAFIOSO

Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 7.0.5730.11
Filesystem type : NTFS

Done in normal mode

*** Searching for installed Software ***

*** Search folders in C:\WINDOWS ***

*** Search folders in C:\Program Files ***

*** Search folders in C:\DOCUME~1\ALLUSE~1\APPLIC~1 ***

*** Search folders in "C:\Documents and Settings\Sean\application data" ***

*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

No file found

*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in "C:\Documents and Settings\Sean\local settings\application data" *

*** Search files ***

*** Search specific Registry keys ***

*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :

2)Heuristic Search :

* In C:\WINDOWS\system32 :

* In "C:\Documents and Settings\Sean\local settings\application data" :

3)Certificates Search :

Egroup certificate not found !

4)Search known files :

*** Search completed on 31/12/2007 at 9:38:56.75 ***
Aaflac Posted January 1, 2008

Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/ paste the blue text below to Notepad:

File::
C:\WINDOWS\imsins.BAK
c:\documents and settings\sean\local settings\application data\qlhlmezl.exe
c:\documents and settings\sean\local settings\application data\rilpyfl.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlhlmezl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rilpyfl]

Save as CFScript.txt
<<< Important!! Change the Save as type to: All Files
Save it to the Desktop

Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe

ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~

Run HijackThis once again, and Scan, to obtain a new log.

~~~~

Please provide the contents of the new ComboFix log, and the new HijackThis log in your reply.

BTW, you do not need to quote your replies.
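The two CFScript targets above (rilpyfl and qlhlmezl) were found by reading the ComboFix "msconfig\startupreg" keys and the HijackThis O4 lines by eye. As an added example, not part of this thread and not code from ComboFix, HijackThis or the helpers, the Python script below does that triage mechanically: it parses both line formats, works out which executable (or rundll32 module) each autostart entry actually launches, and flags entries that run from a per-user data folder or have no absolute path. The sample lines are constructed from entries in the logs posted earlier in the thread (the ComboFix key and its value are joined onto one line); the flagging rules are this example's own heuristics, not anything the tools implement.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: autostart entries in the two formats seen in this
# thread, HijackThis "O4" lines and ComboFix "msconfig\startupreg" keys (the
# ComboFix key and its value, printed on two lines in the log, are joined here).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r'[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rilpyfl] c:\documents and settings\sean\local settings\application data\rilpyfl.exe rilpyfl',
    r'[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlhlmezl] c:\documents and settings\sean\local settings\application data\qlhlmezl.exe qlhlmezl',
    r'[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe',
    r'[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install',
]

HJT_O4 = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
CF_STARTUPREG = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\'
    r'(?P<name>[^\]]+)\] (?P<cmd>.*)$', re.IGNORECASE)
# ComboFix prefixes some values with "date time size attributes "; strip it.
CF_PREFIX = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ [-a-z]{9} ', re.IGNORECASE)
TARGET_RE = re.compile(r'(.*?\.(?:exe|dll|scr|com|bat|cmd))(?=\s|$|,)', re.IGNORECASE)

# Per-user data folders on Windows XP: writable without admin rights, which is
# where the rilpyfl.exe / qlhlmezl.exe entries in this thread live.
PROFILE_DATA_DIRS = ('\\local settings\\application data\\',
                     '\\local settings\\temp\\',
                     '\\application data\\')


@dataclass
class Entry:
    source: str
    name: str
    command: str
    target: str
    reason: Optional[str]


def extract_target(cmd: str) -> str:
    """Return the executable (or rundll32 module) an autostart command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    head, _, rest = cmd.partition(' ')
    if head.lower() in ('rundll32', 'rundll32.exe') and rest:
        cmd = rest.strip()   # the module rundll32 loads is the real payload
    m = TARGET_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else '')


def assess(target: str) -> Optional[str]:
    """Heuristic reason to look closer at an entry, or None if unremarkable."""
    t = target.lower()
    if not re.match(r'^[a-z]:\\', t):
        return 'no absolute path: resolved through PATH at logon'
    if '\\documents and settings\\' in t and any(d in t for d in PROFILE_DATA_DIRS):
        return 'runs from a user profile data folder'
    return None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis O4 or ComboFix startupreg line; None if neither."""
    line = line.strip()
    m = HJT_O4.match(line)
    if m:
        source, name, cmd = 'hjt:' + m.group('hive'), m.group('name'), m.group('cmd')
    else:
        m = CF_STARTUPREG.match(line)
        if not m:
            return None
        source, name = 'combofix:msconfig', m.group('name')
        cmd = CF_PREFIX.sub('', m.group('cmd'))
    target = extract_target(cmd)
    return Entry(source, name, cmd, target, assess(target))


def triage(lines: List[str]) -> List[Entry]:
    """Parse every recognised autostart line and return only the flagged ones."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return [e for e in entries if e.reason]


if __name__ == '__main__':
    for e in triage(SAMPLE_LINES):
        print(f'{e.source:20} {e.name:20} {e.target}')
        print(f'{"":41} -> {e.reason}')
```

Run against the sample lines it flags rilpyfl, qlhlmezl and nwiz; the last is a low-confidence hit (a bare `nwiz.exe /install` that relies on PATH) and shows why a flagged entry is a prompt for a closer look, never an automatic delete, the same caution the Navilog report above prints about legitimate files.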
Juliet Posted January 23, 2008

Glad we could help.

Since this issue appears resolved ... this Topic is closed.