Hijack log - system acting weird

Discussion in 'Windows - Virus and spyware problems' started by baddassb, Mar 15, 2008.

  1. baddassb

    baddassb Regular member

    Joined:
    Jan 22, 2005
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    26
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:04:16 PM, on 3/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Conversions Plus\FormatM.exe
    C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Notes\ntmulti.exe
    C:\PROGRA~1\Marimba\CASTAN~1\lib\jre\bin\java.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Adobe\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\pdfDocs\Resources\pdfDocsMon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Adobe\Acrobat\acrobat_sl.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: RDL Rolex - {87F99AD1-22A9-46AD-8BCD-DEF34C065CA6} - C:\WINDOWS\drnpfdxvsl.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: etlrlws - {4ECB354D-BB66-4B7A-AC4D-5A2DACE34E08} - C:\WINDOWS\etlrlws.dll (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [MSI_UDAgent] "C:\WINDOWS\system32\udagent.exe" -c
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [MacLicense] "C:\PROGRA~1\CONVER~1\MacLic.exe"
    O4 - HKLM\..\Run: [Workshare3GW] "C:\Program Files\Workshare\Modules\WMConfigAssistant.exe" /userinit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [pdfDocs] C:\Program Files\pdfDocs\Resources\pdfDocsMon.exe
    O4 - HKLM\..\Run: [antiviirus] "C:\Program Files\antiviirus.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: MacName.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm (file missing) (HKCU)
    O15 - Trusted Zone: *.mwe.com
    O15 - Trusted Zone: *.westlaw.com
    O15 - Trusted Zone: online.wjs.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://childm02.lan.mwe.com/iNotes6W.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1112704985828
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minis...d/MSSurVid.cab
    O16 - DPF: {BAB7B1B6-1FA2-41A2-A0A2-2CF82ACC3CA8} - http://www.topmoxie.com/external/bui...ro1050_310.cab
    O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microsystemsevents.webex.com...br/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.lan.mwe.com
    O17 - HKLM\Software\..\Telephony: DomainName = na.lan.mwe.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.lan.mwe.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = na.lan.mwe.com,lan.mwe.com,eu.lan.mwe.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.lan.mwe.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = na.lan.mwe.com,lan.mwe.com,eu.lan.mwe.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.lan.mwe.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = na.lan.mwe.com,lan.mwe.com,eu.lan.mwe.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = na.lan.mwe.com,lan.mwe.com,eu.lan.mwe.com
    O20 - AppInit_DLLs:
    O21 - SSODL: altvxvm - {810A2B38-F413-4A63-AB08-6F6A7A0E426B} - C:\WINDOWS\altvxvm.dll
    O21 - SSODL: WinMon - {d259155b-03f4-455b-a7e5-aa7df9f3f8f9} - C:\WINDOWS\Installer\{d259155b-03f4-455b-a7e5-aa7df9f3f8f9}\WinMon.dll (file missing)
    O21 - SSODL: bokpkov - {14759279-4231-4C95-AEBC-4CD691CCEEAF} - C:\WINDOWS\bokpkov.dll
    O21 - SSODL: zip - {65cf391a-1441-42d6-b0bf-b682f5919663} - C:\WINDOWS\Installer\{65cf391a-1441-42d6-b0bf-b682f5919663}\zip.dll (file missing)
    O21 - SSODL: RomVolume - {0e131af9-4af9-4a7c-be0c-bb5a253c9064} - C:\WINDOWS\Installer\{0e131af9-4af9-4a7c-be0c-bb5a253c9064}\RomVolume.dll (file missing)
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\Conversions Plus\FormatM.exe
    O23 - Service: MarimbaClient - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 12634 bytes
     
    baddassb, Mar 15, 2008
    #1
  2. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    hi,

    start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

    O4 - HKLM\..\Run: [antiviirus] "C:\Program Files\antiviirus.exe"

    navigate to the C:\Program Files\ dir and delete the .exe

    next:
    Please download Malwarebytes' Anti-Malware to your desktop:

    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

    post the malwarebytes log and a new hjt log
     
    echoreply, Mar 16, 2008
    #2
  3. baddassb

    baddassb Regular member

    Joined:
    Jan 22, 2005
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    26
    WILL ADD HJT LOG TOMORROW. THANKS AGAIN!! :eek:)
    malwarebytes log:

    Malwarebytes' Anti-Malware 1.08
    Database version: 499

    Scan type: Full Scan (C:\|)
    Objects scanned: 123343
    Time elapsed: 6 hour(s), 26 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 17
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\bokpkov.dll (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\altvxvm.dll (Trojan.FakeAlert) -> No action taken.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\etlrlws.brfg (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\etlrlws.toolbar.1 (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{4ecb354d-bb66-4b7a-ac4d-5a2dace34e08} (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{87f99ad1-22a9-46ad-8bcd-def34c065ca6} (Trojan.FakeAlert) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87f99ad1-22a9-46ad-8bcd-def34c065ca6} (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{3a35d29a-df13-45ed-9f38-a00af13ac412} (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{5207d7ca-312b-4864-ba2a-197099f9c708} (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{03bf5db1-978b-45ad-99c7-cb3b01ef72cb} (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{64ee2279-0486-4aaf-93dd-f364e6244d01} (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{9738cd16-ff74-43a9-bccf-4373325d000c} (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{14759279-4231-4c95-aebc-4cd691cceeaf} (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{5bf5ba79-ee76-4f83-8a3b-cd34ba68aa85} (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{810a2b38-f413-4a63-ab08-6f6a7a0e426b} (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{9da24776-fda7-49e1-bfb2-6ec4d3e160da} (Trojan.FakeAlert) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.brfg (Trojan.FakeAlert) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1 (Trojan.FakeAlert) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{4ecb354d-bb66-4b7a-ac4d-5a2dace34e08} (Trojan.FakeAlert) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bokpkov (Trojan.FakeAlert) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\altvxvm (Trojan.FakeAlert) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\Installer\{d259155b-03f4-455b-a7e5-aa7df9f3f8f9} (Trojan.Alphabet) -> No action taken.
    C:\WINDOWS\Installer\{65cf391a-1441-42d6-b0bf-b682f5919663} (Trojan.Alphabet) -> No action taken.
    C:\WINDOWS\Installer\{0e131af9-4af9-4a7c-be0c-bb5a253c9064} (Trojan.Alphabet) -> No action taken.

    Files Infected:
    C:\WINDOWS\bokpkov.dll (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\altvxvm.dll (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\DMcGee\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> No action taken.
    C:\Documents and Settings\DMcGee\Desktop\Privacy Protector.url (Rogue.Link) -> No action taken.
    C:\Documents and Settings\DMcGee\Desktop\Error Cleaner.url (Rogue.Link) -> No action taken.
    C:\Documents and Settings\DMcGee\Favorites\Error Cleaner.url (Rogue.Link) -> No action taken.
    C:\Documents and Settings\DMcGee\Favorites\Privacy Protector.url (Rogue.Link) -> No action taken.
    C:\Documents and Settings\DMcGee\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> No action taken.


     
    baddassb, Mar 19, 2008
    #3
  4. baddassb

    baddassb Regular member

    Joined:
    Jan 22, 2005
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    26
    HJT Log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:51:15 PM, on 3/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Conversions Plus\FormatM.exe
    C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Notes\ntmulti.exe
    C:\PROGRA~1\Marimba\CASTAN~1\lib\jre\bin\java.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Adobe\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\pdfDocs\Resources\pdfDocsMon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\DNA\btdna.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: RDL Rolex - {87F99AD1-22A9-46AD-8BCD-DEF34C065CA6} - C:\WINDOWS\drnpfdxvsl.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: etlrlws - {4ECB354D-BB66-4B7A-AC4D-5A2DACE34E08} - C:\WINDOWS\etlrlws.dll (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [MSI_UDAgent] "C:\WINDOWS\system32\udagent.exe" -c
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [MacLicense] "C:\PROGRA~1\CONVER~1\MacLic.exe"
    O4 - HKLM\..\Run: [Workshare3GW] "C:\Program Files\Workshare\Modules\WMConfigAssistant.exe" /userinit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [pdfDocs] C:\Program Files\pdfDocs\Resources\pdfDocsMon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: MacName.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm (file missing) (HKCU)
    O15 - Trusted Zone: *.mwe.com
    O15 - Trusted Zone: *.westlaw.com
    O15 - Trusted Zone: online.wjs.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://childm02.lan.mwe.com/iNotes6W.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1112704985828
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/accommodations/surround/MSSurVid.cab
    O16 - DPF: {BAB7B1B6-1FA2-41A2-A0A2-2CF82ACC3CA8} - http://www.topmoxie.com/external/builds/upromise/upro1050_310.cab
    O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microsystemsevents.webex.com/client/T25L/nbr/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.lan.mwe.com
    O17 - HKLM\Software\..\Telephony: DomainName = na.lan.mwe.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.lan.mwe.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = na.lan.mwe.com,lan.mwe.com,eu.lan.mwe.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.lan.mwe.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = na.lan.mwe.com,lan.mwe.com,eu.lan.mwe.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.lan.mwe.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = na.lan.mwe.com,lan.mwe.com,eu.lan.mwe.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = na.lan.mwe.com,lan.mwe.com,eu.lan.mwe.com
    O20 - AppInit_DLLs:
    O21 - SSODL: altvxvm - {810A2B38-F413-4A63-AB08-6F6A7A0E426B} - C:\WINDOWS\altvxvm.dll
    O21 - SSODL: WinMon - {d259155b-03f4-455b-a7e5-aa7df9f3f8f9} - C:\WINDOWS\Installer\{d259155b-03f4-455b-a7e5-aa7df9f3f8f9}\WinMon.dll (file missing)
    O21 - SSODL: bokpkov - {14759279-4231-4C95-AEBC-4CD691CCEEAF} - C:\WINDOWS\bokpkov.dll
    O21 - SSODL: zip - {65cf391a-1441-42d6-b0bf-b682f5919663} - C:\WINDOWS\Installer\{65cf391a-1441-42d6-b0bf-b682f5919663}\zip.dll (file missing)
    O21 - SSODL: RomVolume - {0e131af9-4af9-4a7c-be0c-bb5a253c9064} - C:\WINDOWS\Installer\{0e131af9-4af9-4a7c-be0c-bb5a253c9064}\RomVolume.dll (file missing)
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\Conversions Plus\FormatM.exe
    O23 - Service: MarimbaClient - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 12464 bytes
     
    baddassb, Mar 19, 2008
    #4
  5. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    after you ran malwarebytes did you do this:

    * Be sure that everything is checked, and click Remove Selected.

    if not, check for updates then rescan and after the scan click on Remove Selected
     
    echoreply, Mar 19, 2008
    #5
  6. baddassb

    baddassb Regular member

    Joined:
    Jan 22, 2005
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    26
    I PERFORMED A QUICK SCAN BECAUSE THE FULL SCAN RAN FOR SIX HOURS, BUT IT DISPLAYED THE EXACT SAME ITEMS INFECTED.

    THANK YOU VERY, VERY MUCH.

    EVERYTHING IS ACTING NORMAL (NO CONSTANT SPYWARE POPUPS EVERY 30 SECS). TASKMGR WAS DISABLED AND I WAS UNABLE TO USE GPEDIT.MSC TO ENABLE IT, SO I DELETED THE KEY FROM REGISTRY AND IT'S BACK AGAIN.

    AGAIN, THANKS!!! :eek:)
     
    baddassb, Mar 19, 2008
    #6
  7. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    ok good and your welcome. rescan and post a new hjt log.

    echoreply
     
    echoreply, Mar 21, 2008
    #7

Share This Page