Active X issue?
   
bostondub
New Member
Posted 9-25-2008 9:22 (GMT +1)
not sure if this is cuz i have a virus or something.
but i can't seem to watch anything (youtube) videos anymore.. i always get Active X controls not allowed whenever i try to D/L the adobe flash video, i followed the help directions but it still doesn't seem to work.. any ideas?
 
Touch
Forum Moderator
Posted 9-26-2008 11:44 (GMT +1)
Hello :)
 
 
Let's check for (possible) infections ->
 
Click here - >> Before posting a log 
 
 
After you have run the scan tools -
 
Reboot normally
 
Post Hijackthis log along with SuperAntiSpyware log, C:\combofix.txt in this topic
 
Please copy and paste your log. DO NOT add it as an attachment
Kindly do not annotate or format the log with color or font changes.
NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

bostondub
New Member
Posted 9-26-2008 3:31 (GMT +1)
ok i did all that stuff.. here it is.

hijack first .. then combo log.


C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\matambone\Local Settings\Application Data\Microsoft\Messenger\mikey_tambone367@hotmail.com\Sharing Folders\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070208
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070208
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlantictambone.local
O17 - HKLM\Software\..\Telephony: DomainName = atlantictambone.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlantictambone.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7245 bytes



ComboFix 08-09-25.06 - matambone 2008-09-26 10:25:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.590 [GMT -4:00]
Running from: C:\Documents and Settings\matambone\Local Settings\Application Data\Microsoft\Messenger\mikey_tambone367@hotmail.com\Sharing Folders\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
.

2008-09-25 15:49 . 2008-09-25 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-25 15:48 . 2008-09-25 15:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-25 15:48 . 2008-09-25 15:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-25 15:48 . 2008-09-25 15:48 <DIR> d-------- C:\Documents and Settings\matambone\Application Data\SUPERAntiSpyware.com
2008-09-25 15:41 . 2008-09-25 15:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-25 15:41 . 2008-09-25 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 09:07 . 2008-09-19 09:07 <DIR> d-------- C:\Program Files\Sun
2008-09-18 13:57 . 2008-09-18 13:57 <DIR> d-------- C:\Program Files\NOS
2008-09-18 13:57 . 2008-09-18 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-18 09:36 . 2008-09-18 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-17 16:16 . 2008-09-18 09:16 19,968 --a------ C:\0xf9.exe
2008-09-17 10:20 . 2008-09-17 10:20 <DIR> d-------- C:\Documents and Settings\matambone\Application Data\Blackboard
2008-09-17 10:19 . 2008-09-17 10:19 <DIR> d-------- C:\Program Files\Agilix
2008-09-17 10:19 . 2008-09-17 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Agilix
2008-09-17 10:19 . 2008-04-22 15:42 167,936 -ra------ C:\WINDOWS\system32\GBInf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 13:07 --------- d-----w C:\Program Files\Java
2008-09-18 18:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-26 13:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 17:50 29,760 ----a-w C:\WINDOWS\system32\OcXEMIpT.exe
.

------- Sigcheck -------

2004-08-04 06:00 17408 d8146cc608298075cd0719bfe8174a0a C:\WINDOWS\system32\svchost.exe

2004-08-04 06:00 506368 12d930ed1b1d9750b968f7bf2d2fc433 C:\WINDOWS\system32\winlogon.exe

2004-08-04 06:00 1034752 fc0fc8cf6a8a0e53217eec118080b086 C:\WINDOWS\explorer.exe

2004-08-04 06:00 110592 b8e84105f02ac1f0ec418467baa52f35 C:\WINDOWS\system32\services.exe

2004-08-04 06:00 14848 a2d0fec33d9127e62f5a552feebf106a C:\WINDOWS\system32\lsass.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 19:53 58880 25fab8550338de845ada9d26b6c7e490 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 68856]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-03-21 69632]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 143360]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-02-08 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\NCLAUNCH.EXe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2006-09-14 3456]
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NapsterShell - C:\Program Files\Napster\napster.exe
HKU-Default-RunOnce-FlashPlayerUpdate - C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
SSODL-pCouxmpsyKaQ-{1CC41AAE-B66E-B004-6107-3EBC57F81029} - C:\WINDOWS\system32\rod.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070208
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-26 10:27:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-26 10:28:09
ComboFix-quarantined-files.txt 2008-09-26 14:28:06

Pre-Run: 70,802,333,696 bytes free
Post-Run: 70,826,844,160 bytes free

112

bostondub
New Member
Posted 9-26-2008 5:04 (GMT +1)
actually all is good... i think.. back to normal.. just had to reset couple of things WOOT!

Touch
Forum Moderator
Posted 9-27-2008 6:56 (GMT +1)
Sounds good :)
 
 
Can you check these files for me, as they look suspicious -
 
Show hidden files:
1. Click Start button, then go to Programs, Accessories and click on Windows Explorer.
2. Select the Tools menu and click Folder Options.
3. Select the View Tab.
4. Under the "Hidden files and folders" heading please check Show hidden files and folders.
5. Uncheck the Hide protected operating system files (Recommended) option.
6. Click Yes to confirm.
7. Click OK.
 
Please upload and have these files scanned:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rod.dll
 
 
Here
 
 
 
 
Post back the results
 

