Home Computer is a complete mess


dgmartin96
Hello,

 

I believe my computer is badly infected. My kids use it quite a bit and I think they may have downloaded something.

 

I ran Malwarebytes and it found 400+ infections. It asked to reboot the computer and I did. The computer would not reboot; I got a BSOD. I did a repair install using a retail Windows XP CD. After that the computer would boot to the login screen. I would click on Owner and it would start to log on, then log off and go back to the login screen. I tried in Safe Mode and it did the same thing.

 

Finally, I used a BartPE boot CD and had to correct the userinit.exe. The computer booted up after that.

 

I'm not sure what to do next. Here is a HJT log.

 

Please help.

 

Thanks,

Doug

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:54:15 AM, on 9/19/2003

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\WINDOWS\System32\WgaTray.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phoenix.cox.net/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\Owner.FIRECHEEKS\Application Data\Smilebox\SmileboxTray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.FIRECHEEKS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm082YYUS

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.buy-internetsecurity10.com

O15 - Trusted Zone: http://*.buy-is2010.com

O15 - Trusted Zone: http://*.is-software-download.com

O15 - Trusted Zone: http://*.is-software-download25.com

O15 - Trusted Zone: http://*.is10-soft-download.com

O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)

O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180123984093

O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: NameServer = 93.188.164.116,93.188.161.100

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.116,93.188.161.100

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.116,93.188.161.100

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.116,93.188.161.100

O18 - Filter hijack: text/html - {e7943e01-36a0-4752-8e7f-feee88b4be73} - C:\WINDOWS\mark_32.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Update Service (gupdate1c990acf975a542) (gupdate1c990acf975a542) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

 

--

End of file - 11293 bytes


Hi and welcome

Print this topic or save it to Notepad; it will make it easier for you to follow the instructions and complete all of the necessary steps, as we will need to close all windows that are open later in the fix.

Please download WinHelp2002's DelDomains.inf to your Desktop by right-clicking on the following link and choosing "Save Target As":

http://www.mvps.org/winhelp2002/DelDomains.inf

Then go to the Desktop, right-click on DelDomains.inf and choose Install. You may not see any noticeable changes or prompts; this is normal.

Then please restart your computer.

Note: You will have to re-immunize SpywareBlaster, IE-SPYAD, and/or Spybot after doing this if you were using these features before.

Open HijackThis, click "Do a system scan only", and checkmark these. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O15 - Trusted Zone: http://*.buy-internetsecurity10.com

O15 - Trusted Zone: http://*.buy-is2010.com

O15 - Trusted Zone: http://*.is-software-download.com

O15 - Trusted Zone: http://*.is-software-download25.com

O15 - Trusted Zone: http://*.is10-soft-download.com

O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)

O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)

 

If by chance you live in Ukraine, then leave the O17 items below out. Otherwise let HJT fix the items below:

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: NameServer = 93.188.164.116,93.188.161.100

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.116,93.188.161.100

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.116,93.188.161.100

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.116,93.188.161.100

 

O18 - Filter hijack: text/html - {e7943e01-36a0-4752-8e7f-feee88b4be73} - C:\WINDOWS\mark_32.dll

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.

 

Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key.
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Double-click on SmitfraudFix.exe to start the tool.

Select option #2 - Clean by typing 2 and pressing Enter. You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hitting Enter.

 

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hitting Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot into Normal Mode.

 

The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or of the partition where your operating system is installed.

Please post that log along with all others requested in your next reply.

 

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs; therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: running option #2 on a non-infected computer will remove your Desktop background.

NEXT**

 

Double-click on SmitfraudFix.exe to start the tool.

Select option #3 - Delete Trusted zone by typing 3 and pressing Enter.

Answer Yes to the question "Restore Trusted Zone?" by typing Yes and pressing Enter.

Notes

 

1. If you use SpywareBlaster and/or IE-SPYAD it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

2. As many of the variants of Smitfraud have begun invading the Hosts file, this tool will reset your Hosts file as a necessary precaution. You will also have to reset any specific modifications you may require such as Hosts MVPS.

 

Open the SmitfraudFix folder on your desktop and double-click smitfraudfix.cmd

 

Select option #5 - "Search and Clean DNS Hijack" by typing 5 and pressing "Enter" to delete the rogue settings.

 

Follow the prompts and reboot if asked to do so.

~~~~~~~~~~~~~~~~~~~~

NEXT**

 

Download OTM by OldTimer here and save it to your desktop.

  • Double-click on OTM.exe to run it.
  • Copy and paste the contents of the Code box below, beginning with :Files, into "Paste Instructions for Items to be Moved".

Note: Do not type it out, to minimize the risk of typos.

:Files
C:\WINDOWS\mark_32.dll

:Commands
[purity]
[emptytemp]
[Reboot]

  • Click on MoveIt!
  • When done, click on Exit.

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

In your next reply post:

C:\rapport.txt

OTM log

new HJT log

You may need several replies to post the requested logs, otherwise they might get cut off.
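As an added example for this thread (not HijackThis, Malwarebytes or the helper's own tooling), the script below runs the helper's triage over HJT log lines copied from the log above: it flags O15 Trusted Zone entries, O17 NameServer values that differ from the DHCP-assigned resolvers recorded in the SmitfraudFix log later in the thread, O18 filter hijacks and orphaned "(no file)" registrations.

```python
"""
Triage of HijackThis (HJT) log lines for the hijack classes the helper picked
out in this thread: O15 Trusted Zone additions, O17 NameServer overrides,
O18 MIME-filter hijacks and orphaned "(no file)" registrations.

Added example for this thread, not a HijackThis or Malwarebytes tool.  The
sample lines are copied from the log posted above; the DHCP-assigned DNS
servers come from the DhcpNameServer values in the SmitfraudFix log posted
later in the thread.
"""
import re
from dataclasses import dataclass

# Resolvers the machine legitimately received over DHCP (from the posted
# SmitfraudFix log).  Anything else in an O17 NameServer value is suspect.
DHCP_SERVERS = {"192.168.1.1", "192.168.2.1",
                "68.105.28.11", "68.105.29.11", "68.105.28.12"}

# Sample lines taken from the HJT log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.116,93.188.161.100
O18 - Filter hijack: text/html - {e7943e01-36a0-4752-8e7f-feee88b4be73} - C:\WINDOWS\mark_32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,\s]+)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O17"
    reason: str    # why a reviewer should look at it
    line: str      # the offending log line


def unexpected_nameservers(servers_field, trusted=DHCP_SERVERS):
    """Return the resolvers in a NameServer value that were not handed out by
    DHCP.  HJT writes them comma-separated; SmitfraudFix uses spaces."""
    return [s for s in re.split(r"[,\s]+", servers_field.strip())
            if s and s not in trusted]


def triage(log_text, trusted=DHCP_SERVERS):
    """Walk an HJT log and return the lines that match the thread's fix list."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O15":
            # Rogue AV sellers add their domains so IE runs their installers unprompted.
            findings.append(Finding(section, "IE Trusted Zone entry", line))
        elif section == "O17":
            m = O17_RE.match(line)
            if m:
                bad = unexpected_nameservers(m.group("servers"), trusted)
                if bad:
                    findings.append(Finding(section, "DNS override to " + ", ".join(bad), line))
        elif section == "O18" and "Filter hijack" in line:
            # A MIME filter DLL sees (and can rewrite) every text/html response.
            findings.append(Finding(section, "MIME filter hijack", line))
        elif line.endswith("(no file)"):
            # Registration left behind after the DLL was deleted: harmless but worth removing.
            findings.append(Finding(section, "orphaned registration", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason:<45}{f.line}")
```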


Hello. Here is the rapport.txt you requested. I am posting two because one was generated after options 2 and 5.

 

1.

 

SmitFraudFix v2.424

 

Scan done at 1:07:25.93, Fri 09/19/2003

Run from C:\Documents and Settings\Owner.FIRECHEEKS\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

 

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

 

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\system32\msdrives\ Deleted

C:\Program Files\Google\googletoolbar1.dll Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

 

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

 

Agent.OMZ.Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

 

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» RK

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3101822B-BD0F-4D3E-8F6D-FEC3B0E1F539}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5AFABB26-BF5B-4490-BBED-4043908E2162}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS1\Services\Tcpip\..\{3101822B-BD0F-4D3E-8F6D-FEC3B0E1F539}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS1\Services\Tcpip\..\{5AFABB26-BF5B-4490-BBED-4043908E2162}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS1\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS2\Services\Tcpip\..\{3101822B-BD0F-4D3E-8F6D-FEC3B0E1F539}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS2\Services\Tcpip\..\{5AFABB26-BF5B-4490-BBED-4043908E2162}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS2\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS2\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: NameServer=93.188.164.116,93.188.161.100

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» RK.2

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

2.

 

SmitFraudFix v2.424

 

Scan done at 1:22:20.48, Fri 09/19/2003

Run from C:\Documents and Settings\Owner.FIRECHEEKS\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

 

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport

DNS Server Search Order: 192.168.1.1

DNS Server Search Order: 68.105.28.11

DNS Server Search Order: 68.105.29.11

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3101822B-BD0F-4D3E-8F6D-FEC3B0E1F539}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5AFABB26-BF5B-4490-BBED-4043908E2162}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS1\Services\Tcpip\..\{3101822B-BD0F-4D3E-8F6D-FEC3B0E1F539}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS1\Services\Tcpip\..\{5AFABB26-BF5B-4490-BBED-4043908E2162}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS1\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS2\Services\Tcpip\..\{3101822B-BD0F-4D3E-8F6D-FEC3B0E1F539}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS2\Services\Tcpip\..\{5AFABB26-BF5B-4490-BBED-4043908E2162}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS2\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS2\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: NameServer=93.188.164.116,93.188.161.100

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

 

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport

DNS Server Search Order: 192.168.1.1

DNS Server Search Order: 68.105.28.11

DNS Server Search Order: 68.105.29.11

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3101822B-BD0F-4D3E-8F6D-FEC3B0E1F539}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5AFABB26-BF5B-4490-BBED-4043908E2162}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS1\Services\Tcpip\..\{3101822B-BD0F-4D3E-8F6D-FEC3B0E1F539}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS1\Services\Tcpip\..\{5AFABB26-BF5B-4490-BBED-4043908E2162}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS1\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS2\Services\Tcpip\..\{3101822B-BD0F-4D3E-8F6D-FEC3B0E1F539}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS2\Services\Tcpip\..\{5AFABB26-BF5B-4490-BBED-4043908E2162}: DhcpNameServer=192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

HKLM\SYSTEM\CS2\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS2\Services\Tcpip\..\{DBE16025-2F99-4517-8B60-C1CE8596DE14}: NameServer=93.188.164.116,93.188.161.100

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 68.105.28.11 68.105.29.11


Here is OTM

 

All processes killed

========== FILES ==========

File/Folder C:\WINDOWS\mark_32.dll not found.

========== COMMANDS ==========

C:\WINDOWS\Аdobe folder moved successfully.

C:\WINDOWS\System32\Ѕymantec folder moved successfully.

C:\WINDOWS\System32\sуstem32\sуstem32 folder moved successfully.

C:\WINDOWS\System32\sуstem32 folder moved successfully.

C:\Program Files\ѕуstem\ѕуstem folder moved successfully.

C:\Program Files\ѕуstem folder moved successfully.

C:\Program Files\Common Files\Sуmantec\Sуmantec folder moved successfully.

C:\Program Files\Common Files\Sуmantec folder moved successfully.

 

[EMPTYTEMP]

 

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 23138068 bytes

->Java cache emptied: 947613 bytes

 

User: Administrator.FIRECHEEKS

->Temp folder emptied: 622592 bytes

->Temporary Internet Files folder emptied: 1799645 bytes

 

User: All Users

 

User: All Users.WINDOWS

 

User: Connie Frank

->Temp folder emptied: 144437887 bytes

->Temporary Internet Files folder emptied: 224194703 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32768 bytes

 

User: Default User.WINDOWS

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

User: Douglas Frank

 

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 141018 bytes

 

User: Kelsey Frank

->Temp folder emptied: 254875642 bytes

->Temporary Internet Files folder emptied: 27516083 bytes

->Java cache emptied: 953332 bytes

 

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 172130 bytes

 

User: LocalService.NT AUTHORITY

->Temp folder emptied: 65984 bytes

->Temporary Internet Files folder emptied: 63501 bytes

 

User: Melissa Frank

->Temp folder emptied: 59533815 bytes

->Temporary Internet Files folder emptied: 1298394 bytes

->Java cache emptied: 337258 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: NetworkService.NT AUTHORITY

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 1891504 bytes

 

User: Owner

 

User: Owner.FIRECHEEKS

->Temp folder emptied: 4146488841 bytes

->Temporary Internet Files folder emptied: 524165194 bytes

->Java cache emptied: 94057653 bytes

->Google Chrome cache emptied: 156267550 bytes

 

User: OWNER~1~FIR

 

%systemdrive% .tmp files removed: 388343 bytes

%systemroot% .tmp files removed: 17503037 bytes

%systemroot%\System32 .tmp files removed: 2691651 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 50044649 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23950824 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33728 bytes

RecycleBin emptied: 38917 bytes

 

Total Files Cleaned = 5,491.00 mb

 

 

OTM by OldTimer - Version 3.1.8.0 log created on 09192003_012613

 

Files moved on Reboot...

File C:\Documents and Settings\Owner.FIRECHEEKS\Local Settings\Temp\Temporary Internet Files\Content.IE5\KZANAX6X\v=5;m=2;l=5613;cxt=90000232_1271742-90000232_1271742-90000232_0;kw=;ts=914216;smuid=yM1iSPTKDV0xJA;p=ui%3DyM1iSPTKDV0xJA%3Btr%3DU_luMKbflJB%3Btm%3D0-0[1] not found!

File C:\Documents and Settings\Owner.FIRECHEEKS\Local Settings\Temp\Temporary Internet Files\Content.IE5\J21XD09L\200x-1209600,http%3A%2F%2Fd.yimg.com%2Fa%2Fp%2Fumedia%2F20090406%2Fcp.2fc85316a129037f15a6ccdf73e1750b.gif%3Fx%3D201%26y%3D64%26q%3D85%26sig%3Dozm0[1].jpg not found!

File C:\Documents and Settings\Owner.FIRECHEEKS\Local Settings\Temp\Temporary Internet Files\Content.IE5\J21XD09L\v=5;m=2;l=5614;cxt=90000232_1271741-90000232_1271741-90000232_0;kw=;ts=908648;smuid=yM1iSPTKDV0xJA;p=ui%3DyM1iSPTKDV0xJA%3Btr%3Dkjo29yc8eQE%3Btm%3D0-0[1] not found!

 

Registry entries deleted on Reboot...


And finally, here is a new HijackThis log.

Oh, and thanks a lot.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:04:12 AM, on 9/19/2003

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\notepad.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\Owner.FIRECHEEKS\Application Data\Smilebox\SmileboxTray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.FIRECHEEKS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm082YYUS

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180123984093

O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O18 - Filter hijack: text/html - {e7943e01-36a0-4752-8e7f-feee88b4be73} - C:\WINDOWS\mark_32.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Update Service (gupdate1c990acf975a542) (gupdate1c990acf975a542) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

 

--

End of file - 9999 bytes

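A helper reading a HijackThis log like the one above does not go line by line; the first pass looks for a few entry shapes that are almost never benign. The script below is an added example, not part of the original thread and not HijackThis's own code: it parses the O2/O3, O4, O18 and O23 line formats seen in the log and ranks the entries a removal helper would pull out first. The sample lines are copied from the log above; the severity rules and the "known adware" names (taken from what Malwarebytes later identifies in this thread) are this example's own assumptions.

```python
"""Triage of HijackThis (HJT) log lines.

Added example; not from the thread above and not HijackThis code. The
rules below are this example's own choices, not HJT's scoring.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O18"
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\Owner.FIRECHEEKS\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O18 - Filter hijack: text/html - {e7943e01-36a0-4752-8e7f-feee88b4be73} - C:\WINDOWS\mark_32.dll
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Line shapes as HJT 2.0.x prints them.
COM_RE = re.compile(r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
FILTER_RE = re.compile(r"^O18 - Filter hijack: (?P<mime>\S+) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# User-writable profile locations: an autorun living here needs an owner.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
# Names Malwarebytes flags as adware later in this thread (assumption: treated as known-bad here).
KNOWN_ADWARE = ("mywebsearch", "mywebs~1", "funweb")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    low = line.lower()

    m = FILTER_RE.match(line)
    if m:
        # A MIME filter on text/html sees every page IE renders before the
        # parser does; a bare DLL under C:\WINDOWS with no product behind it
        # is the classic shape of a browser hijack.
        return Finding("O18", "high",
                       f"MIME filter on {m['mime']} loads {m['path']}; verify the DLL's publisher", line)

    m = COM_RE.match(line)
    if m:
        if m["path"].strip() == "(no file)":
            return Finding(f"O{m['sec']}", "low",
                           "orphaned CLSID registration (no file on disk); safe to remove", line)
        return None

    m = RUN_RE.match(line)
    if m:
        if any(tag in low for tag in KNOWN_ADWARE):
            return Finding("O4", "high", f"autorun for known adware: [{m['name']}]", line)
        if any(loc in low for loc in USER_WRITABLE):
            return Finding("O4", "medium",
                           f"autorun from a user-writable profile directory: [{m['name']}]", line)
        return None

    m = SVC_RE.match(line)
    if m:
        if "(file missing)" in m["path"] or m["owner"] == "Unknown owner":
            return Finding("O23", "medium",
                           f"service '{m['name']}' has no verifiable owner or binary; remove the stale registration", line)
        return None

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every non-empty line; highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    return sorted(found, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.reason}")
```

On the sample this surfaces the O18 text/html filter and the MyWebSearch autorun first, then the per-user Smilebox autorun and the orphaned GameGuard service, and the BHO with no file last. Only the O18 and the adware line need immediate action; the rest are cleanup.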

Smitfraud did its job.

 

 

 

NEXT**

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

NEXT**

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.

The below scan can take up to an hour or longer, so please be patient.

 

*Note

It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

 

 

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/d...n=1260122209224

Other available links

Kaspersky Online Scanner or from here

http://www.kaspersky.com/virusscanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page, in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar
  • In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

 

(Note.. for Internet Explorer 7 users:

If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

 

 

In your next reply post:

MalwareBytes AntiMalware log

Kaspersky log

New HJT log taken after the above scans have run

 

 

You may need several replies to post the requested logs, otherwise they might get cut off.


Hello,

 

Here is the log from malwarebytes. I'll post the other logs shortly.

 

Malwarebytes' Anti-Malware 1.44

Database version: 3739

Windows 5.1.2600 Service Pack 1

Internet Explorer 6.0.2800.1106

 

9/19/2003 3:41:53 AM

mbam-log-2003-09-19 (03-41-53).txt

 

Scan type: Quick Scan

Objects scanned: 207105

Time elapsed: 39 minute(s), 24 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 13

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\SYSTEM32\CONFIG\48644888.Evt (Rootkit.Agent.H) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\6795.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\18467.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\24943.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\29076.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\30077.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\30865.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\PDCOMP.sys (Trojan.Proxy.Saturn) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\PDFRAME.sys (Trojan.Proxy.Saturn) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\PDRELI.sys (Trojan.Proxy.Saturn) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\PDRFRAME.sys (Trojan.Proxy.Saturn) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\WDICA.sys (Trojan.Proxy.Saturn) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\MCSTRM.sys (Trojan.Proxy.Saturn) -> Quarantined and deleted successfully.


Good deal

 

How's the computer now?

 

 

It is running better. All of the pop ups are gone and it's not freezing up anymore. The computer is still a little sluggish, but overall much better.

 

As for Kaspersky, I can't run it. It fails half way through updating the database. I've tried restarting the computer, but that didn't help. Is there anything else I should try to do to get it to run?


It is running better. All of the pop ups are gone and it's not freezing up anymore. The computer is still a little sluggish, but overall much better.

Good deal, we'll try to work on sluggish in a while.

 

 

 

Perform an online scan with Panda ActiveScan

  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To


  • Export the log and save it to your desktop.
  • Please post the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

 

Avast users note:

 

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.

 

Note that Panda may take a couple of hours to scan your system.

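The export these steps produce is a plain-text table (the poster's copy appears below in the thread), and its headline count is misleading: most rows are tracking cookies, copies inside System Restore points, or files belonging to the SmitfraudFix package the helper had the poster run earlier. The script below is an added example, not part of the thread and not Panda's code: it parses the MALWARE and SUSPECTS sections of that export and sorts each row into the bucket a helper would act on. The rows in the sample are copied from the poster's report except the cookie file name, which is constructed; the bucket names and the rule that a file name first seen under a smitfraudfix folder is a tool copy elsewhere are this example's assumptions.

```python
"""Bucket the rows of a Panda ActiveScan text export.

Added example; not from the thread and not Panda's own code. Bucket
rules are this example's assumptions about what a helper acts on.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the export format of the report posted below
# (rows copied from it except the made-up cookie file name).
SAMPLE_REPORT = r"""
;**********
ANALYSIS: 2010-02-14 20:50:26
MALWARE: 9
SUSPECTS: 2
;**********
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;==========
00034463 adware/wupd Adware No 0 Yes No c:\program files\windows syncroad
00115737 Application/FunWeb HackTools No 0 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0624425.dll
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas frank@adnetwork.example[2].txt
00379773 Adware/VideoCach Adware No 0 Yes No c:\documents and settings\douglas frank\local settings\temp\install2.bat
00484705 Application/IEDefender HackTools No 0 Yes No c:\documents and settings\owner.firecheeks\desktop\smitfraudfix\smitfraudfix\iedfix.c.exe
00484705 Application/IEDefender HackTools No 0 Yes No c:\windows\system32\iedfix.c.exe
00921467 Generic Malware Virus/Trojan No 0 Yes No c:\documents and settings\owner.firecheeks\desktop\smitfraudfix.zip[smitfraudfix/404fix.exe]
00921467 Generic Malware Virus/Trojan No 0 Yes No c:\windows\system32\404fix.exe
05916634 Generic Trojan Virus/Trojan No 0 Yes No c:\documents and settings\owner.firecheeks\igloader files\bestfriends\bestfriends.dll
;==========
SUSPECTS
Sent Location
;==========
No c:\windows\system32\drivers\sshdrv65.sys
No c:\program files\dell\media experience\pcmservice.exe
"""

# Description may contain spaces, so match lazily up to the fixed-shape columns.
MALWARE_RE = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) (?P<active>Yes|No) (?P<sev>\d) "
    r"(?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<loc>.+)$")
SUSPECT_RE = re.compile(r"^(?P<sent>Yes|No) (?P<loc>.+)$")
RESTORE_PREFIX = r"c:\system volume information\_restore"


def basename(loc: str) -> str:
    """Last path component, lower-cased; handles the 'archive.zip[inner/file]' form."""
    return re.split(r"[\\/]", loc.rstrip("]"))[-1].lower()


def parse(report: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (malware rows, suspect locations) from the exported text."""
    malware, suspects, section = [], [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # banner and rule lines
        if line in ("PROTECTIONS", "MALWARE", "SUSPECTS"):
            section = line
            continue
        if section == "MALWARE":
            m = MALWARE_RE.match(line)    # column-header line does not match
            if m:
                malware.append(m.groupdict())
        elif section == "SUSPECTS":
            m = SUSPECT_RE.match(line)
            if m:
                suspects.append(m["loc"])
    return malware, suspects


def triage(report: str) -> Dict[str, List[str]]:
    """Group every finding by what a helper should do about it."""
    malware, suspects = parse(report)
    # File names shipped inside the SmitfraudFix folder or zip; the same
    # names elsewhere on disk are copies that tool placed, not new infections.
    tool_names = {basename(r["loc"]) for r in malware if "smitfraudfix" in r["loc"].lower()}
    buckets: Dict[str, List[str]] = {}
    for r in malware:
        loc = r["loc"].lower()
        if r["active"] == "Yes":
            b = "active"                  # running now: deal with first
        elif r["type"] == "TrackingCookie":
            b = "tracking cookie"         # privacy noise, no code execution
        elif loc.startswith(RESTORE_PREFIX):
            b = "restore point copy"      # inert unless a restore is performed
        elif "smitfraudfix" in loc or basename(loc) in tool_names:
            b = "removal tool file"
        else:
            b = "dormant file"            # on disk, not running; still remove
        buckets.setdefault(b, []).append(r["loc"])
    for loc in suspects:
        # An unclassified kernel driver is the one suspect worth a closer look.
        b = "suspect driver" if loc.lower().endswith(".sys") else "suspect"
        buckets.setdefault(b, []).append(loc)
    return buckets


def summary(report: str) -> Dict[str, int]:
    """Counts per bucket."""
    return {k: len(v) for k, v in triage(report).items()}


if __name__ == "__main__":
    for bucket, locs in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(locs)}")
```

On the sample, nine "malware" rows reduce to three dormant files worth deleting, four SmitfraudFix components, one restore-point copy and one cookie, while the unclassified driver under system32\drivers is the entry to follow up on.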

Here is the panda scan. It looks like it found quite a bit.

 

;***********************************************************************************************************************************************************************************

ANALYSIS: 2010-02-14 20:50:26

PROTECTIONS: 1

MALWARE: 67

SUSPECTS: 43

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

Trend Micro Internet Security 16.10.2012 Yes Yes

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00020302 adware/ncase Adware No 0 Yes No c:\temp\fleok

00034463 adware/wupd Adware No 0 Yes No c:\program files\windows syncroad

00041904 adware/sidesearch Adware No 0 Yes No c:\program files\lycos

00115737 Application/FunWeb HackTools No 0 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0624425.dll

00115738 Application/FunWeb HackTools No 0 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0624424.dll

00116104 Application/FunWeb HackTools No 0 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0624423.dll

00123310 HackTool/SRunner.B HackTools No 0 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1097\a0612408.exe

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][2].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\owner.firecheeks\cookies\[email protected][1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\administrator.firecheeks\cookies\[email protected][1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\owner.firecheeks\cookies\[email protected][2].txt

00145454 Cookie/Centralmedia TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][2].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00145739 Cookie/Abetterinternet TrackingCookie No 0 Yes No c:\documents and settings\connie frank\cookies\connie [email protected][2].txt

00145739 Cookie/Abetterinternet TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][1].txt

00145745 Cookie/OfferOptimizer TrackingCookie No 0 Yes No c:\documents and settings\connie frank\cookies\connie [email protected][2].txt

00145745 Cookie/OfferOptimizer TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][2].txt

00147796 Cookie/Entrepreneur TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00152401 Cookie/Belnk TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\local settings\temp\cookies\douglas [email protected][1].txt

00157143 Cookie/MyWay TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][1].txt

00159564 Cookie/WUpd TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][2].txt

00161883 Cookie/Twain-Tech TrackingCookie No 0 Yes No c:\documents and settings\connie frank\cookies\connie [email protected][2].txt

00161883 Cookie/Twain-Tech TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][1].txt

00162730 Cookie/Belnk TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\local settings\temp\cookies\douglas [email protected][1].txt

00167690 Cookie/Rightmedia TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][2].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No c:\documents and settings\connie frank\cookies\connie [email protected][1].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\[email protected][1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][2].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][3].txt

00169288 Cookie/Gorillanation TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][2].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00175637 Cookie/TopRebates.com TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\[email protected][2].txt

00176497 Cookie/Twain-Tech TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][2].txt

00176498 Cookie/Twain-Tech TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][2].txt

00186469 Cookie/Reliablestats TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][2].txt

00186561 Cookie/Banner TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\local settings\temp\cookies\douglas [email protected][1].txt

00187950 Cookie/bravenetA TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][1].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00200862 Cookie/Btgrab TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][2].txt

00200862 Cookie/Btgrab TrackingCookie No 0 Yes No c:\documents and settings\connie frank\cookies\connie [email protected][2].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][1].txt

00208670 Spyware/New.net Spyware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625622.exe

00216065 Cookie/Screensavers TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][2].txt

00247966 Spyware/New.net Spyware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625623.exe

00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\connie frank\cookies\connie [email protected][1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\[email protected][1].txt

00286738 Cookie/Cgi-bin TrackingCookie No 0 Yes No c:\documents and settings\melissa frank\cookies\melissa [email protected][2].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][2].txt

00296582 Cookie/DriveCleaner TrackingCookie No 0 Yes No c:\documents and settings\kelsey frank\cookies\kelsey [email protected][1].txt

00296583 Cookie/DriveCleaner TrackingCookie No 0 Yes No c:\documents and settings\kelsey frank\cookies\kelsey [email protected][2].txt

00296584 Cookie/DriveCleaner TrackingCookie No 0 Yes No c:\documents and settings\kelsey frank\cookies\kelsey [email protected][2].txt

00320978 Cookie/Winantivirus TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00320978 Cookie/Winantivirus TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][2].txt

00351416 Cookie/Systemdoctor TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00379773 Adware/VideoCach Adware No 0 Yes No c:\documents and settings\douglas frank\local settings\temp\install2.bat

00379773 Adware/VideoCach Adware No 0 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0624467.bat

00484705 Application/IEDefender HackTools No 0 Yes No c:\documents and settings\owner.firecheeks\desktop\smitfraudfix\smitfraudfix\iedfix.c.exe

00484705 Application/IEDefender HackTools No 0 Yes No c:\documents and settings\owner.firecheeks\desktop\smitfraudfix.zip[smitfraudfix/iedfix.c.exe]

00484705 Application/IEDefender HackTools No 0 Yes No c:\windows\system32\iedfix.c.exe

00505449 Cookie/Winantivirus TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1034\a0574030.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1032\a0573960.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1037\a0575255.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1037\a0575356.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1038\a0575371.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1038\a0575407.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1039\a0575434.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1039\a0575474.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1040\a0575557.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1042\a0575688.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1042\a0575723.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1043\a0575740.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1033\a0574013.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1032\a0573918.exe

00519271 Adware/CWS.Searchmeup Adware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1034\a0574148.exe

00921467 Generic Malware Virus/Trojan No 0 Yes No c:\documents and settings\owner.firecheeks\desktop\smitfraudfix\smitfraudfix\404fix.exe

00921467 Generic Malware Virus/Trojan No 0 Yes No c:\windows\system32\404fix.exe

00921467 Generic Malware Virus/Trojan No 0 Yes No c:\documents and settings\owner.firecheeks\desktop\smitfraudfix.zip[smitfraudfix/404fix.exe]

02887262 Spyware/New.net Spyware No 1 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625816.dll

02901878 Adware/OneStep Adware No 0 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625817.exe

02908816 Cookie/Starware TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\local settings\temp\cookies\douglas [email protected][2].txt

02908816 Cookie/Starware TrackingCookie No 0 Yes No c:\documents and settings\douglas frank\cookies\douglas [email protected][1].txt

04907258 Adware/CWS Adware No 0 Yes No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1043\a0575737.exe

05916634 Generic Trojan Virus/Trojan No 0 Yes No c:\documents and settings\owner.firecheeks\igloader files\bestfriends\bestfriends.dll

;===================================================================================================================================================================================

SUSPECTS

Sent Location

;===================================================================================================================================================================================

No c:\windows\system32\drivers\sshdrv65.sys

No c:\documents and settings\owner.firecheeks\igloader files\zenpuzzlegarden\zenpuzzlegarden.dll

No c:\program files\dell\media experience\pcmservice.exe

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1092\a0592137.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625636.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625637.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625640.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625641.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625645.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625646.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625649.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625652.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625665.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625673.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625677.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625679.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625693.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625701.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625721.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625725.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625726.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625728.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625730.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625732.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625733.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625735.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625755.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625756.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625771.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625772.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625773.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625778.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625779.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625782.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625784.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625788.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625793.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625796.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625797.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625798.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625804.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625807.dll

No c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp1098\a0625818.exe

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description

;===================================================================================================================================================================================

133387 MEDIUM MS06-065

133386 MEDIUM MS06-064

133385 MEDIUM MS06-063

133379 HIGH MS06-057

131654 HIGH MS06-055

129977 MEDIUM MS06-053

129976 MEDIUM MS06-052

126093 HIGH MS06-051

126092 MEDIUM MS06-050

126087 HIGH MS06-046

126086 MEDIUM MS06-045

126083 HIGH MS06-042

126082 HIGH MS06-041

126081 HIGH MS06-040

123421 HIGH MS06-036

123420 HIGH MS06-035

120825 MEDIUM MS06-032

120823 MEDIUM MS06-030

120818 HIGH MS06-025

120815 HIGH MS06-022

120814 HIGH MS06-021

117384 MEDIUM MS06-018

114666 HIGH MS06-015

114664 HIGH MS06-013

111790 MEDIUM MS06-011

108744 MEDIUM MS06-008

108743 MEDIUM MS06-007

108742 MEDIUM MS06-006

104567 HIGH MS06-002

104237 HIGH MS06-001

101055 HIGH MS05-054

96574 HIGH MS05-053

93396 HIGH MS05-052

93395 HIGH MS05-051

93454 MEDIUM MS05-049

;===================================================================================================================================================================================


Download OTM by OldTimer Here & save it to your desktop.

  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved
Note: Do not type it out, to minimize the risk of typos

:Files
C:\Program Files\Windows SyncroAd
c:\temp\fleok
c:\program files\lycos
c:\documents and settings\douglas frank\local settings\temp\install2.bat
c:\documents and settings\owner.firecheeks\igloader files\bestfriends
:Commands
[purity]
[emptytemp]
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

In your next reply post:

OTM log

new HJT log

How's your computer now?


Hello.

Here are the OTM and HJT logs.

My computer is running a lot better. The browser still seems to be a little slow, and when I turn on the computer it is giving me a warning that the system battery is low and the time resets to September 2003. I'm thinking the CMOS battery on the motherboard may need to be changed. I'll try that once we are all done.

 

OTM

 

All processes killed

========== FILES ==========

C:\Program Files\Windows SyncroAd folder moved successfully.

c:\temp\FLEOK folder moved successfully.

c:\program files\Lycos folder moved successfully.

File/Folder c:\documents and settings\douglas frank\local settings\temp\install2.bat not found.

c:\documents and settings\owner.firecheeks\igloader files\bestfriends folder moved successfully.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

 

User: Administrator.FIRECHEEKS

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: All Users

 

User: All Users.WINDOWS

 

User: Connie Frank

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Default User.WINDOWS

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Douglas Frank

 

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Kelsey Frank

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

 

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: LocalService.NT AUTHORITY

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 184825 bytes

 

User: Melissa Frank

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: NetworkService.NT AUTHORITY

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Owner

 

User: Owner.FIRECHEEKS

->Temp folder emptied: 95977363 bytes

->Temporary Internet Files folder emptied: 5174944 bytes

->Java cache emptied: 261706 bytes

->Google Chrome cache emptied: 0 bytes

 

User: OWNER~1~FIR

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 16246 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

 

Total Files Cleaned = 97.00 mb

 

 

OTM by OldTimer - Version 3.1.8.0 log created on 09192003_000805

 

Files moved on Reboot...

 

Registry entries deleted on Reboot...

 

 

HJT

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:41:38 AM, on 2/15/2010

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O18 - Filter hijack: text/html - {e7943e01-36a0-4752-8e7f-feee88b4be73} - C:\WINDOWS\mark_32.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Update Service (gupdate1c990acf975a542) (gupdate1c990acf975a542) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

 

--

End of file - 7652 bytes


Logs look pretty good; let's run a quick MBAM scan to confirm.

 

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Ran malwarebytes and it found one item. Here is the log.

 

Malwarebytes' Anti-Malware 1.44

Database version: 3741

Windows 5.1.2600 Service Pack 1

Internet Explorer 6.0.2800.1106

 

2/15/2010 12:35:01 PM

mbam-log-2010-02-15 (12-35-01).txt

 

Scan type: Quick Scan

Objects scanned: 207609

Time elapsed: 45 minute(s), 49 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)


Open HijackThis, click "Do a system scan only", and check the entries below. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

 

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

Reboot the computer.

 

Post back with a new HJT log.

If there isn't much improvement we'll try a different scanner.

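The triage the helper does by hand above (entries whose file is "(no file)" or "(file missing)" get fixed; browser-facing O16/O18 entries and autoruns get a second look) can be turned into a repeatable check. The script below is an added example written for this thread; it is not code from the thread, from HijackThis, or from any of the tools used here. The sample lines are copied from the HJT logs posted in this thread; the rule set and the names `classify`, `triage`, `summarize` and `Finding` are my own assumptions, and an entry marked "review" only means a human should confirm which product owns it, not that it is malicious.

```python
"""Rule-based triage of HijackThis v2 log lines (added example, not HJT's own code).

Levels:
  orphan  - registry entry points at a file that no longer exists ("(no file)",
            "(file missing)"); the same lines the helper in this thread fixed.
  review  - entry sits in a sensitive load path and its owner should be confirmed.
  info    - no rule matched.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\\Program Files\\Java\\jre6\\bin\\jp2ssv.dll
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\\WINDOWS\\web\\related.htm
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Filter hijack: text/html - {e7943e01-36a0-4752-8e7f-feee88b4be73} - C:\\WINDOWS\\mark_32.dll
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\\WINDOWS\\system32\\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Every HJT finding starts with a section code (R1, F2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O2" or "O23"
    level: str     # "orphan", "review" or "info"
    reason: str
    line: str


def classify(section: str, body: str) -> tuple[str, str]:
    """Return (level, reason) for one HJT entry body."""
    low = body.lower()
    # Rule 1: the registry still references a file that is gone. Fixing the
    # entry removes a dangling reference; nothing on disk is touched.
    if "(no file)" in low or "(file missing)" in low:
        return "orphan", "registry entry references a file that no longer exists"
    # Rule 2: downloaded ActiveX controls (O16) and MIME/protocol filters (O18)
    # are loaded by the browser; confirm which product installed them.
    if section == "O16":
        return "review", "downloaded ActiveX control (DPF); confirm the source URL is expected"
    if section == "O18":
        return "review", "filter inserted into the browser's HTML pipeline; confirm the owning product"
    # Rule 3: an autorun whose executable has no path is located through the
    # loader's search path rather than a fixed location; confirm what it resolves to.
    if section == "O4" and "] " in body:
        cmd = body.split("] ", 1)[1].strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe and "/" not in exe:
            return "review", f"autorun command '{exe}' has no path; resolved via search path"
    # Rule 4: HJT could not read a vendor name from the service binary.
    if section == "O23" and "unknown owner" in low:
        return "review", "service binary has no recognisable owner/vendor"
    return "info", "no rule matched"


def triage(log_text: str) -> list[Finding]:
    """Parse an HJT log and classify every R/F/O entry; other lines are skipped."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        level, reason = classify(m.group("section"), m.group("body"))
        findings.append(Finding(m.group("section"), level, reason, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per level, e.g. {'orphan': 2, 'review': 3, 'info': 3}."""
    return dict(Counter(f.level for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        if f.level != "info":
            print(f"[{f.level:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run against the full log pasted in this thread, the only "orphan" hits are the nameless O2 BHO and the npggsvc service; the "Related" O9 button the helper also removed comes out as "info", which is the point of the exercise: the file-missing class is mechanical, the rest still needs the judgment the helper applied.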

Open HijackThis, click "Do a system scan only", and check the entries below. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

 

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

I fixed all 7 items. Below is an updated log after reboot.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:14:07 PM, on 2/15/2010

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O18 - Filter hijack: text/html - {e7943e01-36a0-4752-8e7f-feee88b4be73} - C:\WINDOWS\mark_32.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Update Service (gupdate1c990acf975a542) (gupdate1c990acf975a542) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

 

--

End of file - 6841 bytes


The computer is running a lot better. It is a little slow starting up and shutting down. It also takes a bit of time for IE to open. Once it's open it moves pretty quickly when I am browsing.

 

I am wondering if my Trend Micro Antivirus is causing it to be slow. It takes a while for it to load up.


I am wondering if my Trend Micro Antivirus is causing it to be slow. It takes a while for it to load up.

Good question. Before the infection, was Trend Micro acting the same way?

 

I think it best to run another tool; even if nothing is found, I think a secure feeling would be nice.

Download ComboFix from either of these locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

 

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

TREND MICRO INTERNET SECURITY 2008

Please refer to these instructions.

  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

 

 

Extra note: After you have installed the Recovery Console, if you reboot your computer, right after reboot you'll see the option for the Recovery Console as well.

Don't select to run the Recovery Console as we don't need it.

By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

If there are internet issues afterward:

 

*In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.

 

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection; uncheck the proxy server and set it to No Proxy.

You may need several replies to post the requested logs, otherwise they might get cut off.


Here is the combofix log. It kept saying at the beginning that my antivirus was active, but I am sure it is disabled.

 

ComboFix 10-02-16.01 - Owner 02/16/2010 19:45:14.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.201 [GMT -7:00]

Running from: c:\documents and settings\Owner.FIRECHEEKS\Desktop\ComboFix.exe

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

/wow section - STAGE 4

'play.lnk' is not recognized as an internal or external command

'Malware' is not recognized as an internal or external command

'play.lnk' is not recognized as an internal or external command

'Malware' is not recognized as an internal or external command

'play.lnk' is not recognized as an internal or external command

'play.lnk' is not recognized as an internal or external command

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Connie Frank\Application Data\.rdr.ini

c:\documents and settings\Kelsey Frank\Application Data\.rdr.ini

c:\documents and settings\Melissa Frank\Application Data\.rdr.ini

c:\program files\Common Files\Companion Wizard

c:\program files\Common Files\Companion Wizard\CompWiz.xml

c:\program files\pasystem

c:\program files\pasystem\support.dat

c:\program files\pasystem\Uninstall.exe

c:\program files\Shared

c:\recycler\S-1-5-21-443811792-3070681350-1748788745-1007

c:\recycler\S-1-5-21-443811792-3070681350-1748788745-1008

c:\recycler\S-1-5-21-443811792-3070681350-1748788745-1010

c:\recycler\S-1-5-21-443811792-3070681350-1748788745-1011

c:\recycler\S-1-5-21-443811792-3070681350-1748788745-500

C:\s

c:\temp\0b9

c:\temp\0b9\tmpTF.log

c:\temp\17o7

c:\temp\17o7\tmpTF.log

c:\temp\tn3

C:\UWA7P

C:\WA6P

c:\windows\EventSystem.log

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\config\49001664.Evt

c:\windows\system32\Data

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\smpi1

c:\windows\system32\SrchSTS.exe

c:\windows\system32\T2

c:\windows\system32\T3

c:\windows\system32\T4

c:\windows\system32\T6

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

 

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected

Restored copy from - c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\qmgr.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_ASC3550P

-------\Service_asc3550p

 

 

((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))

.

 

2010-02-14 23:38 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-02-14 23:38 . 2010-02-14 23:38 -------- d-----w- c:\program files\Panda Security

2010-01-31 19:23 . 2010-01-31 19:23 -------- d-----w- c:\documents and settings\Owner.FIRECHEEKS\Application Data\CyberLink

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-28 05:35 . 2007-05-25 04:43 -------- d-----w- c:\documents and settings\Owner.FIRECHEEKS\Application Data\AdobeUM

2010-01-26 04:30 . 2008-09-02 14:13 -------- d-----w- c:\documents and settings\Owner.FIRECHEEKS\Application Data\U3

2010-01-20 02:50 . 2008-10-17 02:53 39 ----a-w- c:\documents and settings\Owner.FIRECHEEKS\jagex_runescape_preferences.dat

2010-01-20 02:48 . 2009-09-05 21:12 69 ----a-w- c:\documents and settings\Owner.FIRECHEEKS\jagex_runescape_preferences2.dat

2010-01-18 17:10 . 2009-05-29 00:41 -------- d-----w- c:\program files\Basic Medical Language, second edition

2010-01-07 23:07 . 2003-09-19 09:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 23:07 . 2003-09-19 09:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-03 23:45 . 2010-01-03 23:45 69380 ---ha-w- c:\windows\system32\mlfcache.dat

2009-12-25 19:34 . 2007-06-03 17:26 -------- d-----w- c:\documents and settings\Owner.FIRECHEEKS\Application Data\Apple Computer

2009-12-25 19:05 . 2009-12-25 19:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-12-25 19:05 . 2009-12-25 19:03 -------- d-----w- c:\program files\iTunes

2009-12-25 19:04 . 2009-12-25 19:04 -------- d-----w- c:\program files\iPod

2009-12-25 19:04 . 2008-04-27 20:43 -------- d-----w- c:\program files\Common Files\Apple

2009-12-25 18:56 . 2003-12-19 16:37 -------- d-----w- c:\program files\QuickTime

2009-12-25 18:51 . 2008-04-27 20:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple

2009-12-22 05:42 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll

2007-05-24 01:45 . 2007-05-24 01:17 279 ----a-w- c:\program files\Common Files\qukavo705

2007-05-23 20:55 . 2007-05-22 18:45 279 ----a-w- c:\program files\Common Files\qukavo510

2007-05-20 21:29 . 2007-05-16 21:42 279 ----a-w- c:\program files\Common Files\qukavo451

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-17 39408]

"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2003-03-31 13312]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]

"nwiz"="nwiz.exe" [2007-09-17 1626112]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-02-01 1398024]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2003-03-31 40960]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]

2002-04-03 08:01 135264 ----a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2009-07-01 18:21 133104 ----atw- c:\documents and settings\Owner.FIRECHEEKS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 23:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2007-01-19 19:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 06:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]

2009-10-23 20:11 266888 ----a-w- c:\documents and settings\Owner.FIRECHEEKS\Application Data\Smilebox\SmileboxTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

2003-02-13 08:01 155648 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-11 11:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-02-17 03:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=

"c:\\Program Files\\Microsoft Games\\Combat Flight Simulator 2\\cfs2.icd"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

 

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2/14/2010 4:38 PM 28552]

R1 SSHDRV65;SSHDRV65;c:\windows\SYSTEM32\DRIVERS\SSHDRV65.sys [5/24/2007 6:52 PM 120320]

R2 tmevtmgr;tmevtmgr;c:\windows\SYSTEM32\DRIVERS\tmevtmgr.sys [5/28/2008 9:11 PM 52624]

R2 tmpreflt;tmpreflt;c:\windows\SYSTEM32\DRIVERS\tmpreflt.sys [2/15/2008 11:39 PM 36368]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\SYSTEM32\DRIVERS\TM_CFW.sys [2/15/2008 11:39 PM 333328]

R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [5/28/2008 9:13 PM 488768]

R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [5/28/2008 9:13 PM 648456]

S2 gupdate1c990acf975a542;Google Update Service (gupdate1c990acf975a542);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2009 8:08 PM 133104]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 PCD65X2;PCD65X2;\??\c:\docume~1\OWNER~1.FIR\LOCALS~1\Temp\PCD65X2.sys --> c:\docume~1\OWNER~1.FIR\LOCALS~1\Temp\PCD65X2.sys [?]

S3 PCD65X3;PCD65X3;\??\c:\docume~1\OWNER~1.FIR\LOCALS~1\Temp\PCD65X3.sys --> c:\docume~1\OWNER~1.FIR\LOCALS~1\Temp\PCD65X3.sys [?]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

 

2010-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

 

2010-02-15 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-27 17:11]

 

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 03:08]

 

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 03:08]

 

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-220523388-682003330-1003Core.job

- c:\documents and settings\Owner.FIRECHEEKS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-12 18:21]

 

2010-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-220523388-682003330-1003UA.job

- c:\documents and settings\Owner.FIRECHEEKS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-12 18:21]

.

.

------- Supplementary Scan -------

.

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: &Search

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-Sonic RecordNow! - (no file)

AddRemove-KB913433 - c:\windows\System32\MacroMed\Flash\genuinst.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-16 20:04

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(920)

c:\windows\System32\ODBC32.dll

c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

 

- - - - - - - > 'lsass.exe'(976)

c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

c:\windows\System32\dssenh.dll

 

- - - - - - - > 'explorer.exe'(2452)

c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\System32\msi.dll

c:\windows\system32\PortableDeviceTypes.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\CTsvcCDA.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Trend Micro\Internet Security\SfCtlCom.exe

c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

c:\program files\Trend Micro\BM\TMBMSRV.exe

c:\windows\BCMSMMSG.exe

.

**************************************************************************

.

Completion time: 2010-02-16 20:18:32 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-17 03:18

 

Pre-Run: 27,159,535,616 bytes free

Post-Run: 27,300,089,856 bytes free

 

winxpsp1_en_hom_bf.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

 

- - End Of File - - 841B1D94F8175E33F905A18CF5B381F0

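The ComboFix log above records several settings a defender would want flagged on sight: the Security Center AntiVirusOverride and DisableMonitoring values set to 1, the standard-profile firewall policy with EnableFirewall=0, and S3 drivers (PCD65X2, PCD65X3) whose image path sits under a user's Temp folder. As an added example that is not part of this thread or of ComboFix itself, the Python script below parses those "Reg Loading Points" and service lines and reports exactly those conditions; its input is a constructed excerpt modelled on the posted log, and the category names are my own.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" and driver/service
# lines of the ComboFix log posted in this thread (not the full log).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2003-03-31 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2/14/2010 4:38 PM 28552]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PCD65X3;PCD65X3;\??\c:\docume~1\OWNER~1.FIR\LOCALS~1\Temp\PCD65X3.sys --> c:\docume~1\OWNER~1.FIR\LOCALS~1\Temp\PCD65X3.sys [?]
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')          # [HKEY_...] header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')  # "Name"=value
SERVICE_RE = re.compile(r'^[RS]\d\s')                       # R0..R3 / S0..S3 lines


def parse_number(value):
    """Return the integer in a ComboFix value such as 'dword:00000001' or
    '0 (0x0)'; None when the value is a string (for example a file path)."""
    m = re.search(r'dword:([0-9a-fA-F]{8})', value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)', value)
    return int(m.group(1)) if m else None


def service_image_path(line):
    """Extract the image path from 'S3 name;display;path [date size]' or
    from the '... --> path [?]' form ComboFix uses for missing files."""
    parts = line.split(';', 2)
    if len(parts) != 3:
        return None
    path = parts[2].split(' -->')[0].split(' [')[0]
    return path.strip()


def triage(log_text):
    """Scan ComboFix log text; return a list of (category, detail) findings
    in the order the offending lines appear."""
    findings = []
    current_key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group('key').lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, number = m.group('name'), parse_number(m.group('value'))
            in_sc = 'security center' in current_key
            if in_sc and name == 'AntiVirusOverride' and number == 1:
                findings.append(('security-center-override', f'{name}=1 in [{current_key}]'))
            elif in_sc and name == 'DisableMonitoring' and number == 1:
                findings.append(('security-center-monitoring-off', f'[{current_key}]'))
            elif 'firewallpolicy' in current_key and name == 'EnableFirewall' and number == 0:
                findings.append(('firewall-disabled', f'[{current_key}]'))
            continue
        if SERVICE_RE.match(line):
            path = service_image_path(line)
            # A kernel driver or service whose image lives under a Temp folder
            # is worth a second look (PCD65X2/PCD65X3 in the posted log).
            if path and re.search(r'\\temp\\', path, re.IGNORECASE):
                findings.append(('service-image-in-temp', f'{line.split(";", 1)[0]} -> {path}'))
    return findings


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f'{category:32} {detail}')
```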

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)
Please go to: VirusTotal
  • Click the Browse button and search for the following file: c:\docume~1\OWNER~1.FIR\LOCALS~1\Temp\PCD65X3.sys
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"


Also please have the next files scanned:

c:\program files\Common Files\qukavo705

c:\program files\Common Files\qukavo510

c:\program files\Common Files\qukavo451

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NEXT**

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.

The below scan can take up to an hour or longer, so please be patient.

*Note

It is recommended to disable the onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/d...n=1260122209224

Other available links

Kaspersky Online Scanner or from here

http://www.kaspersky.com/virusscanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:

Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

 

(Note.. for Internet Explorer 7 users:

If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419


In your next reply post:

files requested scanned

Kaspersky log

New HJT log taken after the above scans have run

You may need several replies to post the requested logs, otherwise they might get cut off.


c:\docume~1\OWNER~1.FIR\LOCALS~1\Temp\PCD65X3.sys

I cannot locate this one.

Here are the scans from VirusTotal for the other three.

I will post Kaspersky in a separate reply.

 

File qukavo705 received on 2010.02.17 03:58:54 (UTC)


Result: 0/40 (0%)


 

 

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.02.17 -

AhnLab-V3 5.0.0.2 2010.02.16 -

AntiVir 8.2.1.170 2010.02.16 -

Antiy-AVL 2.0.3.7 2010.02.17 -

Authentium 5.2.0.5 2010.02.17 -

Avast 4.8.1351.0 2010.02.16 -

AVG 9.0.0.730 2010.02.16 -

BitDefender 7.2 2010.02.17 -

CAT-QuickHeal 10.00 2010.02.17 -

ClamAV 0.96.0.0-git 2010.02.16 -

Comodo 3962 2010.02.17 -

DrWeb 5.0.1.12222 2010.02.17 -

eSafe 7.0.17.0 2010.02.16 -

eTrust-Vet 35.2.7307 2010.02.16 -

F-Prot 4.5.1.85 2010.02.16 -

F-Secure 9.0.15370.0 2010.02.17 -

Fortinet 4.0.14.0 2010.02.15 -

GData 19 2010.02.17 -

Ikarus T3.1.1.80.0 2010.02.17 -

Jiangmin 13.0.900 2010.02.16 -

K7AntiVirus 7.10.974 2010.02.15 -

Kaspersky 7.0.0.125 2010.02.17 -

McAfee 5894 2010.02.16 -

McAfee+Artemis 5894 2010.02.16 -

Microsoft 1.5406 2010.02.17 -

NOD32 4872 2010.02.16 -

Norman 6.04.08 2010.02.16 -

nProtect 2009.1.8.0 2010.02.16 -

Panda 10.0.2.2 2010.02.16 -

PCTools 7.0.3.5 2010.02.16 -

Prevx 3.0 2010.02.17 -

Rising 22.34.01.03 2010.02.11 -

Sophos 4.50.0 2010.02.17 -

Sunbelt 5682 2010.02.17 -

Symantec 20091.2.0.41 2010.02.17 -

TheHacker 6.5.1.4.197 2010.02.17 -

TrendMicro 9.120.0.1004 2010.02.17 -

VBA32 3.12.12.2 2010.02.16 -

ViRobot 2010.2.17.2189 2010.02.17 -

VirusBuster 5.0.21.0 2010.02.16 -

Additional information

File size: 279 bytes

MD5...: 7aaac3d1bbdc702708447c5aaee70639

SHA1..: f3972b642fb1a5c12c5a36d6bf9be8e2162ea950

SHA256: 27b690b8adb6dfd9b3ef3af8298727aaa19bb4c0cf43188f9511ee5f5de668e1

ssdeep: 6:yDqlEn1Sgcj1hU7lfue6KW8M1hiGwXA50CsAklwKF2qTN8JBoDyW:Rlyc8bm35slwKj8KN

 

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

trid..: Generic INI configuration (100.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

 

pdfid.: -

 

 

File qukavo510 received on 2010.02.17 04:03:46 (UTC)


Result: 0/40 (0%)


 

 

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.02.17 -

AhnLab-V3 5.0.0.2 2010.02.16 -

AntiVir 8.2.1.170 2010.02.16 -

Antiy-AVL 2.0.3.7 2010.02.17 -

Authentium 5.2.0.5 2010.02.17 -

Avast 4.8.1351.0 2010.02.16 -

AVG 9.0.0.730 2010.02.16 -

BitDefender 7.2 2010.02.17 -

CAT-QuickHeal 10.00 2010.02.17 -

ClamAV 0.96.0.0-git 2010.02.16 -

Comodo 3962 2010.02.17 -

DrWeb 5.0.1.12222 2010.02.17 -

eSafe 7.0.17.0 2010.02.16 -

eTrust-Vet 35.2.7307 2010.02.16 -

F-Prot 4.5.1.85 2010.02.16 -

F-Secure 9.0.15370.0 2010.02.17 -

Fortinet 4.0.14.0 2010.02.15 -

GData 19 2010.02.17 -

Ikarus T3.1.1.80.0 2010.02.17 -

Jiangmin 13.0.900 2010.02.16 -

K7AntiVirus 7.10.974 2010.02.15 -

Kaspersky 7.0.0.125 2010.02.17 -

McAfee 5894 2010.02.16 -

McAfee+Artemis 5894 2010.02.16 -

Microsoft 1.5406 2010.02.17 -

NOD32 4872 2010.02.16 -

Norman 6.04.08 2010.02.16 -

nProtect 2009.1.8.0 2010.02.16 -

Panda 10.0.2.2 2010.02.16 -

PCTools 7.0.3.5 2010.02.16 -

Prevx 3.0 2010.02.17 -

Rising 22.34.01.03 2010.02.11 -

Sophos 4.50.0 2010.02.17 -

Sunbelt 5682 2010.02.17 -

Symantec 20091.2.0.41 2010.02.17 -

TheHacker 6.5.1.4.197 2010.02.17 -

TrendMicro 9.120.0.1004 2010.02.17 -

VBA32 3.12.12.2 2010.02.16 -

ViRobot 2010.2.17.2189 2010.02.17 -

VirusBuster 5.0.21.0 2010.02.16 -

Additional information

File size: 279 bytes

MD5...: 7aaac3d1bbdc702708447c5aaee70639

SHA1..: f3972b642fb1a5c12c5a36d6bf9be8e2162ea950

SHA256: 27b690b8adb6dfd9b3ef3af8298727aaa19bb4c0cf43188f9511ee5f5de668e1

ssdeep: 6:yDqlEn1Sgcj1hU7lfue6KW8M1hiGwXA50CsAklwKF2qTN8JBoDyW:Rlyc8bm35slwKj8KN

 

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

trid..: Generic INI configuration (100.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

 

pdfid.: -

 

File qukavo451 received on 2010.02.17 04:06:04 (UTC)


Result: 0/40 (0%)


 

 

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.02.17 -

AhnLab-V3 5.0.0.2 2010.02.16 -

AntiVir 8.2.1.170 2010.02.16 -

Antiy-AVL 2.0.3.7 2010.02.17 -

Authentium 5.2.0.5 2010.02.17 -

Avast 4.8.1351.0 2010.02.16 -

AVG 9.0.0.730 2010.02.16 -

BitDefender 7.2 2010.02.17 -

CAT-QuickHeal 10.00 2010.02.17 -

ClamAV 0.96.0.0-git 2010.02.16 -

Comodo 3963 2010.02.17 -

DrWeb 5.0.1.12222 2010.02.17 -

eSafe 7.0.17.0 2010.02.16 -

eTrust-Vet 35.2.7307 2010.02.16 -

F-Prot 4.5.1.85 2010.02.16 -

F-Secure 9.0.15370.0 2010.02.17 -

Fortinet 4.0.14.0 2010.02.15 -

GData 19 2010.02.17 -

Ikarus T3.1.1.80.0 2010.02.17 -

Jiangmin 13.0.900 2010.02.16 -

K7AntiVirus 7.10.974 2010.02.15 -

Kaspersky 7.0.0.125 2010.02.17 -

McAfee 5894 2010.02.16 -

McAfee+Artemis 5894 2010.02.16 -

Microsoft 1.5406 2010.02.17 -

NOD32 4872 2010.02.16 -

Norman 6.04.08 2010.02.16 -

nProtect 2009.1.8.0 2010.02.16 -

Panda 10.0.2.2 2010.02.16 -

PCTools 7.0.3.5 2010.02.16 -

Prevx 3.0 2010.02.17 -

Rising 22.34.01.03 2010.02.11 -

Sophos 4.50.0 2010.02.17 -

Sunbelt 5682 2010.02.17 -

Symantec 20091.2.0.41 2010.02.17 -

TheHacker 6.5.1.4.197 2010.02.17 -

TrendMicro 9.120.0.1004 2010.02.17 -

VBA32 3.12.12.2 2010.02.16 -

ViRobot 2010.2.17.2189 2010.02.17 -

VirusBuster 5.0.21.0 2010.02.16 -

Additional information

File size: 279 bytes

MD5...: 7aaac3d1bbdc702708447c5aaee70639

SHA1..: f3972b642fb1a5c12c5a36d6bf9be8e2162ea950

SHA256: 27b690b8adb6dfd9b3ef3af8298727aaa19bb4c0cf43188f9511ee5f5de668e1

ssdeep: 6:yDqlEn1Sgcj1hU7lfue6KW8M1hiGwXA50CsAklwKF2qTN8JBoDyW:Rlyc8bm35slwKj8KN

 

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

 

pdfid.: -

trid..: Generic INI configuration (100.0%)


Good morning.

Here are Kaspersky and HijackThis.

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Wednesday, February 17, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Wednesday, February 17, 2010 01:40:47

Records in database: 3542910

--------------------------------------------------------------------------------

 

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

 

Scan area - My Computer:

A:\

C:\

D:\

E:\

 

Scan statistics:

Objects scanned: 171572

Threats found: 8

Infected objects found: 14

Suspicious objects found: 0

Scan duration: 03:31:23

 

 

File name / Threat / Threats count

C:\Documents and Settings\Connie Frank\My Documents\My Pictures\Screensavers\stormfree.exe Infected: not-a-virus:AdWare.Win32.SaveNow.c 1

C:\Documents and Settings\Connie Frank\My Documents\My Pictures\Screensavers\stormfree.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af 1

C:\Documents and Settings\Connie Frank\My Documents\My Pictures\Screensavers\stormfree.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v 2

C:\Documents and Settings\Connie Frank\My Documents\My Pictures\Screensavers\stormfree.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1

C:\Documents and Settings\Connie Frank\My Documents\My Pictures\Screensavers\stormfree.exe Infected: not-a-virus:AdWare.Win32.WebHancer.320 5

C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2F.tmp Infected: Trojan-Downloader.Win32.PurityScan.af 1

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\CONFIG\49001664.Evt.vir Infected: Trojan-Proxy.Win32.Saturn.jt 1

 

Selected area has been scanned.

 

 

Hijack This

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:07:34 AM, on 2/17/2010

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\WgaTray.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Update Service (gupdate1c990acf975a542) (gupdate1c990acf975a542) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

 

--

End of file - 6710 bytes
