Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Problems With Computer


  • This topic is locked This topic is locked
18 replies to this topic

#1 Pompeoca

Pompeoca

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Buffalo
  • Local time:09:28 PM

Posted 14 August 2007 - 12:03 PM

I was directed to do a scan...here are the results.... As you read my other postings you will find that I have some issues after following directions...still can't get on to my computer after all that I have done



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:30 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{3E-E5-5E-E4-ZN}] C:\Documents and Settings\Cheryl\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [hory] C:\Program Files\Common Files\hory22011.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7178 bytes

BC AdBot (Login to Remove)

 


#2 Pompeoca

Pompeoca
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Buffalo
  • Local time:09:28 PM

Posted 14 August 2007 - 05:55 PM

Hello again,

Can someone please give me a hand with this issue? I also use my pc for business purposes so my "down time" means work is starting to back up. I would sincerely appreciate it.

CP

Edited by Pompeoca, 14 August 2007 - 09:53 PM.


#3 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:28 AM

Posted 15 August 2007 - 07:06 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [{3E-E5-5E-E4-ZN}] C:\Documents and Settings\Cheryl\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [hory] C:\Program Files\Common Files\hory22011.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\Program Files\Common Files\hory22011.exe

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Reboot back into normal mode.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to create "false alarms".

It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause false alarms - When the anti virus software tells you that your PC has a virus when it actually doesn't. Also it can cause system performance problems; your system may lock up due to both software products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove two of Trend Micro, BitDefender or Symantec/Norton.

Please download Combofix to your desktop.
Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

#4 Pompeoca

Pompeoca
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Buffalo
  • Local time:09:28 PM

Posted 15 August 2007 - 10:52 PM

Hi David... completed task....log file.........

ComboFix 07-08-09.3 - "Cheryl" 2007-08-16 10:36:26.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.527 [GMT -4:00]


((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))


2007-08-16 09:12 1,012 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-13 15:13 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-12 23:02 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-08-12 22:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-12 22:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-12 22:07 <DIR> d-------- C:\DOCUME~1\Cheryl\APPLIC~1\SUPERAntiSpyware.com
2007-08-12 22:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-12 10:04 <DIR> d-------- C:\DOCUME~1\Cheryl\.housecall6.6
2007-08-12 09:29 <DIR> d-------- C:\WINDOWS\system32\tempchk
2007-08-08 07:37 <DIR> d-------- C:\DOCUME~1\Cheryl\APPLIC~1\Uniblue
2007-08-07 16:30 163,840 --a------ C:\Program Files\Common Files\hory22011.exe
2007-07-31 22:36 <DIR> d-------- C:\DOCUME~1\Cheryl\SmitfraudFix
2007-07-30 21:27 6,016 --a------ C:\WINDOWS\system32\drivers\vnccom.SYS
2007-07-30 21:26 5,760 --a------ C:\WINDOWS\system32\vnchelp.dll
2007-07-30 21:26 4,736 --a------ C:\WINDOWS\system32\drivers\vncdrv.sys
2007-07-30 21:26 12,800 --a------ C:\WINDOWS\system32\vncdrv.dll
2007-07-30 21:26 <DIR> d-------- C:\Program Files\UltraVNC
2007-07-30 17:20 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-29 20:45 <DIR> d-------- C:\DOCUME~1\Jay\APPLIC~1\acccore


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-14 12:41 --------- d-------- C:\Program Files\Trend Micro
2007-08-12 20:01 3766 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-08 07:46 --------- d-------- C:\Program Files\Soulseek
2007-07-28 05:06 135 --a------ C:\Program Files\page.html
2007-07-22 22:07 --------- d-------- C:\Program Files\MSN Messenger
2007-07-20 17:41 56 -r-hs---- C:\WINDOWS\system32\4FF5FCF948.sys
2007-07-13 08:48 --------- d-------- C:\Program Files\Picasa2
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2006-10-09 21:02 251 --a------ C:\Program Files\wt3d.ini


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link Wireless G WDA-1320"="C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2005-12-14 15:56]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 16:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 19:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"Aim6"="" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cheryl^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Cheryl\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1159649591\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nah]
"C:\Documents and Settings\Cheryl\My Documents\?ecurity\m?hta.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
"C:\Program Files\Norton Ghost\Agent\GhostTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]
"C:\DOCUME~1\Cheryl\APPLIC~1\SCURIT~1\chkntfs.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)
"VSSERV"=2 (0x2)
"Norton Ghost"=2 (0x2)
"LIVESRV"=2 (0x2)
"bdss"=2 (0x2)

R0 iastor;Intel RAID Controller;C:\WINDOWS\system32\drivers\iastor.sys
R1 ELhid;ELhid;C:\WINDOWS\system32\DRIVERS\ELhid.sys
R1 ELkbd;ELkbd;C:\WINDOWS\system32\DRIVERS\ELkbd.sys
R1 ELmon;ELmon;C:\WINDOWS\system32\DRIVERS\ELmon.sys
R1 ELmou;ELmou;C:\WINDOWS\system32\DRIVERS\ELmou.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
R2 tm_cfw;Common Firewall Driver;C:\WINDOWS\system32\Drivers\tm_cfw.sys
R2 Tmpreflt;Tmpreflt;C:\WINDOWS\system32\drivers\Tmpreflt.sys
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e1e5132.sys
R3 ELacpi;ELacpi;C:\WINDOWS\system32\DRIVERS\ELacpi.sys
R3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-08-16 14:04:41 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 10:37:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-16 10:38:21
C:\ComboFix-quarantined-files.txt ... 2007-08-16 10:38
C:\ComboFix2.txt ... 2007-08-15 23:50
C:\ComboFix3.txt ... 2007-08-13 23:35

--- E O F ---

Edited by Pompeoca, 16 August 2007 - 09:45 AM.


#5 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:28 AM

Posted 17 August 2007 - 06:36 AM

Good work! Let's continue.. :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Open hijackthis, click 'config' (bottom right) Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'. In the field, copy and paste the filepath a few lines below.
Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\Program Files\Common Files\hory22011.exe

Please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nah]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allows ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

#6 Pompeoca

Pompeoca
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Buffalo
  • Local time:09:28 PM

Posted 17 August 2007 - 08:26 PM

Ok ..mission accomplished...2 logs enclosed

Kaspersky log ...........

KASPERSKY ONLINE SCANNER REPORT
Friday, August 17, 2007 9:18:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 18/08/2007
Kaspersky Anti-Virus database records: 384765
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects 69411
Number of viruses found 23
Number of infected objects 75
Number of suspicious objects 0
Duration of the scan process 00:56:54

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Cheryl\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cheryl\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Cheryl\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Cheryl\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Cheryl\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Cheryl\Desktop\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\Cheryl\Desktop\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\Cheryl\Desktop\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Documents and Settings\Cheryl\Desktop\UltraVNC-102-Setup.exe Inno: infected - 3 skipped
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cheryl\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cheryl\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Cheryl\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cheryl\ntuser.dat Object is locked skipped
C:\Documents and Settings\Cheryl\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Cheryl\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\11B.tmp Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\11E.tmp Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\127.tmp Infected: Trojan-Downloader.Win32.Agent.bkd skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\12B.tmp Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\130.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\137.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\139.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\17C.tmp/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bxu skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\17C.tmp/stream Infected: Trojan-Downloader.Win32.Zlob.bxu skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\17C.tmp NSIS: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\17C.tmp CryptFF.b: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1A1.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1C.tmp Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1F.tmp Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\21B.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\23.tmp Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\283.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\284.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\2C.tmp Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\355.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\355.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\355.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\358.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\35C.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\360.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\364.tmp Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\381.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\381.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\381.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3E7.tmp Infected: Exploit.Multi.Qtp.b skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\4E.tmp Infected: Trojan-Downloader.Win32.Agent.bkd skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\55.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\57.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\5B.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\6C.tmp Infected: Trojan-Downloader.Win32.Zlob.bon skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\88.tmp/page.htm Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\88.tmp/SystemDoctor2006FreeInstall.cab/USDR6_0001_D08M0404NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\88.tmp/SystemDoctor2006FreeInstall.cab Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\88.tmp CHM: infected - 3 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\88.tmp CryptFF.b: infected - 3 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp NSIS: infected - 3 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp CryptFF.b: infected - 3 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F0.tmp/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bxu skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F0.tmp/stream Infected: Trojan-Downloader.Win32.Zlob.bxu skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F0.tmp NSIS: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F0.tmp CryptFF.b: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\func.exe Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\Z1\vt22011.exe.vir/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\Z1\vt22011.exe.vir NSIS: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000035.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP39\A0005223.exe Infected: Trojan-Downloader.Win32.Zlob.bxg skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0017395.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0017395.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0017418.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0017418.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0017419.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP53\A0024646.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP55\A0025215.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP56\A0025303.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP57\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{AB9DA183-0D40-4D81-B16F-2135C7E238BC}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{CDE95569-66DF-4A05-B795-23C294C0A5BF}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd2413.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.


Hijack this....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:23 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6542 bytes

CP

#7 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:28 AM

Posted 18 August 2007 - 04:29 AM

Good work! Let's continue.. :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Some of the files that are detected by Kaspersky are simply false positives, such as Smitfraudfix and UltraVNC.

Please delete this folder:
C:\QooBox

Please empty the contents of this folders (do not delete them):
C:\Program Files\Trend Micro\Internet Security 12\Quarantine

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here

Reboot a final time and let me know how the PC is running. :flowers:

#8 Pompeoca

Pompeoca
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Buffalo
  • Local time:09:28 PM

Posted 18 August 2007 - 06:20 AM

Thank you so much. How can I empty without deleting the contents of this folders:
C:\Program Files\Trend Micro\Internet Security 12\Quarantine?

Thanks

#9 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:28 AM

Posted 18 August 2007 - 08:47 AM

Ok. Click start > run > and copy and paste the following then hit enter:
C:\Program Files\Trend Micro\Internet Security 12\Quarantine

A folder should open. Click edit > select all.
Then hit the delete button on your keyboard. Does that work?

#10 Pompeoca

Pompeoca
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Buffalo
  • Local time:09:28 PM

Posted 19 August 2007 - 07:52 AM

OK..I followed all of the above..computer seems to be working well.

I found that when my yahoo messenger program turns on and I click on mail it goes to internet explorer .. originally when I clicked on it.. it used to go to fiefox...which is what I always used..how do I get that backto firefox?
Also on the topic of internet spy ware programs...My Dell came with tend micro( have 2 yrs more years left)...I use free version of AVG 7.5 ..I have super anti spyware installed since I have been on this forum and smitfraud is still on there...So I am confused on what to have ..What are your suggestions ?

Thanks again for your help ....
CP :thumbsup:

Edited by Pompeoca, 19 August 2007 - 07:52 AM.


#11 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:28 AM

Posted 19 August 2007 - 02:19 PM

OK..I followed all of the above..computer seems to be working well.

I'm glad to hear, but it still looks as though you have 2 antivirus programs installed - Symantec and Trend. Remember that I do not recommend that you have more than one anti virus product installed and running on your computer at a time. Are you able to get rid of one from add/remove? Do you get any errors when doing so? Besides having 2 antivirus programs installed, your protection looks pretty solid.

Regarding Yahoo messenger, I have no idea at all. Unfortunately I don't have the program installed, and I've never had this problem with a user before. Have a look through the settings menu which should be found from the top row of options within the program, it'll be there somewhere I think. You may need to set Firefox as being the default browser, IE may have reversed this. I'm not sure which version of FF you have, so included both:

Firefox 2: "Tools -> Options -> Main / System Defaults -> Always check to see if Firefox is the default browser on startup -> Check Now"
Firefox 1.5: " Tools -> Options -> General -> Default Browser -> Check Now"

Let me know how you get on.

#12 Pompeoca

Pompeoca
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Buffalo
  • Local time:09:28 PM

Posted 19 August 2007 - 03:58 PM

The default browser was the problem...needed to be reset for firefox....Thanks again for all your help . i will keep you posted in the weeks ahead if anything pops up ..

CP

#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:28 AM

Posted 19 August 2007 - 05:28 PM

Glad I could help! :flowers:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
* A article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.
:thumbsup: If you wish to learn how to use HijackThis to remove malware, you might like to join the Malware Removal Training Program!

If you have any addition questions just ask...
David

#14 Pompeoca

Pompeoca
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Buffalo
  • Local time:09:28 PM

Posted 20 August 2007 - 08:20 AM

Hi David..taking a look at which program I am going to use ...thanks for the input .

Now...I was running my anti spy programs...and I was using avg(i have a free program) and I noticed as it was running a scan what it was picking up...There was alot of med risk programs....and I noticed one high...downloader.zlob.bxg. When it was finished and ready for deleting... zlob.bxg was not on the list . it disappeared from that scan. So what does that mean?

CP

#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:28 AM

Posted 21 August 2007 - 04:16 AM

I would imagine that AVG deleted the file there and then, hence why it was not there at the end of the scan. Inevitably, different scanners pick up different things, and with the way modern infections spew infected files all over the PC, it's more or less impossible to root them all out. There is a way you can check, re-run AVG and see if it flags the file again? If it does then see if it will delete it; if it doesn't make sure you let me know. If it doesn't get flagged again, you can be sure that AVG deleted it. I hope this helps.. :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users