
Smitfraud Gone But Other Spyware Remains, Help!


11 replies to this topic

#1 slothnamedslow

slothnamedslow

  • Members
  • 13 posts

Posted 17 September 2007 - 03:30 PM

About a week ago I noticed that IE's start page had been changed (to MSN), not by my choice. Also IE lost the ability to play videos, which required me to re-download ActiveX. Also around that time my virus scanner started giving me lots of "alerts" stating that spyware and some trojans had been quarantined.

Two days ago my computer started going completely crazy. Started getting all these popups in IE (Firefox is not affected at all, although IE popups will show up at all times even when IE is not running). Weird icons started showing up on my desktop and dll's are missing.

I've done the following:

Scanned computer with Adaware twice and removed all malicious items (adaware found only about five).
Run the Smitfraud fix; my computer was infected and I did the fix.
Also ran AVG antispy, which found a TON more stuff.
Virus scanned computer which found even more malware. Quite a few of these were running on startup.

Note all of the above were done in regular mode; I haven't done any in safe mode.

Despite all this I am still getting the crazy popups with IE whether IE is running or not, and IE is running EXTREMELY slowly (oh, and start page still keeps going back to MSN). I also seem to have a bunch of things still running at startup because my computer is really "hanging". Virus scan found a bunch of things that were running at startup and supposedly quarantined them but I am still having issues. Every time I restart my computer I have different icons in the systray. (Legit programs, but I still have no clue why they are there now and they weren't before.) This is making me go crazy!

Latest HJT log is below. Thanks for any help that can be offered.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:28 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\PdeSrv2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cvlpsaww.dll",forkonce
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\scqyteiq.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 3908 bytes


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 18 September 2007 - 04:55 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum slothnamedslow.
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.


*NOTE*
If you have previously downloaded ComboFix, please delete that version and download it again from below.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.


Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply please.

#3 slothnamedslow

slothnamedslow
  • Topic Starter

  • Members
  • 13 posts

Posted 18 September 2007 - 03:15 PM

Hi Richie! Thanks for helping me with this.

I have installed the new Java.

Here is the Combofix log:

ComboFix 07-09-18.4 - "Minkylina" 2007-09-18 15:58:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.131 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\MINKYL~1\APPLIC~1\WinAntiSpyware 2007
C:\DOCUME~1\MINKYL~1\APPLIC~1\WinAntiSpyware 2007 Free
C:\DOCUME~1\MINKYL~1\APPLIC~1\WinAntiSpyware 2007 Free\description.txt
C:\DOCUME~1\MINKYL~1\APPLIC~1\WinAntiSpyware 2007 Free\DownloadUWAS7.url
C:\DOCUME~1\MINKYL~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\000282A3.dat
C:\Program Files\inetget2
C:\Program Files\inetget2\wininstall.exe
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.4\wbuninst.exe
C:\Program Files\web buying\v1.8.4\webbuying.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\awttuss.dll
C:\WINDOWS\system32\btexynlt.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\gfhkj.bak2
C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\H2\mccwb2.exe
C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nunepru.dll
C:\WINDOWS\system32\qwintldt.exe
C:\WINDOWS\system32\urqqono.dll
C:\WINDOWS\system32\wbtfmdvq.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\wbun.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\ApiMon
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.

2007-09-18 15:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 22:35 <DIR> d-------- C:\Program Files\DellSupport
2007-09-16 22:22 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-16 22:22 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-16 22:22 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-16 16:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-16 16:24 3,370 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-15 20:41 52,754 --a------ C:\WINDOWS\system32\ksdsrngr.exe
2007-09-15 19:45 <DIR> d-------- C:\Program Files\WinAble
2007-09-15 19:41 <DIR> d-------- C:\WINDOWS\system32\GRB3
2007-09-15 19:41 <DIR> d-------- C:\WINDOWS\system32\DLL2
2007-09-15 19:41 <DIR> d-------- C:\WINDOWS\system32\chks2
2007-09-15 19:41 <DIR> d-------- C:\Temp
2007-09-09 13:11 <DIR> d-------- C:\Program Files\Blubster Toolbar
2007-09-09 13:11 <DIR> d-------- C:\Program Files\Blubster
2007-09-06 16:57 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2007-08-31 21:26 <DIR> d-------- C:\DOCUME~1\MINKYL~1\APPLIC~1\acccore
2007-08-31 21:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-08-31 21:24 <DIR> d-------- C:\Program Files\AIM6
2007-08-31 21:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-30 23:32 <DIR> d-------- C:\Program Files\iPod
2007-08-30 23:31 <DIR> d-------- C:\Program Files\iTunes
2007-08-30 23:29 <DIR> d-------- C:\Program Files\QuickTime
2007-08-30 23:27 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-30 23:27 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-08-30 23:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-16 22:54 --------- d--h----- C:\DOCUME~1\MINKYL~1\APPLIC~1\Gtek
2007-09-16 16:44 --------- d-------- C:\Program Files\GoogleAFE
2007-09-16 16:44 --------- d-------- C:\Program Files\Google
2007-09-16 16:39 246 --a------ C:\Program Files\Common Files\lavun
2007-09-16 16:23 --------- d-------- C:\Program Files\Winamp
2007-09-16 16:22 --------- d-------- C:\Program Files\Dell
2007-09-13 18:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-09-06 17:10 --------- d-------- C:\DOCUME~1\MINKYL~1\APPLIC~1\uTorrent
2007-09-06 16:37 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-06 16:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-06 16:24 --------- d-------- C:\Program Files\Common Files\Corel
2007-08-30 23:25 --------- d-------- C:\Program Files\Apple Software Update
2006-11-19 20:41:44 56 --sh--r C:\WINDOWS\system32\F08A75CB4C.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 03:02]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-16 22:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"TapiSrv"=3 (0x3)
"SENS"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2007-09-06 20:49:47 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-18 16:07:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-18 16:09:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-18 16:09
.
--- E O F ---



and here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:33 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\PdeSrv2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\HijackThis\abc.bat.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 4031 bytes
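The two HJT logs posted above differ in exactly the lines the helper acted on. As an added example (not code from the thread, from HijackThis or from ComboFix), the Python below parses the O-lines of a HijackThis log, flags the structural signals a log reviewer looks at first (a service whose binary is missing, an autostart that loads a DLL through rundll32, a MIME filter with no backing file) and diffs two logs; the embedded excerpts are copied from the two logs above, trimmed to the changed lines plus a few legitimate ones for contrast.

```python
import re
from dataclasses import dataclass

# Excerpt of the first HJT log (17 Sept, before ComboFix), copied from the thread.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cvlpsaww.dll",forkonce
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\scqyteiq.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Excerpt of the second HJT log (18 Sept, after ComboFix), copied from the thread.
HJT_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HJT finding line starts with a section code such as "O4 - " or "O23 - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# rundll32 <dll>,<export>: the shape of the SystemOptimizer autostart above.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)


@dataclass(frozen=True)
class Entry:
    code: str  # HJT section, e.g. "O4" (Run keys), "O18" (filters), "O23" (services)
    body: str  # everything after "Oxx - "


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it, "low" = verify the vendor
    entry: Entry
    reason: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the O-line entries of an HJT log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag the entries a reviewer would examine first, using only structural signals."""
    findings = []
    for e in entries:
        if e.code == "O23":
            if "(file missing)" in e.body:
                findings.append(Finding("high", e, "service points at a binary that is no longer on disk"))
            elif "Unknown owner" in e.body:
                findings.append(Finding("low", e, "service has no publisher string; confirm the vendor"))
        elif e.code == "O4":
            m = RUNDLL_RE.search(e.body)
            if m:
                findings.append(Finding("high", e, f"autostart loads {m.group(1)} via rundll32 export {m.group(2)}"))
        elif e.code == "O18" and "(no file)" in e.body:
            findings.append(Finding("high", e, "MIME filter registered with no backing file"))
    return findings


def diff_entries(before: list[Entry], after: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Entries removed from and added to the log between two scans (order-independent)."""
    b, a = set(before), set(after)
    key = lambda e: (e.code, e.body)
    return sorted(b - a, key=key), sorted(a - b, key=key)


if __name__ == "__main__":
    before, after = parse_hjt(HJT_BEFORE), parse_hjt(HJT_AFTER)
    for f in triage(before):
        print(f"[{f.severity}] {f.entry.code}: {f.reason}")
    removed, added = diff_entries(before, after)
    print(f"\n{len(removed)} removed, {len(added)} added since the first log")
    for e in removed:
        print("  -", e.code, e.body)
    for e in added:
        print("  +", e.code, e.body)
```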

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 18 September 2007 - 04:07 PM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\system32\ksdsrngr.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot,select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.


#5 slothnamedslow

slothnamedslow
  • Topic Starter

  • Members
  • 13 posts

Posted 18 September 2007 - 06:11 PM

Hello Richie

I downloaded Killbox and it's on my desktop, but when I double click on it to try to run it a splash screen pops up that says:

component "MSCOMTL.OCX" or one of its dependencies is not correctly registered: a file is missing or invalid.

I was able to run superantispyware; here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/18/2007 at 06:27 PM

Application Version : 3.9.1008

Core Rules Database Version : 3308
Trace Rules Database Version: 1314

Scan type : Quick Scan
Total Scan Time : 00:41:45

Memory items scanned : 481
Memory threats detected : 0
Registry items scanned : 853
Registry threats detected : 5
File items scanned : 46900
File threats detected : 325

Adware.Tracking Cookie
E:\Documents and Settings\Amy\Cookies\amy@as-us.falkag[1].txt
E:\Documents and Settings\Amy\Cookies\amy@as1.falkag[1].txt
E:\Documents and Settings\Amy\Cookies\amy@ath.belnk[2].txt
E:\Documents and Settings\Amy\Cookies\amy@atwola[1].txt
E:\Documents and Settings\Amy\Cookies\amy@bannerads[1].txt
E:\Documents and Settings\Amy\Cookies\amy@banner[1].txt
E:\Documents and Settings\Amy\Cookies\amy@belnk[1].txt
E:\Documents and Settings\Amy\Cookies\amy@bizrate[1].txt
E:\Documents and Settings\Amy\Cookies\amy@bluestreak[2].txt
E:\Documents and Settings\Amy\Cookies\amy@bs.serving-sys[2].txt
E:\Documents and Settings\Amy\Cookies\amy@c3.gostats[2].txt
E:\Documents and Settings\Amy\Cookies\amy@citi.bridgetrack[2].txt
E:\Documents and Settings\Amy\Cookies\amy@clickability[1].txt
E:\Documents and Settings\Amy\Cookies\amy@counter.auctionworks[1].txt
E:\Documents and Settings\Amy\Cookies\amy@counter2.hitslink[2].txt
E:\Documents and Settings\Amy\Cookies\amy@couplesseduceteens[1].txt
E:\Documents and Settings\Amy\Cookies\amy@creativeby.viewpoint[2].txt
E:\Documents and Settings\Amy\Cookies\amy@cz3.clickzs[2].txt
E:\Documents and Settings\Amy\Cookies\amy@cz4.clickzs[2].txt
E:\Documents and Settings\Amy\Cookies\amy@cz6.clickzs[1].txt
E:\Documents and Settings\Amy\Cookies\amy@cz7.clickzs[2].txt
E:\Documents and Settings\Amy\Cookies\amy@cz8.clickzs[2].txt
E:\Documents and Settings\Amy\Cookies\amy@dhdmedia[2].txt
E:\Documents and Settings\Amy\Cookies\amy@dist.belnk[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfk4qgdpmkp.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfkiojd5aap.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfkiwod5wko.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfkocpdjwgo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfkoggczofp.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfkoknc5aep.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfkoohcpweo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfkywmdzkep.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfl4omcjabq.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wflicpazclo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfliemdpgbo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfliugajccp.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfloelc5mko.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wflokgcpcbq.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wfmyokcjsko.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wgkygmd5geo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjk4qpcpoko.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjk4sgdjwao.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjk4sldjweq.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjk4woazifo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjkokld5ado.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjkookczobo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjkoopazigo.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjkosgdzkdo.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjkoshc5meo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjkoumazggp.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjkyeiczocq.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjkygjazwao.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjkyqidzigq.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjkyqpcjmbo.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjl4spdzmao.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjlienajmdp.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjligiczaao.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjliojdpkep.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjloumdzkhp.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjlysjd5sco.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjlyskazgfp.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjmikhcjclo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjmysmc5aeo.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjny-1gazse.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjny-1gdpce.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjny-1gdzkg.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjny-1iczsb.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjny-1jdpeg.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjny-1mcjof.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjny-1pajkg.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyagdjocq.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyandjohp.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnycndjkdo.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyegdjwho.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyekc5ogo.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyend5wdo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyomaziko.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyomczgdp.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyqicpsao.stats.esomniture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyqnajieo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyslazsgo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyumdpmbo.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@e-2dj6wjnyupczobq.stats.esomniture[2].txt
E:\Documents and Settings\Amy\Cookies\amy@edge.ru4[2].txt
E:\Documents and Settings\Amy\Cookies\amy@ehg-bcstore.hitbox[2].txt
E:\Documents and Settings\Amy\Cookies\amy@ehg-legacy.hitbox[2].txt
E:\Documents and Settings\Amy\Cookies\amy@ehg-playboy.hitbox[2].txt
E:\Documents and Settings\Amy\Cookies\amy@ehg-traderelectronicmedia.hitbox[2].txt
E:\Documents and Settings\Amy\Cookies\amy@exitexchange[1].txt
E:\Documents and Settings\Amy\Cookies\amy@fastclick[1].txt
E:\Documents and Settings\Amy\Cookies\amy@focalex[1].txt
E:\Documents and Settings\Amy\Cookies\amy@gostats[1].txt
E:\Documents and Settings\Amy\Cookies\amy@hitbox[1].txt
E:\Documents and Settings\Amy\Cookies\amy@i.screensavers[1].txt
E:\Documents and Settings\Amy\Cookies\amy@icc.intellisrv[1].txt
E:\Documents and Settings\Amy\Cookies\amy@image.masterstats[1].txt
E:\Documents and Settings\Amy\Cookies\amy@interclick[2].txt
E:\Documents and Settings\Amy\Cookies\amy@itnnetmedia[2].txt
E:\Documents and Settings\Amy\Cookies\amy@kanoodle[1].txt
E:\Documents and Settings\Amy\Cookies\amy@m1.webstats4u[1].txt
E:\Documents and Settings\Amy\Cookies\amy@maxserving[1].txt
E:\Documents and Settings\Amy\Cookies\amy@mediaonenetwork[1].txt
E:\Documents and Settings\Amy\Cookies\amy@mediaplex[2].txt
E:\Documents and Settings\Amy\Cookies\amy@monster.gostats[2].txt
E:\Documents and Settings\Amy\Cookies\amy@nextag[2].txt
E:\Documents and Settings\Amy\Cookies\amy@partner2profit[2].txt
E:\Documents and Settings\Amy\Cookies\amy@partners.webmasterplan[1].txt
E:\Documents and Settings\Amy\Cookies\amy@partypoker[2].txt
E:\Documents and Settings\Amy\Cookies\amy@perf.overture[1].txt
E:\Documents and Settings\Amy\Cookies\amy@phg.hitbox[2].txt
E:\Documents and Settings\Amy\Cookies\amy@pornaccess[2].txt
E:\Documents and Settings\Amy\Cookies\amy@pornstarbucks[1].txt
E:\Documents and Settings\Amy\Cookies\amy@qksrv[2].txt
E:\Documents and Settings\Amy\Cookies\amy@qnsr[1].txt
E:\Documents and Settings\Amy\Cookies\amy@questionmarket[1].txt
E:\Documents and Settings\Amy\Cookies\amy@realmedia[1].txt
E:\Documents and Settings\Amy\Cookies\amy@redorbit[2].txt
E:\Documents and Settings\Amy\Cookies\amy@revsci[1].txt
E:\Documents and Settings\Amy\Cookies\amy@roiservice[1].txt
E:\Documents and Settings\Amy\Cookies\amy@sel.as-eu.falkag[1].txt
E:\Documents and Settings\Amy\Cookies\amy@serving-sys[1].txt
E:\Documents and Settings\Amy\Cookies\amy@sexydreamgirls[1].txt
E:\Documents and Settings\Amy\Cookies\amy@starware[2].txt
E:\Documents and Settings\Amy\Cookies\amy@statcounter[1].txt
E:\Documents and Settings\Amy\Cookies\amy@stats1.reliablestats[2].txt
E:\Documents and Settings\Amy\Cookies\amy@stats24[1].txt
E:\Documents and Settings\Amy\Cookies\amy@statse.webtrendslive[2].txt
E:\Documents and Settings\Amy\Cookies\amy@superstats[1].txt
E:\Documents and Settings\Amy\Cookies\amy@tacoda[2].txt
E:\Documents and Settings\Amy\Cookies\amy@tgp.xxxkey[1].txt
E:\Documents and Settings\Amy\Cookies\amy@toplist[1].txt
E:\Documents and Settings\Amy\Cookies\amy@tradedoubler[2].txt
E:\Documents and Settings\Amy\Cookies\amy@trafficmp[2].txt
E:\Documents and Settings\Amy\Cookies\amy@tripod[1].txt
E:\Documents and Settings\Amy\Cookies\amy@valueclick[1].txt
E:\Documents and Settings\Amy\Cookies\amy@valueclick[2].txt
E:\Documents and Settings\Amy\Cookies\amy@webpower[1].txt
E:\Documents and Settings\Amy\Cookies\amy@windowsmedia[1].txt
E:\Documents and Settings\Amy\Cookies\amy@www.burstbeacon[1].txt
E:\Documents and Settings\Amy\Cookies\amy@www.entrepreneur[1].txt
E:\Documents and Settings\Amy\Cookies\amy@www.etracker[2].txt
E:\Documents and Settings\Amy\Cookies\amy@www.matureporno[1].txt
E:\Documents and Settings\Amy\Cookies\amy@www.mediainfo[1].txt
E:\Documents and Settings\Amy\Cookies\amy@www.pornfidelity[1].txt
E:\Documents and Settings\Amy\Cookies\amy@www.redorbit[2].txt
E:\Documents and Settings\Amy\Cookies\amy@www.screensavers[1].txt
E:\Documents and Settings\Amy\Cookies\amy@www.xxxvogue[2].txt
E:\Documents and Settings\Amy\Cookies\amy@xiti[1].txt
E:\Documents and Settings\Amy\Cookies\amy@yieldmanager[1].txt
E:\Documents and Settings\Amy\Cookies\amy@z1.adserver[1].txt
E:\Documents and Settings\Amy\Cookies\amy@zedo[2].txt

Unclassified.Unknown Origin
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\InprocServer32
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\InprocServer32#ThreadingModel
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\Programmable
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\TypeLib
C:\DOCUMENTS AND SETTINGS\MINKYLINA\DESKTOP\BACKUPS\BACKUP-20070916-164404-754.DLL
C:\DOCUMENTS AND SETTINGS\MINKYLINA\DESKTOP\BACKUPS\BACKUP-20070916-164404-938.DLL

Adware.ZenoSearch-NVON
C:\WINDOWS\SYSTEM32\KSDSRNGR.EXE
C:\DOCUMENTS AND SETTINGS\MINKYLINA\DESKTOP\BACKUPS\BACKUP-20070916-164405-229-TA_START.LNK
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DWDSRNGT.EXE.VIR

Trojan.Downloader-Gen/HitItQuitIt
C:\DOCUMENTS AND SETTINGS\MINKYLINA\DESKTOP\BACKUPS\BACKUP-20070916-164405-406.DLL

Adware.WebBuying Assistant-Installer
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.4\WBUNINST.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.4\WEBBUYING.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\H2\MCCWB2.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\WBUN.EXE.VIR

Adware.eZula
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BTEXYNLT.EXE.VIR

Trojan.ZenoSearch
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QWINTLDT.EXE.VIR

Adware.ClearSearch
E:\PROGRAM FILES\42JHVZDU\66644896.EXE
E:\PROGRAM FILES\42JHVZDU\81187518.EXE
E:\PROGRAM FILES\42JHVZDU\9GYTSK2W.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP479\A0060322.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP479\A0060323.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP479\A0060324.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP479\A0060325.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP479\A0060329.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP479\A0060330.DLL

Adware.Viewpoint Toolbar
E:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL


Also, here is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:57 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\PdeSrv2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\HijackThis\abc.bat.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 4299 bytes


My pc is running quite a bit better than it was. I was able to set the homepage on IE back to google (what it was before) and it hasn't been changed, and no popups from IE whether it's running or not so far. Performance of both IE and Firefox is much faster. Startup is still a tad slow but much faster than it was before. The last few times I started (save for the time combofix restarted my computer for me, which was the very last time), I received a splash screen telling me the following dll was missing: C:/WINDOWS/system32/cvlpsaww.dll.

I'm not sure if that's still the case as I've not restarted since then but overall, computer performance is much improved over the last 24 hours! :thumbsup:
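The detection log earlier in this post lists hits by classification, but what decides the next step is where each hit lives: a file still in place under C:\WINDOWS\SYSTEM32, a copy already quarantined by Combofix under C:\QOOBOX (the .VIR files), a copy trapped inside a System Restore point, or a timestamped backup copy. The following is an added example, not part of this post and not a tool from any scanner vendor: it parses a log of the shape posted above and sorts the hits into those buckets. The sample log is constructed from entries in the posted layout, and the bucket rules are my own assumptions about the path layouts shown.

```python
"""Sort detection-log hits by where they live.

Added example for this thread, not a tool from the forum or from any
scanner vendor. It assumes the layout visible in the post above: a blank
line, a classification name, then one file path or registry key per line.
The bucket rules are my assumptions about the path layouts shown there.
"""
import re
from collections import defaultdict

# Constructed sample in the posted layout; the entries mirror lines from
# the post but are embedded here only as test input.
SAMPLE_LOG = r"""Unclassified.Unknown Origin
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}
C:\DOCUMENTS AND SETTINGS\MINKYLINA\DESKTOP\BACKUPS\BACKUP-20070916-164404-754.DLL

Adware.ZenoSearch-NVON
C:\WINDOWS\SYSTEM32\KSDSRNGR.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DWDSRNGT.EXE.VIR

Adware.ClearSearch
E:\PROGRAM FILES\42JHVZDU\66644896.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP479\A0060322.EXE
"""


def parse_detections(text):
    """Return {classification: [item, ...]}; a blank line ends a group."""
    groups = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif current is None:
            current = line          # first line after a gap is the label
        else:
            groups[current].append(line)
    return dict(groups)


def locate(item):
    """Bucket one hit by where it sits; most specific rule first."""
    up = item.upper()
    if up.startswith(("HKCR\\", "HKLM\\", "HKCU\\", "HKEY_")):
        return "registry"
    if "\\QOOBOX\\QUARANTINE\\" in up or up.endswith(".VIR"):
        return "quarantine"       # already neutralised by Combofix
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in up:
        return "restore_point"    # survives until restore points are purged
    if "\\COOKIES\\" in up:
        return "cookie"
    if re.search(r"\\BACKUP-\d{8}-\d{6}-", up):
        return "backup"           # assumed: timestamped backup copies
    return "live"                 # still in place; needs hands-on removal


def triage(text):
    """Map bucket -> [(classification, item), ...] for a whole log."""
    buckets = defaultdict(list)
    for label, items in parse_detections(text).items():
        for item in items:
            buckets[locate(item)].append((label, item))
    return dict(buckets)


def live_files(text):
    """The hits that still need hands-on removal, sorted."""
    return sorted(item for _, item in triage(text).get("live", []))


if __name__ == "__main__":
    for bucket, hits in sorted(triage(SAMPLE_LOG).items()):
        print(f"{bucket} ({len(hits)})")
        for label, item in hits:
            print(f"  {label}: {item}")
```

Run against the full posted log, the same rules would put KSDSRNGR.EXE in the live bucket (the file RichieUK later asks to find and delete by hand) and the RP479 copies in the restore-point bucket, which is why the thread ends with Disk Cleanup removing all but the newest restore point. Quarantined .VIR files need no further action beyond deleting C:\qoobox once the machine is clean.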

#6 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 18 September 2007 - 06:28 PM

I downloaded Killbox and it's on my desktop, but when I double click on it to try to run it a splash screen pops up that says:
component "MSCOMTL.OCX" or one of its dependencies is not correctly registered: a file is missing or invalid.

Download this file to your 'System32' folder then rerun the Killbox instructions:
http://www.boletrice.com/downloads/mscomctl.ocx

I received a splash screen telling me the following dll was missing: C:/WINDOWS/system32/cvlpsaww.dll.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemOptimizer"=-

Download\install CleanUp.
Launch CleanUp,then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok',now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

Let me know how your pc is running now please.
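The HijackThis log in the post before this one and the fix.reg RichieUK supplies here are two ends of one workflow: spot the autostart entry in the log, then delete that Run value with the REGEDIT4 `"Name"=-` syntax. The block below is an added example (mine, not HijackThis and not a tool the helpers posted). It parses the Running processes, O4 and O23 lines of an HJT 2.x log, flags entries with a few crude heuristics of my own (an O23 service listed with "Unknown owner", a double extension, an executable autostarting from a Windows directory that is not on a small allowlist), and drafts the matching fix.reg. The sample log is constructed: it pairs the SystemOptimizer value name from the posted fix.reg with a hypothetical path, which the thread never shows.

```python
"""Triage a HijackThis 2.x log and draft the matching fix.reg.

Added example for this thread; it is not HijackThis, nor anything the
helpers here posted. The line shapes it parses (Running processes, O4
Run entries, O23 services) are those visible in the log above. The
flagging rules are my own crude heuristics, not HijackThis logic, and
the sample log below is constructed: the SystemOptimizer path is
hypothetical, the thread never shows what that value pointed to.
"""
import re
from pathlib import PureWindowsPath

# System binaries that legitimately autostart from a Windows directory.
# Assumed allowlist; extend it for the machine being examined.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe", "ctfmon.exe", "wscntfy.exe", "notepad.exe",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")

# Constructed sample; line shapes copied from the posted log.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\abc.bat.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] C:\WINDOWS\system32\ksdsrngr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


def executable_of(command):
    """Return the program path from a Run command line, dropping arguments."""
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.(?:exe|dll|bat|com|scr))(?:\s|$)", command, re.I)
    return m.group(1) if m else command


def suspicious_path(path):
    """Return a reason string if PATH trips a heuristic, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if re.search(r"\.[a-z0-9]{2,4}\.(exe|com|scr|bat|pif)$", name):
        return "double extension"
    if parent in SYSTEM_DIRS and name not in KNOWN_SYSTEM_BINARIES:
        return "unlisted executable in a Windows directory"
    return None


def parse_hjt(text):
    """Yield (kind, name, path, extra): extra is the hive (O4) or owner (O23)."""
    in_procs = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                      # blank line closes the section
                in_procs = False
                continue
            yield ("process", PureWindowsPath(line).name, line, "")
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            yield ("O4", name, executable_of(command), hive)
            continue
        if line.startswith("O23 - Service: "):
            parts = line.split(" - ")         # O23, Service: <display>, <owner>, <path>
            display = parts[1][len("Service: "):]
            yield ("O23", display, executable_of(" - ".join(parts[3:])), parts[2])


def triage(text):
    """Return the entries worth a human look, each with the reason."""
    findings = []
    for kind, name, path, extra in parse_hjt(text):
        if kind == "O23" and extra == "Unknown owner":
            reason = "Unknown owner"
        else:
            reason = suspicious_path(path)
        if reason:
            findings.append({"kind": kind, "name": name, "path": path,
                             "extra": extra, "reason": reason})
    return findings


def fix_reg(findings):
    """Draft a REGEDIT4 file deleting the flagged O4 Run values ("Name"=-)."""
    by_hive = {}
    for f in findings:
        if f["kind"] == "O4":
            by_hive.setdefault(f["extra"], []).append(f["name"])
    lines = ["REGEDIT4", ""]                  # blank line after the header
    for hive, names in by_hive.items():
        lines.append(f"[{HIVES[hive]}\\{RUN_KEY}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")                      # trailing newline for regedit
    return "\r\n".join(lines)


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT)
    for h in hits:
        print(f"{h['kind']:7} {h['name']:20} {h['reason']}: {h['path']}")
    print(fix_reg(hits))
```

A hit is a prompt for a human look, not a verdict: on the full posted log these rules would also flag a few vendor binaries running from system32 that are simply not on the allowlist, and abc.bat.exe in the HijackThis folder. The drafted .reg keeps a blank line after REGEDIT4 and ends with a newline; regedit is known to ignore the last line of a file that lacks one.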

#7 slothnamedslow
  • Topic Starter
  • Members
  • 13 posts

Posted 18 September 2007 - 07:15 PM

Download this file to your 'System32' folder then rerun the Killbox instructions:
http://www.boletrice.com/downloads/mscomctl.ocx


I downloaded this file to the System 32 folder, and verified that it was there, but I still cannot run Killbox; I am getting the same error. I checked the System 32 folder and the mscomctl.ocx file was downloaded at 7:40 p.m. I then restarted to see if Killbox would work, and it didn't, and there is another file in the System 32 folder called wpa.dbl that appeared at 7:57 p.m.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemOptimizer"=-


I did not run this portion because on my last three restarts after I ran combofix (and after I posted the last message to you), I have not received a message stating that dll is missing; not sure if combofix corrected that. Please let me know if I should still do this step.



Download\install CleanUp.
Launch CleanUp,then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok',now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

Let me know how your pc is running now please.


Did this and ran per your instructions. I love the toilet flushing noise it makes! :blink: Cleanup told me that it was running in trial mode or some such thing; it showed me a list of all the things it "cleaned" but did not delete them, and said if I ran in regular mode I could delete these files. (As I said, I followed all instructions, and this is what it told me). Should I run again and delete, or no? A lot of the files looked like cookies, but there were others.

PC is running quite well now! Startup a lot faster, browsers loading faster, no popups, etc. I am so pleased!!!! :wacko: :) :) :thumbsup:

#8 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 18 September 2007 - 07:57 PM

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Find and delete if present:
C:\WINDOWS\system32\ksdsrngr.exe

If the above file is present but it won't allow you to delete it, try in Safe Mode:
Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Restart normally when you're done.

Run CleanUp again and delete everything it lists.

Let me know how you got on.

#9 slothnamedslow
  • Topic Starter
  • Members
  • 13 posts

Posted 19 September 2007 - 04:27 PM

Hi Richie,

The C:\WINDOWS\system32\ksdsrngr.exe file is not on my computer, so I did not need to delete it.

I ran Cleanup again, and deleted the files. Computer is running wicked well now! Let me know if there is anything else I should be doing. If not, I thank you so much for all your assistance! I am so happy that you were able to help me.

Besides running my antivirus as I normally do, should I be running anything else (i.e. SUPERAntiSpyware, or all the other programs we did, which are still installed) on a weekly/whatever basis?

Thanks! :thumbsup:

#10 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 19 September 2007 - 05:43 PM

Your log is clean :thumbsup:
If all's ok,please do the following.
Find and delete:
fix.reg
Combofix.exe
KillBox.exe

C:\qoobox
C:\!KillBox

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section, have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#11 slothnamedslow
  • Topic Starter
  • Members
  • 13 posts

Posted 20 September 2007 - 03:47 PM

Thanks again for all your help. I did the last steps noted above and have bookmarked and am reading the link you recommended.

#12 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 20 September 2007 - 05:22 PM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
