Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winshow And Webbuying Problem


  • Please log in to reply
10 replies to this topic

#1 MichaelH

MichaelH

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 18 October 2007 - 01:29 PM

Hi, my mothers computer is infected and she is freaking out without her internet. I have:

1. run spybotSD and AdAware in both regular and safe mode (updated and immunized).
2. run AvastAV in regular and at boot time.
3. run SuperAntiSpyware.

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:44 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\winshow.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\hjakThsscanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {01abded4-b194-4401-bead-e526f65a49e5} - C:\WINDOWS\system32\dvgpwht.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {2DA54036-41EA-48F5-8745-96F6B948D7BD} - C:\Program Files\Windows Media Player\holesuguqC:\WINDOWS\SYSTEM32\cap1\dode83122.exe.dll (file missing)
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\qbsbglmq.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\rhwgbbjt.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\xxyaxut.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rhwgbbjt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\bfloxhyn.dll",sitypnow
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: osmim.dll
O10 - Unknown file in Winsock LSP: osmim.dll
O10 - Unknown file in Winsock LSP: osmim.dll
O10 - Unknown file in Winsock LSP: osmim.dll
O10 - Unknown file in Winsock LSP: osmim.dll
O10 - Unknown file in Winsock LSP: osmim.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rhwgbbjt - C:\WINDOWS\SYSTEM32\rhwgbbjt.dll
O20 - Winlogon Notify: xxyaxut - C:\WINDOWS\SYSTEM32\xxyaxut.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O24 - Desktop Component 0: (no name) - http://www.harvardsquarelibrary.org/unitar.../background.gif
O24 - Desktop Component 1: (no name) - http://http.earthcache.net/SSVC005186.oc.e...s/chudleigh.jpg
O24 - Desktop Component 2: (no name) - http://www.si.umich.edu/Space/browser/Space/jupi/jupiter.gif
O24 - Desktop Component 3: (no name) - http://www.physicsclassroom.com/images/banner_right.gif

--
End of file - 8099 bytes



SUPERANTISPYWARE LOG

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/18/2007 at 12:53 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:34:02

Memory items scanned : 374
Memory threats detected : 2
Registry items scanned : 4633
Registry threats detected : 17
File items scanned : 36704
File threats detected : 37

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\GEEBY.DLL
C:\WINDOWS\SYSTEM32\GEEBY.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A5D6559-94B5-4A8C-B050-309573ED9E37}
HKCR\CLSID\{1A5D6559-94B5-4A8C-B050-309573ED9E37}
HKCR\CLSID\{1A5D6559-94B5-4A8C-B050-309573ED9E37}\InprocServer32
HKCR\CLSID\{1A5D6559-94B5-4A8C-B050-309573ED9E37}\InprocServer32#ThreadingModel

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\QBSBGLMQ.DLL
C:\WINDOWS\SYSTEM32\QBSBGLMQ.DLL

Adware.Tracking Cookie
C:\Documents and Settings\jill\cookies\jill@partner2profit[1].txt
C:\Documents and Settings\jill\cookies\jill@2o7[2].txt
C:\Documents and Settings\jill\cookies\jill@advertstream[2].txt
C:\Documents and Settings\jill\cookies\jill@atdmt[2].txt
C:\Documents and Settings\jill\cookies\jill@adbrite[1].txt
C:\Documents and Settings\jill\cookies\jill@anad.tacoda[1].txt
C:\Documents and Settings\jill\cookies\jill@media.adrevolver[2].txt
C:\Documents and Settings\jill\cookies\jill@clicksor[1].txt
C:\Documents and Settings\jill\cookies\jill@sexbuddies[2].txt
C:\Documents and Settings\jill\cookies\jill@xiti[1].txt
C:\Documents and Settings\jill\cookies\jill@adrevolver[1].txt
C:\Documents and Settings\jill\cookies\jill@tacoda[2].txt
C:\Documents and Settings\jill\cookies\jill@trafficmp[1].txt
C:\Documents and Settings\jill\cookies\jill@adsrevenue[2].txt
C:\Documents and Settings\jill\cookies\jill@advertising[1].txt
C:\Documents and Settings\jill\cookies\jill@realmedia[2].txt
C:\Documents and Settings\jill\cookies\jill@adopt.specificclick[1].txt
C:\Documents and Settings\jill\cookies\jill@stats2.reliablestats[2].txt
C:\Documents and Settings\jill\cookies\jill@ads.pointroll[2].txt
C:\Documents and Settings\jill\cookies\jill@zedo[2].txt
C:\Documents and Settings\jill\cookies\jill@atwola[1].txt
C:\Documents and Settings\jill\cookies\jill@revsci[2].txt
C:\Documents and Settings\jill\cookies\jill@ads.adbrite[2].txt
C:\Documents and Settings\jill\cookies\jill@toplist[1].txt
C:\Documents and Settings\jill\cookies\jill@statsgod[2].txt
C:\Documents and Settings\jill\cookies\jill@fastclick[1].txt
C:\Documents and Settings\jill\cookies\jill@serving-sys[2].txt
C:\Documents and Settings\jill\cookies\jill@doubleclick[1].txt
C:\Documents and Settings\jill\cookies\jill@ar.atwola[1].txt
C:\Documents and Settings\jill\cookies\jill@edge.ru4[1].txt
C:\Documents and Settings\jill\cookies\jill@bs.serving-sys[1].txt
C:\Documents and Settings\jill\cookies\jill@precisionclick[1].txt

Trojan.Spyware Stormer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\Contains
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\Contains\Files
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\Contains\Files#C:\WINDOWS\Downloaded Program Files\Install.dll
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\DownloadInformation#CODEBASE
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\DownloadInformation#INF
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\InstalledVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\InstalledVersion#LastModified

Adware.Web Buying
HKU\S-1-5-21-19272783-1081834574-1454861426-1007\Software\WebBuying

Trojan.Downloader-Gen/RetAd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 ]

Adware.ClickSpring/Yazzle
C:\DOCUMENTS AND SETTINGS\JILL\LOCAL SETTINGS\TEMP\YAZZLEBUNDLE-1549.EXE
C:\WINDOWS\PREFETCH\YAZZLE1549OINADMIN.EXE-0C086C08.PF
C:\WINDOWS\PREFETCH\YAZZLEBUNDLE-1549.EXE-25D96D24.PF



Thanks,
~Mike~

BC AdBot (Login to Remove)

 


m

#2 MichaelH

MichaelH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 18 October 2007 - 01:33 PM

Also, I'm flopping the logs with a memory stick to my laptop as I do not want to hook mom's PC up to my network and compromise my own security.
All scanners are updated as of 2 days ago, with the exception of SAS, which I downloaded last night but have not updated.

I have also enabled hidden files and extensions as well as disabling system restore.

I have not run any online scans, but Avast has been pretty good to me in the past.

I've posted to other forums and thought that I had done all the prelimanary things... didn't notice that you folks wanted me to install firewall and mcafee stinger.
I will do this if necessary, but this PC isn't all that infected as far as I can see it just has a couple real nasties on it.

I had intended on putting zonealarm on mom's PC as soon as it is clean, ZA runs on all my computers even though people tell me I don't need it with a router.

Edited by MichaelH, 18 October 2007 - 01:45 PM.


#3 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 20 October 2007 - 03:10 AM

Hi Michael and Welcome to the Bleeping Computer!


Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#4 MichaelH

MichaelH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  

Posted 20 October 2007 - 11:05 AM

Hi Cretemonster, thanks for helping me.

when I started combofix, the work offline window popped up telling me "no connection to the internet". I intentionally do not have it connected to my router, do I need to for combofix to work right? proceeded anyway:

combofix rebooted machine then it's window said "please do not start any programs" and SAS autostarted along with my other start programs

Also, 4 Avast mail scanner warnings came up "Avast mail scanner can not protect..."

logs as follows:

COMBOFIX


ComboFix 07-10-20.6 - jill 2007-10-20 11:47:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.237 [GMT -4:00]
Running from: C:\Documents and Settings\jill\Desktop\ToolsForMom\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\jill\Desktop\Live Safety Center.lnk
C:\Documents and Settings\jill\Desktop\Live Safety Center.lnk
C:\Documents and Settings\jill\Desktop\Live Safety Center.lnk
C:\Documents and Settings\jill\Desktop\Online Security Guide.lnk
C:\Documents and Settings\jill\Desktop\Online Security Guide.lnk
C:\Documents and Settings\jill\Desktop\Online Security Guide.lnk
C:\Documents and Settings\jill\Favorites\Online Security Guide.lnk
c:\documents and settings\jill\favorites\Online Security Guide.lnk
C:\Documents and Settings\jill\Favorites\Online Security Guide.lnk
C:\Program Files\Hammer.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bfloxhyn.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\dvgpwht.dll
C:\WINDOWS\system32\iidhlcmw.exe
C:\WINDOWS\SYSTEM32\nyhxolfb.ini
C:\WINDOWS\system32\osmim.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\rhwgbbjt.dll
C:\WINDOWS\system32\rhwgbbjt.dll
C:\WINDOWS\system32\rhwgbbjt.dllbox
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\xxyaxut.dll
C:\WINDOWS\system32\xxyaxut.dll
C:\WINDOWS\SYSTEM32\ybeeg.bak1
C:\WINDOWS\SYSTEM32\ybeeg.bak1
C:\WINDOWS\SYSTEM32\ybeeg.bak2
C:\WINDOWS\SYSTEM32\ybeeg.bak2
C:\WINDOWS\SYSTEM32\ybeeg.ini2
C:\WINDOWS\SYSTEM32\ybeeg.ini2
C:\WINDOWS\SYSTEM32\ybeeg.tmp
C:\WINDOWS\SYSTEM32\ybeeg.tmp
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\winshow.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FAD
-------\LEGACY_NPF
-------\nm
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-20 11:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 13:51 <DIR> d-------- C:\WINDOWS\pss
2007-10-18 13:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-18 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-18 12:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-18 12:11 <DIR> d-------- C:\Documents and Settings\jill\Application Data\SUPERAntiSpyware.com
2007-10-18 12:11 <DIR> d-------- C:\Documents and Settings\jill\Application Data\SUPERAntiSpyware.com
2007-10-18 12:11 <DIR> d-------- C:\Documents and Settings\jill\Application Data\SUPERAntiSpyware.com
2007-10-18 12:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-16 16:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\pod2
2007-10-16 16:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\cap1
2007-10-16 16:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\bib1
2007-10-16 16:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\oTt08e
2007-10-16 16:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\bco2
2007-10-16 16:37 <DIR> d-------- C:\Temp
2007-10-16 16:37 424,327 --a------ C:\Temp\cilo.exe
2007-10-16 16:36 35,840 --a------ C:\WINDOWS\tsitra77.exe
2007-10-15 17:04 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-10-15 17:04 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-10-15 17:04 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-10-15 17:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-15 17:03 801,144 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-10-15 17:03 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-10-15 17:03 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-10-15 17:03 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-10-15 16:27 <DIR> d-------- C:\Program Files\Yamicsoft
2007-10-15 16:17 <DIR> d-------- C:\Program Files\CCleaner
2007-10-14 15:31 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-10-14 10:51 <DIR> d-------- C:\Program Files\DellSupport

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 18:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-16 16:39 --------- d-----w C:\Program Files\Real
2007-10-15 21:27 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2007-10-15 20:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 20:05 --------- d-----w C:\Program Files\Google
2007-10-14 15:11 --------- d--h--w C:\Documents and Settings\jill\Application Data\GTek
2007-10-14 15:11 --------- d--h--w C:\Documents and Settings\jill\Application Data\GTek
2007-10-14 15:11 --------- d--h--w C:\Documents and Settings\jill\Application Data\GTek
2006-03-25 21:39 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DA54036-41EA-48F5-8745-96F6B948D7BD}]
C:\Program Files\Windows Media Player\holesuguqC:\WINDOWS\SYSTEM32\cap1\dode83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-22 00:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-22 00:44]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-01-22 05:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-18 13:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
"C:_Program Files_WordPerfe3a"="C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe" [2003-03-07 06:58]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-01-22 05:00:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 11:57:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-20 11:59:13 - machine was rebooted
.
--- E O F ---




HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:40 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\HijackThis\hjakThsscanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {2DA54036-41EA-48F5-8745-96F6B948D7BD} - C:\Program Files\Windows Media Player\holesuguqC:\WINDOWS\SYSTEM32\cap1\dode83122.exe.dll (file missing)
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O24 - Desktop Component 0: (no name) - http://www.harvardsquarelibrary.org/unitar.../background.gif
O24 - Desktop Component 1: (no name) - http://http.earthcache.net/SSVC005186.oc.e...s/chudleigh.jpg
O24 - Desktop Component 2: (no name) - http://www.si.umich.edu/Space/browser/Space/jupi/jupiter.gif
O24 - Desktop Component 3: (no name) - http://www.physicsclassroom.com/images/banner_right.gif

--
End of file - 6949 bytes

#5 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 20 October 2007 - 11:15 AM

Nice progress,dont worry about the encounters you had during the ComboFix run,those are all perfectly normal,hopefully after this run,some sanity will be restored to the machine. :thumbsup:


Copy the text below to notepad and save it to the desktop with the name CFScript.txt

File::
C:\WINDOWS\tsitra77.exe
Folder::
C:\WINDOWS\SYSTEM32\pod2
C:\WINDOWS\SYSTEM32\cap1
C:\WINDOWS\SYSTEM32\bib1
C:\WINDOWS\SYSTEM32\oTt08e
C:\WINDOWS\SYSTEM32\bco2
C:\Temp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DA54036-41EA-48F5-8745-96F6B948D7BD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

Once saved,drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed,post the new CombFix log and a fresh HijackThis log.

#6 MichaelH

MichaelH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 20 October 2007 - 11:48 AM

Done...
My plan for when this is complete is:

1) Install ZoneAlarm
2) Update JRE

Is there anything else you would suggest, I have SuperAntiSpyware on there now, along with Avast and I have immunized with Spybot. Windows has been updated, but I will do so again once this is clean.

COMBOFIX

ComboFix 07-10-20.6 - jill 2007-10-20 12:35:23.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.257 [GMT -4:00]
Running from: C:\Documents and Settings\jill\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jill\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\tsitra77.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\Temp\cilo.exe
C:\WINDOWS\SYSTEM32\bco2
C:\WINDOWS\SYSTEM32\bib1
C:\WINDOWS\SYSTEM32\bib1\rwv12drvr.exe
C:\WINDOWS\SYSTEM32\cap1
C:\WINDOWS\SYSTEM32\cap1\dode83122.exe
C:\WINDOWS\SYSTEM32\oTt08e
C:\WINDOWS\SYSTEM32\oTt08e\oTt08e1099.exe
C:\WINDOWS\SYSTEM32\pod2
C:\WINDOWS\tsitra77.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-20 11:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 13:51 <DIR> d-------- C:\WINDOWS\pss
2007-10-18 13:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-18 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-18 12:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-18 12:11 <DIR> d-------- C:\Documents and Settings\jill\Application Data\SUPERAntiSpyware.com
2007-10-18 12:11 <DIR> d-------- C:\Documents and Settings\jill\Application Data\SUPERAntiSpyware.com
2007-10-18 12:11 <DIR> d-------- C:\Documents and Settings\jill\Application Data\SUPERAntiSpyware.com
2007-10-18 12:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 17:04 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-10-15 17:04 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-10-15 17:04 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-10-15 17:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-15 17:03 801,144 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-10-15 17:03 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-10-15 17:03 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-10-15 17:03 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-10-15 16:27 <DIR> d-------- C:\Program Files\Yamicsoft
2007-10-15 16:17 <DIR> d-------- C:\Program Files\CCleaner
2007-10-14 15:31 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-10-14 10:51 <DIR> d-------- C:\Program Files\DellSupport

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 18:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-16 16:39 --------- d-----w C:\Program Files\Real
2007-10-15 21:27 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2007-10-15 20:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 20:05 --------- d-----w C:\Program Files\Google
2007-10-14 15:11 --------- d--h--w C:\Documents and Settings\jill\Application Data\GTek
2007-10-14 15:11 --------- d--h--w C:\Documents and Settings\jill\Application Data\GTek
2007-10-14 15:11 --------- d--h--w C:\Documents and Settings\jill\Application Data\GTek
2007-08-22 12:55 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 19:34 3,584,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-08-13 22:54 413,696 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2007-08-13 22:54 413,696 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
2007-08-13 22:54 33,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-08-13 22:54 191,488 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-08-13 22:54 156,160 ----a-w C:\WINDOWS\SYSTEM32\msls31.dll
2007-08-13 22:54 156,160 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msls31.dll
2007-08-13 22:45 78,336 ----a-w C:\WINDOWS\SYSTEM32\ieencode.dll
2007-08-13 22:45 78,336 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieencode.dll
2007-08-13 22:44 69,120 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-08-13 22:44 40,960 ----a-w C:\WINDOWS\SYSTEM32\licmgr10.dll
2007-08-13 22:44 40,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\licmgr10.dll
2007-08-13 22:42 17,408 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\corpol.dll
2007-08-13 22:39 92,672 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-08-13 22:39 71,680 ----a-w C:\WINDOWS\SYSTEM32\admparse.dll
2007-08-13 22:39 71,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\admparse.dll
2007-08-13 22:39 55,296 ----a-w C:\WINDOWS\SYSTEM32\iesetup.dll
2007-08-13 22:39 55,296 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iesetup.dll
2007-08-13 22:38 491,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-08-13 22:36 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-08-13 22:36 36,352 ----a-w C:\WINDOWS\SYSTEM32\imgutil.dll
2007-08-13 22:36 36,352 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\imgutil.dll
2007-08-13 22:35 346,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-08-13 22:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\mshta.exe
2007-08-13 22:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshta.exe
2007-08-13 22:18 60,416 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\hmmapi.dll
2007-08-13 22:01 48,128 ----a-w C:\WINDOWS\SYSTEM32\mshtmler.dll
2007-08-13 22:01 48,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmler.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2006-03-25 21:39 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-22 00:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-22 00:44]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-01-22 05:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-18 13:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
"C:_Program Files_WordPerfe3a"="C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe" [2003-03-07 06:58]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-01-22 05:00:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 12:37:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-20 12:38:33
C:\ComboFix2.txt ... 2007-10-20 11:59
.
--- E O F ---


HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:06 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\hjakThsscanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O24 - Desktop Component 0: (no name) - http://www.harvardsquarelibrary.org/unitar.../background.gif
O24 - Desktop Component 1: (no name) - http://http.earthcache.net/SSVC005186.oc.e...s/chudleigh.jpg
O24 - Desktop Component 2: (no name) - http://www.si.umich.edu/Space/browser/Space/jupi/jupiter.gif
O24 - Desktop Component 3: (no name) - http://www.physicsclassroom.com/images/banner_right.gif

--
End of file - 6643 bytes


Thank You Very Much :thumbsup:

#7 MichaelH

MichaelH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  

Posted 20 October 2007 - 11:49 AM

oh yea, I'll run CCleaner and ATF cleaner as well.

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 20 October 2007 - 12:19 PM

Avast and ZoneAlarm Free are a very nice combination for free if you ask me. :thumbsup:

After running the temp file cleaners,please rebbot the machine fresh.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#9 MichaelH

MichaelH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 20 October 2007 - 07:08 PM

Thank You for all your help, here's a virtual heineken.

I will do the scan as soon as I hook internet up to sick computer.

Do you need another HJT log, or was it looking clean?



~Mike~

#10 MichaelH

MichaelH
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 21 October 2007 - 09:45 AM

F-secure found 11 problems and fixed them, I'm attaching the log from that as well as a new HJT, let me know if it looks good.
Looks like all the problems that F-secure found where in the system restore section and not active anyhow, I will create a new restore point and turn system restore back on.

Thanks again, couldn't do it without you.


F-secure log
F-Secure Online Scanner 3.1.5 - Scanning Report - Sunday, October 21, 2007 10:25:26Scanning
Report
Sunday, October 21, 2007 08:56:57 - 10:25:25
Computer name: DELL1
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\



Result: 11 malware found
SpywareStormer (spyware)
System (Disinfected)
Trojan-Downloader.Win32.Agent.dve (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000079.EXE
(Renamed & Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000008.EXE
(Renamed & Submitted)
Trojan-Downloader.Win32.Agent.ehg (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000007.EXE
(Renamed & Submitted)
Trojan-Downloader.Win32.Delf.cpy (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000076.EXE
(Renamed & Submitted)
Trojan-Downloader.Win32.VB.bnq (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000078.EXE
(Renamed & Submitted)
Trojan.Win32.VB.bik (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000020.EXE
(Renamed & Submitted)
Vundo.gen41 (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000010.DLL
(Submitted)
Vundo.gen42 (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000026.DLL
(Submitted)
Vundo.gen45 (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000012.INI
(Submitted)
W32/TTC.DX.dropper (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000077.EXE
(Submitted)



Statistics
Scanned:
Files: 38969
System: 4079
Not scanned: 3
Actions:
Disinfected: 1
Renamed: 6
Deleted: 0
None: 4
Submitted: 10
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT



Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-10-21
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0598-150-72
F-Secure Libra: 2.4.2, 2007-10-19
F-Secure Orion: 1.2.37, 2007-10-19
F-Secure Pegasus: 1.19.0, 2007-09-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF
VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI
MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0
TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT
MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR
BZ2 HQX
Use Advanced heuristics



Copyright 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third
parties that F-Secure World Wide Web pages have a link to. Unless you have
clearly stated otherwise, by submitting material to any of our servers, for
example by E-mail or via our F-Secure's CGI E-mail, you agree that the
material you make available may be published in the F-Secure World Wide Pages
or hard-copy publications. You will reach F-Secure public web site by clicking
on underlined links. While doing this, your access will be logged to our
private access statistics with your domain name.This information will not be
given to any third party. You agree not to take action against us in relation
to material that you submit. Unless you have clearly stated otherwise, by
submitting material you warrant that F-Secure may incorporate any concepts
described in it in the F-Secure products/publications without liability.

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:20 AM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\hjakThsscanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O24 - Desktop Component 0: (no name) - http://www.harvardsquarelibrary.org/unitar.../background.gif
O24 - Desktop Component 1: (no name) - http://http.earthcache.net/SSVC005186.oc.e...s/chudleigh.jpg
O24 - Desktop Component 2: (no name) - http://www.si.umich.edu/Space/browser/Space/jupi/jupiter.gif
O24 - Desktop Component 3: (no name) - http://www.physicsclassroom.com/images/banner_right.gif

--
End of file - 7006 bytes

#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 21 October 2007 - 06:18 PM

Good observation about System Restore,I hope you enjoyed you Hieney,Im allergic myself,seems every time i drink Hieney,I break out in handcuffs! :thumbsup:


Lets see what another scanner finds...

Please run the Bit Defender Online Scan
http://www.bitdefender.com/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report in generates in a text format please and post it back here


Please post an uninstall list,
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file.
  • When you press Save button a notepad will open with the contents of that file.
  • Simply copy and paste the contents of that notepad into this topic please.

Edited by Cretemonster, 21 October 2007 - 06:18 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users