
Infected With Trojan Worm - Zlob?


13 replies to this topic

#1 nukegrrl

Posted 23 October 2007 - 06:44 PM

Hi!

Okay I think I was infected with Trojan.Zlob.N among possibly other viruses that created a pile of pop ups for fake virus scanning and adware/spyware programs.

At first I tried using Norton Antivirus, Spybot, and Adaware to remove the virus but was still having problems. On advice from another forum I removed those programs and downloaded PC-Cillin and ran it in Safe Mode. Success! It seems to have removed the virus (at least, I am not getting any more pop-ups, and subsequent scans are only picking up normal cookies from my internet travels).

Okay, so the problem is that I think the virus(es) made some sort of changes to the registry, wherein I cannot access "Set Program Access and Defaults" nor the Properites of "My Computer". I get an error message saying that access restrictions are in effect on this machine and to contact the administrator. I am on my home computer so I know that I am supposed to have access to these things (and indeed I did in the past).

I am running Windows XP, SP2 and normally use a firefox-type browser provided by my ISP.

The log generated by Hijack This is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:58 PM, on 23/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video Add-on\isfmntr.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Video Add-on\isfmm.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Jennifer Hooper\Desktop\Spyware Scanning\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: IE Custom Tools - {062F3F8B-CB94-4D76-A98A-EF800A438F01} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O20 - Winlogon Notify: jkklm - C:\WINDOWS\system32\jkklm.dll (file missing)
O22 - SharedTaskScheduler: celtiberi - {7999c5e2-b500-4ba5-8e9a-99639eca65fc} - C:\WINDOWS\system32\mxhfjy.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 9108 bytes

#2 RichieUK

  • Malware Response Team

Posted 24 October 2007 - 03:04 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum nukegrrl :thumbsup:
My name is Richie and I'll be helping you to fix your problems.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 nukegrrl


Posted 24 October 2007 - 10:59 AM

Thank you for responding!

ETA: I am now able to access the My Computer - Properties as well as Set Program Access and Defaults :thumbsup:


Here is the SDFix report file:


SDFix: Version 1.111

Run by Administrator on 24/10/2007 at 11:20 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\Downloaded Program Files\USYP_0001_N69M1703NetInstaller.exe - Deleted
C:\WINDOWS\Downloaded Program Files\USYP_0001_N73M0704NetInstaller.exe - Deleted
C:\WINDOWS\Downloaded Program Files\USYP_0001_N76M2004NetInstaller.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\FreshGames\\Cubis Gold\\CubisGold.exe"="C:\\Program Files\\FreshGames\\Cubis Gold\\CubisGold.exe:*:Disabled:Cubis Dx Version"
"C:\\NeverwinterNights\\NWN\\nwupdate.exe"="C:\\NeverwinterNights\\NWN\\nwupdate.exe:*:Enabled:NWN Update Program"
"C:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"="C:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE:*:Enabled:LiveUpdate - Norton AntiVirus"
"C:\\Program Files\\Yahoo! Games\\Cubis Gold 2\\cubis2.exe"="C:\\Program Files\\Yahoo! Games\\Cubis Gold 2\\cubis2.exe:*:Disabled:cubis2"
"C:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"="C:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe:*:Enabled:Dungeon Siege 2 Game Executable"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 4 May 2007 2,221,648 ...H. --- "C:\Program Files\Agatha Christie - Death on the Nile\DeathOnTheNile.exe"
Tue 12 Jun 2007 1,926,736 ...H. --- "C:\Program Files\Atlantis\atlantis.exe"
Mon 2 Jul 2007 3,142,984 ...H. --- "C:\Program Files\Azada\Azada.exe"
Mon 23 Jul 2007 2,016,584 ...H. --- "C:\Program Files\Dream Chronicles\dream.exe"
Mon 18 Jun 2007 3,343,952 ...H. --- "C:\Program Files\G.H.O.S.T. Hunters - The Haunting of Majesty Manor\GHOST Hunters.exe"
Fri 4 May 2007 1,486,848 ...H. --- "C:\Program Files\Magic Academy\Magic Academy.exe"
Sat 5 May 2007 15,384,576 ...H. --- "C:\Program Files\Mystery Case Files - Huntsville\Mystery Case Files - Huntsville.exe"
Fri 4 May 2007 16,076,800 ...H. --- "C:\Program Files\Mystery Case Files - Prime Suspects\Mystery Case Files - Prime Suspects.exe"
Sat 5 May 2007 16,474,112 ...H. --- "C:\Program Files\Mystery Case Files - Ravenhearst\Mystery Case Files - Ravenhearst.exe"
Thu 18 Oct 2007 1,561,928 ...H. --- "C:\Program Files\Pirateville\Pirateville.exe"
Thu 5 Jul 2007 3,712,328 ...H. --- "C:\Program Files\The Stone of Destiny\StoneOfDestiny.exe"
Thu 27 Apr 2006 741,747 ..SH. --- "C:\WINDOWS\SYSTEM32\mlkkj.tmp"
Sun 4 Jun 2006 1,039,524 ..SH. --- "C:\WINDOWS\SYSTEM32\mlkkj.bak1"
Sat 3 Jun 2006 1,039,573 ..SH. --- "C:\WINDOWS\SYSTEM32\mlkkj.bak2"
Mon 26 Jun 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT45.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jennifer Hooper\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 7 Jun 2007 8 A..H. --- "C:\Documents and Settings\Jennifer Hooper\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 7 Jun 2007 8 A..H. --- "C:\Documents and Settings\Jennifer Hooper\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 7 Jun 2007 8 A..H. --- "C:\Documents and Settings\Jennifer Hooper\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kevin Langdon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kevin Langdon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kevin Langdon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kevin Langdon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

Here is the new Hijack This log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:44 AM, on 24/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jennifer Hooper\Desktop\Spyware Scanning\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: IE Custom Tools - {062F3F8B-CB94-4D76-A98A-EF800A438F01} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O20 - Winlogon Notify: jkklm - C:\WINDOWS\system32\jkklm.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 8381 bytes

Edited by nukegrrl, 24 October 2007 - 11:33 AM.
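A triage pass over the two HijackThis logs in this thread (the first post's log and the post-SDFix log above), as an added example that is not part of the thread or of any tool it mentions; the entry-type heuristics and the `Entry`, `triage` and `diff_logs` names are this example's own assumptions, and the sample lines are copied from the two logs.

```python
"""Triage HijackThis (HJT) v2 log entries and diff two logs.

Added example for this thread; it is not code from BleepingComputer, the
posters, or any HJT/SDFix tool. The heuristics are this example's own
assumptions about which entry types a removal helper looks at first.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the two HJT logs posted in the
# thread. LOG_BEFORE is from the first log, LOG_AFTER from the log posted
# after SDFix ran. Only the lines relevant to the triage rules are kept.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: jkklm - C:\WINDOWS\system32\jkklm.dll (file missing)
O22 - SharedTaskScheduler: celtiberi - {7999c5e2-b500-4ba5-8e9a-99639eca65fc} - C:\WINDOWS\system32\mxhfjy.dll (file missing)
"""

LOG_AFTER = r"""
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: jkklm - C:\WINDOWS\system32\jkklm.dll (file missing)
"""

# Every HJT entry starts with a section code (R0-R3, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O4 registry autoruns: "<hive>\..\<key>: [<value name>] <command line>"
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


@dataclass(frozen=True, order=True)
class Entry:
    section: str
    body: str


def parse_log(text):
    """Return the HJT entries in a log; header, process list and blanks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Return (section, reason, detail) findings for entries worth a second look."""
    findings = []
    run_hives = {}  # lower-cased command line -> hives that launch it
    for e in entries:
        # HJT marks autorun/hook entries whose target no longer exists on disk.
        # They are leftovers rather than live threats, but a helper fixes them too.
        if "(file missing)" in e.body or "(no file)" in e.body:
            findings.append((e.section, "orphaned entry, target file missing", e.body))
        # O7 lists policy restrictions such as DisableRegedit=1; a home user who
        # never set one (the "access restrictions" in the thread) should have none.
        if e.section == "O7":
            findings.append((e.section, "system policy restriction set", e.body))
        if e.section == "O4":
            m = RUN_RE.match(e.body)
            if not m:  # Global Startup .lnk lines have a different shape
                continue
            # Policies\Explorer\Run is an autorun location ordinary installers
            # do not use, so anything there deserves a look.
            if m.group("key").startswith("Policies\\"):
                findings.append((e.section, "autorun via Policies\\Explorer\\Run", e.body))
            run_hives.setdefault(m.group("cmd").lower(), set()).add(m.group("hive"))
    # The same binary registered under both HKLM and HKCU Run, as WinAvXX.exe
    # is here, is a persistence pattern rather than normal installer behaviour.
    for cmd, hives in run_hives.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(("O4", "same command in both HKLM and HKCU Run", cmd))
    return findings


def diff_logs(before_text, after_text):
    """Return (removed, added) entry lists between two logs of the same machine."""
    before, after = set(parse_log(before_text)), set(parse_log(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for section, reason, detail in triage(parse_log(LOG_BEFORE)):
        print(f"{section:4} {reason}: {detail}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(removed)} entries gone after the fix, {len(added)} new:")
    for e in removed:
        print(f"  - {e.section} {e.body}")
```

Run against the full logs, the diff shows which entries SDFix cleared (the WinAVX autoruns, the Policies\Explorer\Run entries, the O7 policy and the O22 task) and which orphaned entries are still waiting for the next fix step.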


#4 RichieUK

  • Malware Response Team

Posted 24 October 2007 - 05:42 PM

If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#5 nukegrrl


Posted 24 October 2007 - 07:16 PM

ComboFix log:

ComboFix 07-10-25.1 - Jennifer Hooper 2007-10-24 20:05:25.2 - NTFSx86
Running from: C:\Documents and Settings\Jennifer Hooper\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-24 11:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 11:19 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-22 14:10 138,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-10-22 14:10 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2007-10-22 14:10 52,368 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2007-10-22 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-22 14:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-21 21:21 <DIR> d-------- C:\Documents and Settings\Jennifer Hooper\.housecall6.6
2007-10-21 19:00 <DIR> d-------- C:\Documents and Settings\Administrator.JENNIFER\Application Data\Yahoo!
2007-10-21 18:35 <DIR> d-------- C:\Documents and Settings\Administrator.JENNIFER\Application Data\Talkback
2007-10-21 17:53 <DIR> d-------- C:\Documents and Settings\Administrator.JENNIFER\Application Data\Sonic
2007-10-21 17:53 <DIR> d-------- C:\Documents and Settings\Administrator.JENNIFER\Application Data\Jasc Software Inc
2007-10-21 17:50 <DIR> d-------- C:\WINDOWS\pss
2007-10-21 12:05 <DIR> d-------- C:\Program Files\Video Add-on
2007-10-20 13:06 <DIR> d-------- C:\Program Files\Pirateville
2007-10-20 13:06 <DIR> d-------- C:\Documents and Settings\Jennifer Hooper\Application Data\Legends of pirates
2007-10-19 11:09 <DIR> d--h----- C:\CWDS2Temp
2007-10-10 03:46 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-10-02 16:50 <DIR> d-------- C:\Documents and Settings\Jennifer Hooper\Application Data\Canon
2007-10-02 16:25 <DIR> d-------- C:\Program Files\Common Files\Canon
2007-10-02 16:25 <DIR> d-------- C:\Program Files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 17:46 --------- d-----w C:\Program Files\Yahoo!
2007-10-22 17:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-22 17:44 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-21 16:36 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-21 16:36 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-21 16:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-07 00:48 --------- d-----w C:\Program Files\Ubisoft
2007-09-24 23:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-24 23:22 --------- d-----w C:\Program Files\Sierra
2007-09-23 22:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-09-23 21:07 --------- d-----w C:\Program Files\Kodak
2007-09-20 01:44 --------- d-----w C:\Documents and Settings\Kevin Langdon\Application Data\Leadertech
2007-09-18 04:29 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 04:29 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-18 04:29 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 04:29 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 04:29 1,126,328 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-08-27 17:13 --------- d-----w C:\Program Files\SilverLine
2007-08-22 12:55 96,256 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2006-06-04 05:49:59 1,039,524 -csh--w C:\WINDOWS\SYSTEM32\mlkkj.bak1
2006-06-03 05:49:35 1,039,573 -csh--w C:\WINDOWS\SYSTEM32\mlkkj.bak2
2006-06-05 03:13:14 1,039,001 -csh--w C:\WINDOWS\SYSTEM32\mlkkj.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]
2007-10-22 22:03 11264 --a------ C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{062F3F8B-CB94-4D76-A98A-EF800A438F01}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-10-21 12:05 77824]

[HKEY_CLASSES_ROOT\CLSID\{062F3F8B-CB94-4D76-A98A-EF800A438F01}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{062F3F8B-CB94-4D76-A98A-EF800A438F01}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-10-21 12:05 77824]

[HKEY_CLASSES_ROOT\CLSID\{062F3F8B-CB94-4D76-A98A-EF800A438F01}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 13:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 19:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-08 09:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-26 11:28]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-10-08 08:49]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-08-31 17:01]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 00:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2007-04-25 10:46]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-09-14 13:26]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 16:51]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-26 18:09:38]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 14:04:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklm]
C:\WINDOWS\system32\jkklm.dll

R1 SSHDRV65;SSHDRV65;\??\C:\WINDOWS\System32\drivers\SSHDRV65.sys
R1 SSHDRV77;SSHDRV77;\??\C:\WINDOWS\System32\drivers\SSHDRV77.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 20:09:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 20:10:23
C:\ComboFix2.txt ... 2007-10-24 11:46
.
--- E O F ---


Hijack This Report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:06 PM, on 24/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jennifer Hooper\Desktop\Spyware Scanning\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: IE Custom Tools - {062F3F8B-CB94-4D76-A98A-EF800A438F01} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O20 - Winlogon Notify: jkklm - C:\WINDOWS\system32\jkklm.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 8380 bytes

#6 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts

Posted 24 October 2007 - 07:24 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\SYSTEM32\mlkkj.bak1
C:\WINDOWS\SYSTEM32\mlkkj.bak2
C:\WINDOWS\SYSTEM32\mlkkj.ini2
Folder::
C:\Program Files\Video Add-on
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{062F3F8B-CB94-4D76-A98A-EF800A438F01}"=-
[-HKEY_CLASSES_ROOT\CLSID\{062F3F8B-CB94-4D76-A98A-EF800A438F01}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{062F3F8B-CB94-4D76-A98A-EF800A438F01}"=-
[-HKEY_CLASSES_ROOT\CLSID\{062F3F8B-CB94-4D76-A98A-EF800A438F01}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklm]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: CFScript file being dropped onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#7 nukegrrl
Topic Starter, Members, 8 posts

Posted 24 October 2007 - 07:46 PM

ComboFix 07-10-25.1 - Jennifer Hooper 2007-10-24 20:32:26.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.151 [GMT -4:00]
Running from: C:\Documents and Settings\Jennifer Hooper\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jennifer Hooper\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\mlkkj.bak1
C:\WINDOWS\SYSTEM32\mlkkj.bak2
C:\WINDOWS\SYSTEM32\mlkkj.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Video Add-on
C:\Program Files\Video Add-on\ictmdl.dll
C:\Program Files\Video Add-on\isfmdl.dll
C:\Program Files\Video Add-on\isfmm.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\Program Files\Video Add-on\ot.ico
C:\Program Files\Video Add-on\ts.ico
C:\Program Files\Video Add-on\uninst.exe
C:\WINDOWS\SYSTEM32\mlkkj.bak1
C:\WINDOWS\SYSTEM32\mlkkj.bak2
C:\WINDOWS\SYSTEM32\mlkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-24 11:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 11:19 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-22 14:10 138,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-10-22 14:10 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2007-10-22 14:10 52,368 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2007-10-22 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-22 14:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-21 21:21 <DIR> d-------- C:\Documents and Settings\Jennifer Hooper\.housecall6.6
2007-10-21 19:00 <DIR> d-------- C:\Documents and Settings\Administrator.JENNIFER\Application Data\Yahoo!
2007-10-21 18:35 <DIR> d-------- C:\Documents and Settings\Administrator.JENNIFER\Application Data\Talkback
2007-10-21 17:53 <DIR> d-------- C:\Documents and Settings\Administrator.JENNIFER\Application Data\Sonic
2007-10-21 17:53 <DIR> d-------- C:\Documents and Settings\Administrator.JENNIFER\Application Data\Jasc Software Inc
2007-10-21 17:50 <DIR> d-------- C:\WINDOWS\pss
2007-10-20 13:06 <DIR> d-------- C:\Program Files\Pirateville
2007-10-20 13:06 <DIR> d-------- C:\Documents and Settings\Jennifer Hooper\Application Data\Legends of pirates
2007-10-19 11:09 <DIR> d--h----- C:\CWDS2Temp
2007-10-10 03:46 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-10-02 16:50 <DIR> d-------- C:\Documents and Settings\Jennifer Hooper\Application Data\Canon
2007-10-02 16:25 <DIR> d-------- C:\Program Files\Common Files\Canon
2007-10-02 16:25 <DIR> d-------- C:\Program Files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 17:46 --------- d-----w C:\Program Files\Yahoo!
2007-10-22 17:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-22 17:44 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-21 16:36 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-21 16:36 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-21 16:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-07 00:48 --------- d-----w C:\Program Files\Ubisoft
2007-09-24 23:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-24 23:22 --------- d-----w C:\Program Files\Sierra
2007-09-23 22:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-09-23 21:07 --------- d-----w C:\Program Files\Kodak
2007-09-20 01:44 --------- d-----w C:\Documents and Settings\Kevin Langdon\Application Data\Leadertech
2007-09-18 04:29 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 04:29 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-18 04:29 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 04:29 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 04:29 1,126,328 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-08-27 17:13 --------- d-----w C:\Program Files\SilverLine
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 13:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 19:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-08 09:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-26 11:28]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-10-08 08:49]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-08-31 17:01]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 00:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2007-04-25 10:46]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-09-14 13:26]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 16:51]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-26 18:09:38]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 14:04:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

R1 SSHDRV65;SSHDRV65;\??\C:\WINDOWS\System32\drivers\SSHDRV65.sys
R1 SSHDRV77;SSHDRV77;\??\C:\WINDOWS\System32\drivers\SSHDRV77.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 20:39:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 20:41:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-24 20:10
C:\ComboFix3.txt ... 2007-10-24 11:46
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:30 PM, on 24/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Jennifer Hooper\Desktop\Spyware Scanning\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 8150 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 24 October 2007 - 08:03 PM

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - SOFTWARE - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

Exit HijackThis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

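As an added example (not code from this thread, and not part of HijackThis itself): a small Python triage script that parses HijackThis entries in the format shown above and flags the ones ending in '(no file)' or '(file missing)', which are the orphaned items RichieUK asks HijackThis to fix, plus any O23 service recorded with 'Unknown owner'. The sample lines are copied from the logs posted in this thread; the line regex, the `Entry` record and the marker strings are my own assumptions about the log format. An orphaned entry can equally be the leftover of a normal uninstall (the KodakCCS service on the page was not put on the fix list), so the output is a review list for a helper, not a deletion list.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: HijackThis lines copied from the logs posted in this thread,
# plus one healthy O3 entry (the Yahoo! Toolbar) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - SOFTWARE - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

# Assumed line shape: "<section tag> - <fields separated by ' - '>", e.g. "O23 - Service: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# Assumed markers HijackThis appends when the referenced file is absent.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str          # e.g. "O2", "O23"
    body: str             # everything after the section tag
    orphaned: bool        # the entry points at a file that is not on disk
    unknown_owner: bool   # O23 service with no publisher recorded


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis-style lines into Entry records; lines that do not match are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entries.append(Entry(
            section=section,
            body=body,
            orphaned=body.endswith(ORPHAN_MARKERS),
            unknown_owner=(section == "O23" and " - Unknown owner - " in body),
        ))
    return entries


def find_orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose target no longer exists: the kind a helper asks HijackThis to 'fix'."""
    return [e for e in entries if e.orphaned]


def find_unknown_owner_services(entries: List[Entry]) -> List[Entry]:
    """O23 services carrying no publisher string; the binary's origin should be checked by hand."""
    return [e for e in entries if e.unknown_owner]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in find_orphaned(parsed):
        print(f"orphaned   {e.section}: {e.body}")
    for e in find_unknown_owner_services(parsed):
        print(f"no owner   {e.section}: {e.body}")
```

Run against the constructed sample it reports the O2, O3 and O9 lines that were put on the fix list above, and the KodakCCS service twice (once as orphaned, once as unknown owner); the Yahoo! Toolbar, Bonjour and R0 lines are left alone.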

#9 nukegrrl

nukegrrl
  • Topic Starter

  • Members
  • 8 posts

Posted 24 October 2007 - 09:43 PM

PC seems to be running/booting a bit faster, and as I mentioned in a post above, I can now access the settings that previously had been blocked (Set Program Access and Defaults, My Computer Properties).

Scan results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/24/2007 at 10:03 PM

Application Version : 3.9.1008

Core Rules Database Version : 3330
Trace Rules Database Version: 1331

Scan type : Complete Scan
Total Scan Time : 00:48:30

Memory items scanned : 466
Memory threats detected : 0
Registry items scanned : 6051
Registry threats detected : 115
File items scanned : 50527
File threats detected : 136

Adware.Tracking Cookie
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@paypal.112.2o7[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@adknowledge[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@70062990[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@trafficmp[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@robeez.122.2o7[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wjlyuhczkko.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@ad.iconadserver[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wfkiojcjmbo.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wfligmazedq.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@statse.webtrendslive[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wjkoqhc5cko.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@homedepotca.122.2o7[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@stats.clicktracks[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@www.viruslocker[3].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@canadapost.112.2o7[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wgmyupd5idq.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wjmiciazmdq.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@msnaccountservices.112.2o7[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wfl4kgdpkkq.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wjkyaldpedp.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@www.ez-tracks[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@www.pcantiviruspro[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wblycid5kgo.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wjlyukdzgbp.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@bizrate[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@clickaider[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@adtech[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@calc.avsystemcare[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@ehg-bestbuy.hitbox[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@ez-tracks[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@tremor.adbureau[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@reduxads.valuead[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@pointandshop.112.2o7[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@stat.onestat[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@gomyhit[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@overture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@avsystemcare[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@ehg-artbeads.hitbox[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@57386690[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wjloencpsfp.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@www.sexstoriespost[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wckiqjczifp.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@ads.tnt[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@www.pornfreaks[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@try.screensavers[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@491[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@adultadworld[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@view-9385[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@provolabs.112.2o7[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wakoskazsho.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@www.freepornsite[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@89901003[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wblockazcgo.stats.esomniture[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@cgi-bin[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@sixapart.adbureau[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@trinitymirror.112.2o7[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wjlyeldzseo.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wjnysmazscp.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@www.xxxkey[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@charmingshoppes.112.2o7[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wjl4qhdjebq.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@xiti[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wgmyencpgbp.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@dir-porn[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@audit.median[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@partners.webmasterplan[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wgkikgcpgbq.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@cgi-bin[6].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@marketlive.122.2o7[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@humornsex[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@sexmovies[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@kinxxx[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wfmiwpajifo.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@shopping.112.2o7[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@tracking.foxnews[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@e-2dj6wjmiglczogo.stats.esomniture[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@freesexpicsandchat[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@sexstoriespost[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@cgi-bin[3].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@pornotube[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@ads.adgoto[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@view-5592[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@partypoker[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@ad1.clickhype[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@adbrite[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@adinterax[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@ads.ak.facebook[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@ads.cnn[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@dump.pornfreaks[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@freepornsite[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@image.masterstats[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@indextools[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@interclick[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@mormonsexposed[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@richmedia.yahoo[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@sales.liveperson[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@saynotocrack[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@stat.dealtime[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@stats.sellmosoft[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@stats4.clicktracks[2].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@toplist[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@www.analsexvideos[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@www.camelmedia[1].txt
C:\Documents and Settings\Jennifer Hooper\Cookies\jennifer hooper@yadro[1].txt
C:\Documents and Settings\Kevin Langdon\Cookies\kevin langdon@2o7[2].txt
C:\Documents and Settings\Kevin Langdon\Cookies\kevin langdon@adinterax[1].txt
C:\Documents and Settings\Kevin Langdon\Cookies\kevin langdon@ads.cnn[1].txt
C:\Documents and Settings\Kevin Langdon\Cookies\kevin langdon@overture[1].txt
C:\Documents and Settings\Kevin Langdon\Cookies\kevin langdon@primedia.us.intellitxt[1].txt
C:\Documents and Settings\Kevin Langdon\Cookies\kevin langdon@spamblockerutility[2].txt

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Adware.MyWay
C:\Program Files\MyWay\SrchAstt
C:\Program Files\MyWay

Trojan.SysProtect
HKU\S-1-5-21-3443434921-1572373378-2956556151-1008\Software\SysProtect
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000\LogConf
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1253\A0125417.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1253\A0125418.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1253\A0125419.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\USYP_0001_N69M1703NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\USYP_0001_N76M2004NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\USYP_0001_N76M2004NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\USYP_0001_N76M2004NETINSTALLER.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SSCAN.SYS

Malware.AntiVirGear
HKCR\TypeLib\{DE6AE29A-EB7D-4656-9418-26D5FCC9ADF5}
HKCR\TypeLib\{DE6AE29A-EB7D-4656-9418-26D5FCC9ADF5}\1.0
HKCR\TypeLib\{DE6AE29A-EB7D-4656-9418-26D5FCC9ADF5}\1.0\0
HKCR\TypeLib\{DE6AE29A-EB7D-4656-9418-26D5FCC9ADF5}\1.0\0\win32
HKCR\TypeLib\{DE6AE29A-EB7D-4656-9418-26D5FCC9ADF5}\1.0\FLAGS
HKCR\TypeLib\{DE6AE29A-EB7D-4656-9418-26D5FCC9ADF5}\1.0\HELPDIR
HKCR\Interface\{0A0FC1A4-41D4-4793-9AC5-0B55CDC95AE9}
HKCR\Interface\{0A0FC1A4-41D4-4793-9AC5-0B55CDC95AE9}\ProxyStubClsid
HKCR\Interface\{0A0FC1A4-41D4-4793-9AC5-0B55CDC95AE9}\ProxyStubClsid32
HKCR\Interface\{0A0FC1A4-41D4-4793-9AC5-0B55CDC95AE9}\TypeLib
HKCR\Interface\{0A0FC1A4-41D4-4793-9AC5-0B55CDC95AE9}\TypeLib#Version
HKCR\Interface\{14F47CA3-2291-4B3E-9ED4-8C7E6AE80851}
HKCR\Interface\{14F47CA3-2291-4B3E-9ED4-8C7E6AE80851}\ProxyStubClsid
HKCR\Interface\{14F47CA3-2291-4B3E-9ED4-8C7E6AE80851}\ProxyStubClsid32
HKCR\Interface\{14F47CA3-2291-4B3E-9ED4-8C7E6AE80851}\TypeLib
HKCR\Interface\{14F47CA3-2291-4B3E-9ED4-8C7E6AE80851}\TypeLib#Version
HKCR\Interface\{2447284F-3590-4E8C-A869-049BD87CAD07}
HKCR\Interface\{2447284F-3590-4E8C-A869-049BD87CAD07}\ProxyStubClsid
HKCR\Interface\{2447284F-3590-4E8C-A869-049BD87CAD07}\ProxyStubClsid32
HKCR\Interface\{2447284F-3590-4E8C-A869-049BD87CAD07}\TypeLib
HKCR\Interface\{2447284F-3590-4E8C-A869-049BD87CAD07}\TypeLib#Version
HKCR\Interface\{38EEEF46-CA24-4ACA-A90D-540978DF7252}
HKCR\Interface\{38EEEF46-CA24-4ACA-A90D-540978DF7252}\ProxyStubClsid
HKCR\Interface\{38EEEF46-CA24-4ACA-A90D-540978DF7252}\ProxyStubClsid32
HKCR\Interface\{38EEEF46-CA24-4ACA-A90D-540978DF7252}\TypeLib
HKCR\Interface\{38EEEF46-CA24-4ACA-A90D-540978DF7252}\TypeLib#Version
HKCR\Interface\{3D5E5AE1-5DED-4520-BDC2-B9292EA708CA}
HKCR\Interface\{3D5E5AE1-5DED-4520-BDC2-B9292EA708CA}\ProxyStubClsid
HKCR\Interface\{3D5E5AE1-5DED-4520-BDC2-B9292EA708CA}\ProxyStubClsid32
HKCR\Interface\{3D5E5AE1-5DED-4520-BDC2-B9292EA708CA}\TypeLib
HKCR\Interface\{3D5E5AE1-5DED-4520-BDC2-B9292EA708CA}\TypeLib#Version
HKCR\Interface\{409A05EF-1B48-4198-B6BF-993B8B52790C}
HKCR\Interface\{409A05EF-1B48-4198-B6BF-993B8B52790C}\ProxyStubClsid
HKCR\Interface\{409A05EF-1B48-4198-B6BF-993B8B52790C}\ProxyStubClsid32
HKCR\Interface\{409A05EF-1B48-4198-B6BF-993B8B52790C}\TypeLib
HKCR\Interface\{409A05EF-1B48-4198-B6BF-993B8B52790C}\TypeLib#Version
HKCR\Interface\{47A93011-1004-440C-9960-BD3B0348A7C2}
HKCR\Interface\{47A93011-1004-440C-9960-BD3B0348A7C2}\ProxyStubClsid
HKCR\Interface\{47A93011-1004-440C-9960-BD3B0348A7C2}\ProxyStubClsid32
HKCR\Interface\{47A93011-1004-440C-9960-BD3B0348A7C2}\TypeLib
HKCR\Interface\{47A93011-1004-440C-9960-BD3B0348A7C2}\TypeLib#Version
HKCR\Interface\{50B388D5-4A80-4191-8BCC-5DD031D7F3EE}
HKCR\Interface\{50B388D5-4A80-4191-8BCC-5DD031D7F3EE}\ProxyStubClsid
HKCR\Interface\{50B388D5-4A80-4191-8BCC-5DD031D7F3EE}\ProxyStubClsid32
HKCR\Interface\{50B388D5-4A80-4191-8BCC-5DD031D7F3EE}\TypeLib
HKCR\Interface\{50B388D5-4A80-4191-8BCC-5DD031D7F3EE}\TypeLib#Version
HKCR\Interface\{58A1ACE6-0DBA-45D2-8154-E8253A7B87BB}
HKCR\Interface\{58A1ACE6-0DBA-45D2-8154-E8253A7B87BB}\ProxyStubClsid
HKCR\Interface\{58A1ACE6-0DBA-45D2-8154-E8253A7B87BB}\ProxyStubClsid32
HKCR\Interface\{58A1ACE6-0DBA-45D2-8154-E8253A7B87BB}\TypeLib
HKCR\Interface\{58A1ACE6-0DBA-45D2-8154-E8253A7B87BB}\TypeLib#Version
HKCR\Interface\{73D25394-992F-43D1-BF92-48494CC0D1AE}
HKCR\Interface\{73D25394-992F-43D1-BF92-48494CC0D1AE}\ProxyStubClsid
HKCR\Interface\{73D25394-992F-43D1-BF92-48494CC0D1AE}\ProxyStubClsid32
HKCR\Interface\{73D25394-992F-43D1-BF92-48494CC0D1AE}\TypeLib
HKCR\Interface\{73D25394-992F-43D1-BF92-48494CC0D1AE}\TypeLib#Version
HKCR\Interface\{7D2A83A4-0687-4704-937E-A29045826F77}
HKCR\Interface\{7D2A83A4-0687-4704-937E-A29045826F77}\ProxyStubClsid
HKCR\Interface\{7D2A83A4-0687-4704-937E-A29045826F77}\ProxyStubClsid32
HKCR\Interface\{7D2A83A4-0687-4704-937E-A29045826F77}\TypeLib
HKCR\Interface\{7D2A83A4-0687-4704-937E-A29045826F77}\TypeLib#Version
HKCR\Interface\{A7FE54B2-B167-4017-BCCC-CF73B2F678E3}
HKCR\Interface\{A7FE54B2-B167-4017-BCCC-CF73B2F678E3}\ProxyStubClsid
HKCR\Interface\{A7FE54B2-B167-4017-BCCC-CF73B2F678E3}\ProxyStubClsid32
HKCR\Interface\{A7FE54B2-B167-4017-BCCC-CF73B2F678E3}\TypeLib
HKCR\Interface\{A7FE54B2-B167-4017-BCCC-CF73B2F678E3}\TypeLib#Version
HKCR\Interface\{C183B073-2D7F-45BC-8967-80147CECEE45}
HKCR\Interface\{C183B073-2D7F-45BC-8967-80147CECEE45}\ProxyStubClsid
HKCR\Interface\{C183B073-2D7F-45BC-8967-80147CECEE45}\ProxyStubClsid32
HKCR\Interface\{C183B073-2D7F-45BC-8967-80147CECEE45}\TypeLib
HKCR\Interface\{C183B073-2D7F-45BC-8967-80147CECEE45}\TypeLib#Version
HKCR\Interface\{F6FDBF9A-19A7-4F0A-9F46-6F015A067B44}
HKCR\Interface\{F6FDBF9A-19A7-4F0A-9F46-6F015A067B44}\ProxyStubClsid
HKCR\Interface\{F6FDBF9A-19A7-4F0A-9F46-6F015A067B44}\ProxyStubClsid32
HKCR\Interface\{F6FDBF9A-19A7-4F0A-9F46-6F015A067B44}\TypeLib
HKCR\Interface\{F6FDBF9A-19A7-4F0A-9F46-6F015A067B44}\TypeLib#Version
HKCR\Interface\{F90A7969-20A0-4257-B39D-9C73D64CE3B0}
HKCR\Interface\{F90A7969-20A0-4257-B39D-9C73D64CE3B0}\ProxyStubClsid
HKCR\Interface\{F90A7969-20A0-4257-B39D-9C73D64CE3B0}\ProxyStubClsid32
HKCR\Interface\{F90A7969-20A0-4257-B39D-9C73D64CE3B0}\TypeLib
HKCR\Interface\{F90A7969-20A0-4257-B39D-9C73D64CE3B0}\TypeLib#Version
HKCR\Interface\{FA38F299-57F8-4FEB-9096-715460AE943C}
HKCR\Interface\{FA38F299-57F8-4FEB-9096-715460AE943C}\ProxyStubClsid
HKCR\Interface\{FA38F299-57F8-4FEB-9096-715460AE943C}\ProxyStubClsid32
HKCR\Interface\{FA38F299-57F8-4FEB-9096-715460AE943C}\TypeLib
HKCR\Interface\{FA38F299-57F8-4FEB-9096-715460AE943C}\TypeLib#Version
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1247\A0124218.EXE

Trojan.Media-Codec/V4
HKU\S-1-5-21-3443434921-1572373378-2956556151-1008\Software\Online Add-on
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Custom Tools
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Custom Tools#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Custom Tools#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Add-on
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Add-on#ProductionEnvironment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Add-on#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Add-on#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Add-on#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Add-on#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Add-on#Publisher
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\VIDEO ADD-ON\ICTMDL.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\VIDEO ADD-ON\ISFMDL.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1247\A0124209.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1248\A0124503.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0124550.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0124584.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125194.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125239.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1251\A0125309.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1252\A0125363.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1256\A0125535.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1256\A0125536.DLL

Trojan.Smitfraud Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1247\A0124230.DLL


Hijack This report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:06 PM, on 24/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Jennifer Hooper\Desktop\Spyware Scanning\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 7919 bytes

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 25 October 2007 - 04:09 AM

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.

#11 nukegrrl

nukegrrl
  • Topic Starter

  • Members
  • 8 posts

Posted 25 October 2007 - 11:29 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 25, 2007 12:28:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/10/2007
Kaspersky Anti-Virus database records: 418802
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 139708
Number of viruses found: 16
Number of infected objects: 49
Number of suspicious objects: 1
Duration of the scan process: 01:13:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Jennifer Hooper\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Jennifer Hooper\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Jennifer Hooper\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jennifer Hooper\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jennifer Hooper\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Jennifer Hooper\Local Settings\Temp\~DF6067.tmp Object is locked skipped
C:\Documents and Settings\Jennifer Hooper\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\ocanada.exe/WISE0020.BIN Infected: Trojan-Dropper.Win32.Small.jh skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\ocanada.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\wallpaper.exe/WISE0015.BIN/data0002/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\wallpaper.exe/WISE0015.BIN/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\wallpaper.exe/WISE0015.BIN/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\wallpaper.exe/WISE0015.BIN/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\wallpaper.exe/WISE0015.BIN/data0003 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\wallpaper.exe/WISE0015.BIN/data0004 Infected: Trojan-Downloader.Win32.Keenval.e skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\wallpaper.exe/WISE0015.BIN Infected: Trojan-Downloader.Win32.Keenval.e skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\wallpaper.exe WiseSFX: infected - 7 skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\White_Guardian-90675theme.exe/WISE0023.BIN Infected: Trojan-Dropper.Win32.Small.ff skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\White_Guardian-90675theme.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Jennifer Hooper\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jennifer Hooper\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Desktop Wallpaper\install.exe/data0002/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Program Files\Desktop Wallpaper\install.exe/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Program Files\Desktop Wallpaper\install.exe/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Program Files\Desktop Wallpaper\install.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Program Files\Desktop Wallpaper\install.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Program Files\Desktop Wallpaper\install.exe/data0004 Infected: Trojan-Downloader.Win32.Keenval.e skipped
C:\Program Files\Desktop Wallpaper\install.exe NSIS: infected - 6 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E1.tmp/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E1.tmp ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E1.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security\Trusted.dat Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\Video Add-on\isfmm.exe.vir Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\qoobox\Quarantine\C\Program Files\Video Add-on\isfmntr.exe.vir Infected: Trojan-Downloader.Win32.Zlob.drm skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1247\A0124210.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1248\A0124504.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0124551.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0124585.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125022.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125024.exe Infected: Trojan.Win32.StartPage.ame skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125025.exe/MyWayHomePageChangerInbuilt.exe Infected: Trojan.Win32.StartPage.ags skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125025.exe StarDust: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125025.exe CryptFF: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125027.exe Infected: Trojan-Downloader.Win32.Zlob.drj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125028.exe Infected: Trojan-Downloader.Win32.Zlob.drn skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125029.exe Infected: Trojan-Downloader.Win32.Zlob.dri skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125195.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125240.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1251\A0125310.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1252\A0125354.exe/iedriver.exe Infected: Trojan-Clicker.Win32.Iedriver.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1252\A0125354.exe InstallCreator: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1252\A0125354.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1252\A0125364.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1256\A0125537.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1256\A0125538.exe Infected: Trojan-Downloader.Win32.Zlob.drm skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1257\change.log Object is locked skipped
C:\updaterInstall_104.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\updaterInstall_104.exe/data0004 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\updaterInstall_104.exe/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\updaterInstall_104.exe NSIS: infected - 3 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20071021-123010.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
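
The report above mixes three very different kinds of lines: detections inside files the user still has, detections inside stores that were already quarantined (the Trend Micro and ComboFix quarantine folders) or archived by System Restore, and "Object is locked" notices on registry hives and logs that are not detections at all. The following Python script is an added example, not code from the thread or from Kaspersky: it parses a Kaspersky Online Scanner 5 report in the format shown above, drops the locked-object noise, groups the real hits by malware family and by where on disk they sit, and splits the result into files to remove individually versus stores (restore points, AV quarantine) that are purged as a whole. The sample lines are copied from the report above and trimmed to a handful; the location categories and the split into "files" and "stores" are this example's own design choices, not the scanner's.

```python
"""Triage of a Kaspersky Online Scanner 5 report (added example, not from the thread).

Result lines in the report take one of these forms:
    <path> Infected: <detection> skipped
    <path> Suspicious: <type> skipped
    <path> <packer>: infected - <n> skipped   (summary line for an archive/installer)
    <path> Object is locked skipped
A path may carry an archive-member suffix after '/', e.g. 'install.exe/data0002'.
"""
import re
from collections import Counter, namedtuple

# Sample lines taken from the report posted above, trimmed to a few representative ones.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Jennifer Hooper\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\ocanada.exe/WISE0020.BIN Infected: Trojan-Dropper.Win32.Small.jh skipped
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\ocanada.exe WiseSFX: infected - 1 skipped
C:\Program Files\Desktop Wallpaper\install.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Program Files\Desktop Wallpaper\install.exe NSIS: infected - 6 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E1.tmp/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\qoobox\Quarantine\C\Program Files\Video Add-on\isfmm.exe.vir Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125022.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1250\A0125024.exe Infected: Trojan.Win32.StartPage.ame skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1256\A0125537.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20071021-123010.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
"""

Hit = namedtuple("Hit", "path container kind name location")

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
PATTERNS = (
    ("infected", re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")),
    ("suspicious", re.compile(r"^(?P<path>.+?) Suspicious: (?P<name>\S+) skipped$")),
    ("packer", re.compile(r"^(?P<path>.+?) (?P<name>\S+): infected - \d+ skipped$")),
)


def classify_location(container):
    """Bucket a container file by where it lives (categories are this example's own)."""
    p = container.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"          # copies kept by System Restore
    if "\\quarantine\\" in p:
        return "av quarantine"          # already neutralised by another tool
    if p.startswith("c:\\documents and settings\\"):
        return "user profile"
    if p.startswith("c:\\windows\\"):
        return "windows"
    if p.startswith("c:\\program files\\"):
        return "program files"
    return "other"


def parse_report(text):
    """Return one Hit per detection line; locked-object notices are dropped."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or LOCKED_RE.match(line):
            continue
        for kind, rx in PATTERNS:
            match = rx.match(line)
            if match:
                break
        else:
            continue                    # not a result line (header, settings, statistics)
        path = match.group("path")
        container = path.split("/", 1)[0]   # strip the archive-member suffix
        hits.append(Hit(path, container, kind, match.group("name"), classify_location(container)))
    return hits


def family(name):
    """'Trojan-Downloader.Win32.Zlob.drl' -> 'Trojan-Downloader.Win32.Zlob' (variant letters dropped)."""
    return ".".join(name.split(".")[:3])


def summarize(hits):
    """Counts by location and family; packer summary lines are excluded so a file is counted once per member."""
    detections = [h for h in hits if h.kind != "packer"]
    return {
        "by_location": Counter(h.location for h in detections),
        "by_family": Counter(family(h.name) for h in detections),
        "containers": sorted({h.container for h in detections}),
    }


def plan_cleanup(hits):
    """Files to remove individually versus stores that are purged wholesale."""
    files, stores = set(), set()
    for h in hits:
        if h.kind == "packer":
            continue
        if h.location in ("restore point", "av quarantine"):
            stores.add(h.location)
        else:
            files.add(h.container)
    return {"files": sorted(files), "stores": sorted(stores)}


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    summary = summarize(hits)
    print("by location:", dict(summary["by_location"]))
    print("by family:  ", dict(summary["by_family"]))
    print("plan:       ", plan_cleanup(hits))
```

Run on the sample, the script reports three hits sitting in restore points and two in quarantine folders, which is why those stores are worth emptying as a whole rather than moving each file, while the wallpaper installers and the Qhost-flagged hosts backup come out as individual files to remove.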

#12 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts

Posted 25 October 2007 - 02:25 PM

Delete everything inside this Quarantine folder:
C:\Program Files\Trend Micro\Internet Security\Quarantine

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\ocanada.exe
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\wallpaper.exe
C:\Documents and Settings\Jennifer Hooper\My Documents\Wallpapers and Themes\White_Guardian-90675theme.exe
C:\Program Files\Desktop Wallpaper\install.exe
C:\qoobox
C:\updaterInstall_104.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20071021-123010.backup

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Your log is clean :thumbsup:
If all's ok, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found in the links below, to help you prevent any possible future infections:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#13 nukegrrl
Topic Starter, Members, 8 posts

Posted 25 October 2007 - 03:24 PM

Thank you for all of your help!! :blink:

I was unable to copy the results for the Move It program, as it prompted me to restart in order to move the files. I didn't realize that I should have copied the results before restarting. Unless there is a way to retrieve them?

Otherwise, everything seems fine and I followed the rest of your instructions. PC seems to be running great!

Again, I can't thank you enough. :thumbsup:

#14 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts

Posted 25 October 2007 - 05:21 PM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.