Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Seriously Infected With Spy And Malware


  • Please log in to reply
20 replies to this topic

#1 surfnut

surfnut

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 20 November 2007 - 07:11 PM

I ran VundoFix, VirtumundoBeGone, Stinger, AVG, Adaware and a few more scans. Went through all steps to post the HJThis log and am still having the problem with popups. Now it is just a blank pop up window, if I let it sit long enough on the internet more windows will open. The computer is also running very slow. While performing the scan I found a lot of malware and spyware. I am not sure at this point what has been cleaned and what has not. Please Help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:36 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195595794865
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\prokykofs.html

--
End of file - 6225 bytes

BC AdBot (Login to Remove)

 


#2 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 27 November 2007 - 12:19 PM

surfnut

You may still have some stuff in hiding

Open the C:\Program Files\Trend Micro\HijackThis folder. Locate the file HijackThis.exe. Rt click that file and Select Rename. Rename it H.exe.

Then rerun H.exe (Formerly Hijackthis.exe) and post a fresh log.
Posted Image
Microsoft MVP - Windows Security

#3 surfnut

surfnut
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 28 November 2007 - 10:14 AM

Thank you for replying. Here is the new log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:29 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\H.exe
C:\WINDOWS\eHome\ehmsas.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1088EC51-7B46-4CA2-8791-8CD62C1FD0A0} - (no file)
O2 - BHO: (no name) - {4F88DF1A-810F-4D80-A9DA-8A7B15CFE19D} - (no file)
O2 - BHO: (no name) - {6E126494-6A9E-4F8F-9F25-B23C710D304F} - C:\WINDOWS\system32\vturs.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195595794865
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\prokykofs.html

--
End of file - 7713 bytes

#4 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 28 November 2007 - 11:01 AM

surfnut

Do you still have Vundofix?

We are going to run Vundofix again, but alter the instructions slightly
Run VundoFix again
  • At the Main window Rt Click in the Open Box and Select Add Files
  • A second window will open
  • Copy and paste the following into the blank boxes, one file path in each blank box.
    NOTE: There are 6 blank boxes. If there are more than 6 files to load. Then load 6
    Select Close window, then
    At the Main window Rt Click in the Open Box and Select Add Files Again
    • C:\WINDOWS\system32\vturs.dll
      C:\WINDOWS\system32\srutv.*
    Select Add Files ->> Repeat untill they are all loaded Then Close Window
  • Click the Remove Vundo button. Do not click the Scan for Vundo Button
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot
Posted Image
Microsoft MVP - Windows Security

#5 surfnut

surfnut
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 28 November 2007 - 02:52 PM

Was it just the two paths that you listed?

Here are the new logs.

Vundo Fix log:

VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:33:56 PM 11/17/2007

Listing files found while scanning....

C:\windows\system32\awtqn.dll
C:\windows\system32\bdexelaw.dll
C:\windows\system32\dbnnyyve.exe
C:\windows\system32\ddwlagsj.dll
C:\windows\system32\dtvvypxp.dll
C:\windows\system32\fmynfspp.dll
C:\windows\system32\frgohckb.dll
C:\windows\system32\hkoxukrw.dll
C:\windows\system32\ihejabia.dll
C:\windows\system32\iotprnvl.dll
C:\windows\system32\itabiecx.ini
C:\windows\system32\jgyvmfck.ini
C:\windows\system32\kcfmvygj.dll
C:\windows\system32\kopuvqnl.dll
C:\windows\system32\kxhsahwn.exe
C:\windows\system32\kxxnqlpl.ini
C:\windows\system32\leuldrpu.dll
C:\windows\system32\lplqnxxk.dll
C:\windows\system32\lrmbltas.ini
C:\windows\system32\nqtss.ini
C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\pnxjqjlp.dll
C:\windows\system32\ptprdiys.exe
C:\windows\system32\qgsetgys.dll
C:\windows\system32\ruskafej.exe
C:\windows\system32\satlbmrl.dll
C:\windows\system32\sstqn.dll
C:\windows\system32\tktjokta.exe
C:\windows\system32\ulgrcycv.dll
C:\windows\system32\uprdluel.ini
C:\windows\system32\urssqno.dll
C:\windows\system32\wufybaaa.dll
C:\windows\system32\xceibati.dll

Beginning removal...

Attempting to delete C:\windows\system32\awtqn.dll
C:\windows\system32\awtqn.dll Could not be deleted.

Attempting to delete C:\windows\system32\bdexelaw.dll
C:\windows\system32\bdexelaw.dll Has been deleted!

Attempting to delete C:\windows\system32\dbnnyyve.exe
C:\windows\system32\dbnnyyve.exe Has been deleted!

Attempting to delete C:\windows\system32\ddwlagsj.dll
C:\windows\system32\ddwlagsj.dll Has been deleted!

Attempting to delete C:\windows\system32\dtvvypxp.dll
C:\windows\system32\dtvvypxp.dll Has been deleted!

Attempting to delete C:\windows\system32\fmynfspp.dll
C:\windows\system32\fmynfspp.dll Has been deleted!

Attempting to delete C:\windows\system32\frgohckb.dll
C:\windows\system32\frgohckb.dll Has been deleted!

Attempting to delete C:\windows\system32\hkoxukrw.dll
C:\windows\system32\hkoxukrw.dll Has been deleted!

Attempting to delete C:\windows\system32\ihejabia.dll
C:\windows\system32\ihejabia.dll Has been deleted!

Attempting to delete C:\windows\system32\iotprnvl.dll
C:\windows\system32\iotprnvl.dll Has been deleted!

Attempting to delete C:\windows\system32\itabiecx.ini
C:\windows\system32\itabiecx.ini Has been deleted!

Attempting to delete C:\windows\system32\jgyvmfck.ini
C:\windows\system32\jgyvmfck.ini Has been deleted!

Attempting to delete C:\windows\system32\kcfmvygj.dll
C:\windows\system32\kcfmvygj.dll Has been deleted!

Attempting to delete C:\windows\system32\kopuvqnl.dll
C:\windows\system32\kopuvqnl.dll Has been deleted!

Attempting to delete C:\windows\system32\kxhsahwn.exe
C:\windows\system32\kxhsahwn.exe Has been deleted!

Attempting to delete C:\windows\system32\kxxnqlpl.ini
C:\windows\system32\kxxnqlpl.ini Has been deleted!

Attempting to delete C:\windows\system32\leuldrpu.dll
C:\windows\system32\leuldrpu.dll Has been deleted!

Attempting to delete C:\windows\system32\lplqnxxk.dll
C:\windows\system32\lplqnxxk.dll Has been deleted!

Attempting to delete C:\windows\system32\lrmbltas.ini
C:\windows\system32\lrmbltas.ini Has been deleted!

Attempting to delete C:\windows\system32\nqtss.ini
C:\windows\system32\nqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pnxjqjlp.dll
C:\WINDOWS\system32\pnxjqjlp.dll Could not be deleted.

Attempting to delete C:\windows\system32\ptprdiys.exe
C:\windows\system32\ptprdiys.exe Has been deleted!

Attempting to delete C:\windows\system32\qgsetgys.dll
C:\windows\system32\qgsetgys.dll Has been deleted!

Attempting to delete C:\windows\system32\ruskafej.exe
C:\windows\system32\ruskafej.exe Has been deleted!

Attempting to delete C:\windows\system32\satlbmrl.dll
C:\windows\system32\satlbmrl.dll Has been deleted!

Attempting to delete C:\windows\system32\sstqn.dll
C:\windows\system32\sstqn.dll Has been deleted!

Attempting to delete C:\windows\system32\tktjokta.exe
C:\windows\system32\tktjokta.exe Has been deleted!

Attempting to delete C:\windows\system32\ulgrcycv.dll
C:\windows\system32\ulgrcycv.dll Has been deleted!

Attempting to delete C:\windows\system32\uprdluel.ini
C:\windows\system32\uprdluel.ini Has been deleted!

Attempting to delete C:\windows\system32\urssqno.dll
C:\windows\system32\urssqno.dll Has been deleted!

Attempting to delete C:\windows\system32\wufybaaa.dll
C:\windows\system32\wufybaaa.dll Has been deleted!

Attempting to delete C:\windows\system32\xceibati.dll
C:\windows\system32\xceibati.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\awtqn.dll
C:\windows\system32\awtqn.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pnxjqjlp.dll
C:\WINDOWS\system32\pnxjqjlp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:47:21 PM 11/17/2007

Listing files found while scanning....


VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:44:53 PM 11/17/2007

Listing files found while scanning....

C:\windows\system32\fpflmysb.dll

Beginning removal...

Attempting to delete C:\windows\system32\fpflmysb.dll
C:\windows\system32\fpflmysb.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:50:05 PM 11/17/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:58:40 PM 11/18/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:00:50 PM 11/18/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:57:59 AM 11/23/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.dll Has been deleted!

Performing Repairs to the registry.
Done!



HiJack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:18 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\H.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1088EC51-7B46-4CA2-8791-8CD62C1FD0A0} - (no file)
O2 - BHO: (no name) - {4F88DF1A-810F-4D80-A9DA-8A7B15CFE19D} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {E747B9F4-719F-41B9-A1DE-8548E6163067} - C:\WINDOWS\system32\vturs.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195595794865
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\prokykofs.html

--
End of file - 7760 bytes


Thanks

#6 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 28 November 2007 - 04:05 PM

surfnut

You did it right.

1. Rerun Hijackthis (scan only) and place checks beside the following entriesO2 - BHO: (no name) - {1088EC51-7B46-4CA2-8791-8CD62C1FD0A0} - (no file)
O2 - BHO: (no name) - {4F88DF1A-810F-4D80-A9DA-8A7B15CFE19D} - (no file)
O2 - BHO: (no name) - {E747B9F4-719F-41B9-A1DE-8548E6163067} - C:\WINDOWS\system32\vturs.dll (file missing)

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log

And in your Reply give me an update on how your PC is running now
Posted Image
Microsoft MVP - Windows Security

#7 surfnut

surfnut
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 29 November 2007 - 08:41 AM

I did as you said and it cleaned up the computer until I rebooted. The computer itself is running okay, it is a little slow on the boot up. The pop ups returned as soon as I rebooted, the only difference now is that they seem to be the same pop ups. Buzznet.com and multi-pops.com.

Here is the new hijackthis log. I ran it after rebooting a few times.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:00 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\H.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195595794865
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\prokykofs.html

--
End of file - 7503 bytes


Thank you again for your help.

#8 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 29 November 2007 - 11:33 AM

surfnut

Run an online virus scan called Kaspersky from HERE.1. Click on "Kaspersky Online Scanner"
2. A new smaller window will pop up. Press on "Accept". After reading the contents.
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next"->>"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
5. Then click on "My Computer". And the scan will start.
6. When the scan is complete Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan

==========

Note: For IE7 uers. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.
Posted Image
Microsoft MVP - Windows Security

#9 surfnut

surfnut
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 29 November 2007 - 07:18 PM

Here are the results of the Kaspersky scan.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 29, 2007 7:16:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/11/2007
Kaspersky Anti-Virus database records: 468571
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 47562
Number of viruses found: 4
Number of infected objects: 5
Number of suspicious objects: 2
Duration of the scan process: 01:29:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{491496A7-B033-460C-8862-994DE9DDEEB1}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{CE5169BA-65B2-4084-B7DC-35B7E07AFEFD}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eadf3f6e7aeddc2c22f533683696d9bd_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1549OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Joy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Joy\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Joy\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Joy\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Joy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Joy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Joy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joy\Local Settings\History\History.IE5\MSHist012007112920071130\index.dat Object is locked skipped
C:\Documents and Settings\Joy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Joy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Joy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\b111.exe Infected: Trojan-Downloader.Win32.Agent.fjv skipped
C:\WINDOWS\b147.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel® 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2BA85D54-224C-407A-A6EE-251BBDAA629A}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{27B36873-6572-442B-AD9C-8F7634D242E8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_EwV87Ij9dXPrMSu Object is locked skipped
C:\WINDOWS\Temp\mcmsc_igTih0E4CbaEbge Object is locked skipped
C:\WINDOWS\Temp\mcmsc_OHlJrQo79GI61pU Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Rs84ybHeuh6cx4S Object is locked skipped
C:\WINDOWS\Temp\mcmsc_TooNO8eJZxspleG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#10 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 30 November 2007 - 08:26 AM

surfnut

1. Please download the Killbox.1)Save it to the desktop
2) Rt Click->>Extract all->.Extract it to your Desktop
3) Double Click Killbox.exe to run it
4)Select "Delete on Reboot", and then select "All files".
5) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\b147.exe
C:\WINDOWS\b111.exe
C:\Program Files\Windows Media Player\prokykofs.html

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
7) Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.
[/list]2. Rerun KillboxAt the main window Select Tools ->> Delete Temp Files
At the next window uncheck XP Prefetch
Leave the other boxes checked
Select "Delete Selected Temp Files"
Allow the tool to run. When it is finished (You will know that it is finished because the checks will disappear from the location boxes)
Select "Exit"
Then Select "Exit" again to close Killbox
3. In the windows control panel.
If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start ->> run ->> type in cmd and hit OK
type
ipconfig /flushdns (that space between g and / is needed)
then hit enter, type exit hit enter

Reboot your PC ->> Rerun Hijackthis and post a fresh Hiajckthis log.

And in your reply give me an update on how the P is running now
Posted Image
Microsoft MVP - Windows Security

#11 surfnut

surfnut
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 30 November 2007 - 08:55 PM

The computer seems to be running much better now. I am no longer receiving popups while on the internet. I have rebooted several times and surfed around the web a little and don't seem to be having any difficulties. The only thing is I am now receiving a message from mcAfee, which I have attached as a JPEG. I was wondering if you knew anything about it. It is a buffer overflow message about explorer.exe. I have the ability to trust in the future, but I am not sure if I should, so I continue to just close the alert. It comes up every time I start Windows. Any help on that would be great.

Here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:46 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\H.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195595794865
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\prokykofs.html

--
End of file - 7611 bytes


Thanks Again!!!!!! :thumbsup:

Attached Files



#12 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 02 December 2007 - 02:53 PM

surfnut

Buffer overflow vulnerablitites are an old exploit in unpatched versions of windows. Without something more specific I can't explain the McAfee warning. Expecially when you are not on the Internet. It may be nothing, it may be something that needs to be allowed one time since the clean up.

Run a full system scan with Mcafee and asee if it turns up anything, at least we may be able to see what it is seeing.
Posted Image
Microsoft MVP - Windows Security

#13 surfnut

surfnut
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 04 December 2007 - 02:46 PM

The popups have returned. I am not receiving the the buffer overflow alert as of right now. I did do the mcafee scan
and it found one file.
PrcViewer

Other then the popups the computer is running much better. Here is also another HiJackthis log.
Thank you again for all of the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:56 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\H.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195595794865
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\prokykofs.html

--
End of file - 7610 bytes

#14 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 05 December 2007 - 08:54 AM

surfnut

O.k. let's take another look

Please download Combofix and save to your desktop:Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Posted Image
Microsoft MVP - Windows Security

#15 surfnut

surfnut
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 06 December 2007 - 07:33 AM

Here is the ComboFix Log.
The popups don't seem to be constant anymore. One time I will get them and some times I won't. Like right now I went on the internet to post and did not get any pop ups. I rebooted the computer after the combofix, because it seemed to have hung after it created the log.
Thanks.

ComboFix 07-12-05.2 - Joy 2007-12-05 20:33:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.148 [GMT -5:00]
Running from: C:\Documents and Settings\Joy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Amanda\Application Data\FNTS~1
C:\Documents and Settings\Amanda\Application Data\FunWebProducts
C:\Documents and Settings\Amanda\Application Data\SSEMBL~1
C:\Documents and Settings\Amanda\Application Data\WinTouch
C:\Documents and Settings\Amanda\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Amanda\My Documents\MCROSO~1
C:\Documents and Settings\Amanda\My Documents\MCROSO~1\M?crosoft\
C:\Documents and Settings\Amanda\My Documents\WNSXS~1
C:\Documents and Settings\Amanda\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Amanda\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Amanda\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\ystem~1
C:\Program Files\curity~1
C:\Program Files\poolsv
C:\Program Files\Temporary
C:\Program Files\Windows Media Player\prokykofs.html
C:\temp\tn3
C:\WINDOWS\b111.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\ppatch~1
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\F4
C:\WINDOWS\system32\F9
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\win

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core


((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-11-29 17:22 . 2007-11-29 17:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-29 17:22 . 2007-11-29 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-24 09:48 . 2007-11-24 09:48 148 --a------ C:\Documents and Settings\Joy\Application Data\wklnhst.dat
2007-11-24 09:36 . 2007-11-24 09:36 <DIR> d-------- C:\Documents and Settings\Joy\Application Data\AdobeUM
2007-11-24 09:12 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-24 09:12 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-24 09:12 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-24 09:12 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-24 09:12 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-24 09:12 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-24 09:11 . 2007-11-24 09:11 <DIR> d-------- C:\mcafee_mcpr
2007-11-24 09:10 . 2007-11-24 09:11 <DIR> d-------- C:\Program Files\McAfee.com
2007-11-24 09:10 . 2007-11-24 20:35 <DIR> d-------- C:\Program Files\McAfee
2007-11-24 09:10 . 2007-11-24 09:12 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-24 09:05 . 2007-11-24 09:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-23 08:11 . 2007-11-23 08:11 2,760 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-23 08:10 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-23 08:10 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-23 08:10 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-23 08:10 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-21 04:00 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-21 04:00 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-20 18:27 . 2005-10-14 14:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-11-20 17:44 . 2007-11-20 17:44 <DIR> d-------- C:\Program Files\MSBuild
2007-11-20 17:40 . 2007-11-20 18:40 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-11-20 17:39 . 2007-11-20 17:39 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-11-20 17:38 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-11-20 17:37 . 2007-11-20 17:37 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-20 17:37 . 2006-10-04 09:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-11-20 17:37 . 2006-10-04 09:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-20 17:37 . 2006-10-04 09:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-20 17:34 . 2007-11-20 17:35 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-20 17:32 . 2007-11-20 18:28 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-20 17:32 . 2007-11-20 17:33 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-20 17:06 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-11-20 17:06 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-11-20 17:06 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-11-20 16:54 . 2007-11-20 16:56 <DIR> d-------- C:\SpyWare Removal Tools
2007-11-20 16:12 . 2007-11-20 16:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-20 16:12 . 2007-11-20 16:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-20 07:28 . 2007-11-20 07:53 <DIR> d-------- C:\Documents and Settings\Joy\.housecall6.6
2007-11-19 21:55 . 2007-11-20 12:35 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-19 08:06 . 2007-11-19 21:34 401 --a------ C:\WINDOWS\wininit.ini
2007-11-19 07:38 . 2007-11-27 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 04:36 . 2007-11-27 22:15 6,892 ---hs---- C:\WINDOWS\system32\srutv.bak2
2007-11-18 20:21 . 2007-11-18 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-18 16:36 . 2007-11-28 14:21 6,660 ---hs---- C:\WINDOWS\system32\srutv.ini
2007-11-18 16:36 . 2007-11-22 04:37 6,510 ---hs---- C:\WINDOWS\system32\srutv.bak1
2007-11-18 16:26 . 2007-11-18 16:28 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-17 20:33 . 2007-11-18 17:11 <DIR> d-------- C:\VundoFix Backups
2007-11-15 20:47 . 2007-11-15 20:48 <DIR> d-------- C:\Documents and Settings\Joy\Application Data\SpyGuardPro
2007-11-15 20:46 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-15 20:40 . 2007-11-15 20:40 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-15 20:40 . 2007-11-15 20:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 20:40 . 2007-11-15 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 17:30 . 2007-11-15 17:30 <DIR> d-------- C:\Program Files\CCleaner
2007-11-15 17:20 . 2007-11-15 17:20 <DIR> d-------- C:\Documents and Settings\Joy\Application Data\Viewpoint
2007-11-15 17:19 . 2007-11-15 17:19 <DIR> d-------- C:\Documents and Settings\Joy\Application Data\AOL
2007-11-15 17:19 . 2003-01-10 16:13 33,588 --a------ C:\WINDOWS\system32\drivers\wanatw4.sys
2007-11-15 17:18 . 2004-04-07 11:45 225,280 --a------ C:\WINDOWS\system32\AOLDial.dll
2007-11-15 17:18 . 2007-11-15 17:18 2,220 --a------ C:\WINDOWS\system32\MRT.INI
2007-11-13 18:55 . 2007-07-09 08:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 14:44 --------- d-----w C:\Program Files\GemMaster
2007-11-24 14:37 --------- d-----w C:\Program Files\RGB
2007-11-18 02:41 --------- d-----w C:\Program Files\Dell
2007-11-18 02:10 --------- d-----w C:\Program Files\Trend Micro
2007-11-15 22:18 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-15 22:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-06-28 15:34 23,706 ----a-w C:\Documents and Settings\Amanda\Application Data\wklnhst.dat
2006-02-02 22:15 58,600 ----a-w C:\Documents and Settings\Amanda\Application Data\GDIPFONTCACHEV1.DAT
2006-01-03 02:35 0 ----a-w C:\Documents and Settings\Joe\Application Data\wklnhst.dat
2007-06-28 15:37 56 --sh--r C:\WINDOWS\system32\7AEED9727C.sys
2007-06-28 15:37 3,610 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2007-11-06 02:31]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-27 09:15]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-11-27 09:14:36]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-02-16 11:08:44]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 17:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-24 14:11:23 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-11-24 14:11:21 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 22:28:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 22:29:52 - machine was rebooted
.
--- E O F ---




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users