Virtumonde/smitfraudc - Any Help Appreciated


13 replies to this topic

#1 mprod


Posted 13 February 2008 - 05:16 PM

Hi,

First time member. Greetings!

I currently have the following malware: Smitfraudc and Virtumonde. I've tried running the executable fixes for this and it seems to have worked for smitfraudc; however, vundofix did not work. Spybot still detects the virtumonde.generic when run in safe mode.

Please advise.

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:42 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Susie Burke\Application Data\U3\000018742C609287\LaunchPad.exe
C:\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pusd.org/
F3 - REG:win.ini: load=C:\WINDOWS\system32\mljjg.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140456113031
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

--
End of file - 3730 bytes

Thanks in advance,
MPRod


#2 teacup61

  • Malware Response Team

Posted 13 February 2008 - 07:30 PM

Hello mprod,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 mprod

mprod
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:29 PM

Posted 14 February 2008 - 06:41 PM

Thank you for your reply here are my logs:

Combo Fix:
Start Time= Wed 02/13/2008 19:47:49.09

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-02-13 19:46:36 328192 ( A.... ) "C:\WINDOWS\system32\mljjg.exe"
2008-02-13 19:46:34 345088 ( A.... ) "C:\WINDOWS\system32\ctfmon.exe"
2008-02-13 19:38:52 15360 ( A.... ) "C:\WINDOWS\system32\ctfmon .exe"
2008-02-13 13:25:58 324608 ( A.... ) "C:\WINDOWS\system32\mljjg.dll"
2008-02-10 21:09:50 ( .D... ) "C:\Program Files\DellSupport"
2008-02-10 20:51:36 196 ( A.... ) "C:\rem.reg"
2008-02-10 20:50:42 1080 ( A.... ) "C:\terodbsh .bat"
2008-02-10 20:50:38 1080 ( A.... ) "C:\hlkynuct .bat"
2008-02-10 20:50:20 114688 ( A.... ) "C:\WINDOWS\system32\igfxpers .exe"
2008-02-10 20:50:18 94208 ( A.... ) "C:\WINDOWS\system32\igfxtray .exe"
2008-02-10 20:43:38 329216 ( A.... ) "C:\terodbsh.bat"
2008-02-10 20:43:36 329216 ( A.... ) "C:\hlkynuct.bat"
2008-01-08 16:43:16 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2008-01-06 22:36:00 77824 ( A.... ) "C:\WINDOWS\system32\hkcmd .exe"
2008-01-06 22:00:18 41472 ( ..... ) "C:\WINDOWS\system32\wvustsp.dll"
2008-01-02 10:21:36 17642616 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2007-12-22 17:14:00 ( .D... ) "C:\Documents and Settings\Susie Burke\Application Data\U3"
2007-12-14 01:59:16 139264 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2007-12-14 00:57:24 135168 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2007-12-14 00:57:22 135168 ( A.... ) "C:\WINDOWS\system32\java.exe"
2007-11-29 14:30:16 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2007-11-29 14:30:16 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2007-11-16 09:55:40 3766 ( A.... ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2007-11-13 03:31:12 60416 ( A.... ) "C:\WINDOWS\system32\tzchange.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SigmatelSysTrayApp"="stsystra.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Uaol"="\"C:\\DOCUME~1\\SUSIEB~1\\APPLIC~1\\RACLE~1\\winspool.exe\" -vt yazb"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"="C:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil9d.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E1759A31-E627-4758-9562-6899DF36C9C2}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"item"="PowerReg Scheduler"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=dword:00000002
"cmdService"=dword:00000002
"aawservice"=dword:00000002
"ose"=dword:00000003
"iPod Service"=dword:00000003
"IDriverT"=dword:00000003
"gusvc"=dword:00000003
"DSBrokerService"=dword:00000003
"Apple Mobile Device"=dword:00000002
"CCALib8"=dword:00000002
"AOL ACS"=dword:00000002


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: Wed 02/13/2008 19:49:43.90
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

#4 mprod

mprod
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:29 PM

Posted 14 February 2008 - 06:42 PM

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:08 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pusd.org/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\SUSIEB~1\APPLIC~1\RACLE~1\winspool.exe" -vt yazb
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140456113031
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 4731 bytes

#5 mprod

mprod
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:29 PM

Posted 14 February 2008 - 07:17 PM

I also wanted to mention that I ran Spybot in safe mode again and managed to pick up instances of Smitfraud-C.CoreService and Virtumonde.generic again. Please advise.

Thank you,

#6 teacup61

  • Malware Response Team

Posted 15 February 2008 - 12:14 PM

Hello,

What you're seeing is likely either in system restore, or in a quarantine folder. We'll fix that in the next post. :thumbsup:

Please open Notepad and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Uaol"=-

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

I need to see a log made in normal mode, please.

Thanks,
tea

#7 mprod

mprod
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:29 PM

Posted 15 February 2008 - 01:21 PM

Thanks for the reply Tea!

Anyhow, the registry fix has been added.

Here's my Normal Mode HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:40 AM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Real\RealPlayer\RealPlay .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\DellSupport\DSAgnt .exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pusd.org/
F3 - REG:win.ini: load=C:\WINDOWS\system32\mljjg.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [c4a19e9d] rundll32.exe "C:\WINDOWS\system32\dqyfuokf.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140456113031
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5999 bytes


Would you need a combofix log in normal mode as well?

Thank you

#8 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 February 2008 - 01:52 PM

Yes, please. :thumbsup: I don't think I asked you to run any of that in safe mode. Unless otherwise specified, please do the fixes in normal mode.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#9 mprod
  • Topic Starter
  • Members
  • 8 posts

Posted 15 February 2008 - 02:22 PM

Sorry Tea. That was my fault, went for my assumption hehe :thumbsup:

Anyhow here is my current ComboFix log in Normal Mode:

Start Time= Fri 02/15/2008 11:17:39.01

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-02-15 10:09:04 328192 ( A.... ) "C:\WINDOWS\system32\mljjg.exe"
2008-02-15 10:08:42 324608 ( A.... ) "C:\WINDOWS\system32\mljjg.dll"
2008-02-15 10:07:08 134 ( ..SH. ) "C:\WINDOWS\system32\yuriejkp.dllbox"
2008-02-14 21:47:20 15360 ( A.... ) "C:\WINDOWS\system32\ctfmon .exe"
2008-02-10 21:09:50 ( .D... ) "C:\Program Files\DellSupport"
2008-02-10 20:51:36 196 ( A.... ) "C:\rem.reg"
2008-02-10 20:50:42 1080 ( A.... ) "C:\terodbsh .bat"
2008-02-10 20:50:38 1080 ( A.... ) "C:\hlkynuct .bat"
2008-02-10 20:50:20 114688 ( A.... ) "C:\WINDOWS\system32\igfxpers .exe"
2008-02-10 20:50:18 94208 ( A.... ) "C:\WINDOWS\system32\igfxtray .exe"
2008-02-10 20:43:38 329216 ( A.... ) "C:\terodbsh.bat"
2008-02-10 20:43:36 329216 ( A.... ) "C:\hlkynuct.bat"
2008-01-08 16:43:16 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2008-01-06 22:36:00 77824 ( A.... ) "C:\WINDOWS\system32\hkcmd .exe"
2008-01-06 22:00:18 41472 ( ..... ) "C:\WINDOWS\system32\wvustsp.dll"
2008-01-02 10:21:36 17642616 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2007-12-22 17:14:00 ( .D... ) "C:\Documents and Settings\Susie Burke\Application Data\U3"
2007-12-14 01:59:16 139264 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2007-12-14 00:57:24 135168 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2007-12-14 00:57:22 135168 ( A.... ) "C:\WINDOWS\system32\java.exe"
2007-11-29 14:30:16 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2007-11-29 14:30:16 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2007-11-16 09:55:40 3766 ( A.... ) "C:\WINDOWS\system32\KGyGaAvL.sys"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SigmatelSysTrayApp"="stsystra.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"c4a19e9d"="rundll32.exe \"C:\\WINDOWS\\system32\\dqyfuokf.dll\",b"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E1759A31-E627-4758-9562-6899DF36C9C2}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler .exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler .exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler .exe"
"item"="PowerReg Scheduler "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Susie Burke^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
"path"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Susie Burke\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"item"="PowerReg Scheduler"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=dword:00000002
"cmdService"=dword:00000002
"aawservice"=dword:00000002
"ose"=dword:00000003
"iPod Service"=dword:00000003
"IDriverT"=dword:00000003
"gusvc"=dword:00000003
"DSBrokerService"=dword:00000003
"Apple Mobile Device"=dword:00000002
"CCALib8"=dword:00000002
"AOL ACS"=dword:00000002


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: Fri 02/15/2008 11:18:55.01
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

#10 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 February 2008 - 02:56 PM

Hello,

That just doesn't look right still. :thumbsup: Please delete the version of ComboFix you have now and get a fresh copy. Then, go offline and disable all your protection programs and run ComboFix. Be sure to re-enable your programs before you come back online to post the report. Can you tell me why it says QuickScan on it? That should not be like that.

#11 mprod
  • Topic Starter
  • Members
  • 8 posts

Posted 15 February 2008 - 03:34 PM

Hi Tea,

I feel like I'm doing something wrong here :blink:, the text "quick scan" keeps coming up in the log. I went offline and disabled all my protection. I also downloaded the ComboFix from this thread from the 2nd link provided and placed it on my desktop. I then ran the executable and it goes to 1 prompt asking for y/n to run the scan. Upon entering "y", the top line states "performing a quick scan of your machine". After, it states "preparing log report". Once that has finished my disk cleanup utility runs and cleans out temp files and then a text file of the log shows up. Am I doing something wrong? :thumbsup:

Thank you,
mprod

#12 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 February 2008 - 03:42 PM

Hello,

Okay, let's forget it for now. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

F3 - REG:win.ini: load=C:\WINDOWS\system32\mljjg.exe
O4 - HKLM\..\Run: [c4a19e9d] rundll32.exe "C:\WINDOWS\system32\dqyfuokf.dll",b


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Delete the files :

C:\WINDOWS\system32\mljjg.exe
C:\WINDOWS\system32\dqyfuokf.dll

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
    This moves the file to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.
Thanks,
tea

#13 mprod
  • Topic Starter
  • Members
  • 8 posts

Posted 15 February 2008 - 05:58 PM

Hi Tea, thanks again for all your help.

Anyhow, everything has been done as requested; however, as I was saving the logfile from DrWeb, it failed, stating that I do not have sufficient system resources. I tried opening my performance log to see where it is but I was not able to. I then tried to proceed without saving the log file and as I was trying to reboot, I received the blue screen :thumbsup:.

There was 1 incurable item on the list
Object: aolconnfix.exe
Path: C:\
Status: Trojan.PWS.Gamania.origin
Action: Incurable.Moved.

The rest of the viruses/trojans found were deleted, a total of 84

Here is my current HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:54 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pusd.org/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140456113031
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6596 bytes

Thank you,
mprod

#14 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 February 2008 - 07:32 PM

Hello,

Fix these and see if it helps:

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer a time or two and let me know how it's running. If it's running well, then try ComboFix again, just for kicks.....I really think we've got this beat. :thumbsup:

Thanks,
tea

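The entries teacup61 asked to fix in #12 (the win.ini load= hook and the hex-named Run value that points rundll32 at a DLL in system32) and in #14 (the Startup items with a space before .exe) have recognisable shapes in a HijackThis log. The Python below is an added example for this thread, not code from HijackThis or from anyone posting here: it splits each log line into its section code and body, then flags those three shapes so a helper can spot them in a long log. The sample log is constructed from lines quoted in the thread, and the heuristics are assumptions about what sets the flagged entries apart from the benign ones around them, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on HijackThis lines quoted in this thread:
# benign entries alongside the three the helper asked to fix.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\mljjg.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [c4a19e9d] rundll32.exe "C:\WINDOWS\system32\dqyfuokf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""


@dataclass
class HjtEntry:
    section: str   # HijackThis section code, e.g. "F3", "O4", "O23"
    body: str      # text after the "Oxx - " prefix
    raw: str       # the original line, used as the report key


# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 entries from a Run key: hive, bracketed value name, then the command.
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 given a quoted or bare DLL path and an export name after the comma.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# Value names that are only hex digits rather than a product name (heuristic).
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$")
# Whitespace right before the extension, as in "PowerReg Scheduler .exe" (heuristic).
SPACE_BEFORE_EXT_RE = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Split a HijackThis log line into section code and body; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return HjtEntry(section=m["section"], body=m["body"], raw=line.strip())


def suspicious_reasons(entry: HjtEntry) -> List[str]:
    """Return the reasons an entry deserves a second look (empty list means none noted)."""
    reasons: List[str] = []
    if entry.section == "F3" and re.match(r"REG:win\.ini: load=\S", entry.body):
        reasons.append("legacy win.ini load= autostart, rarely used by legitimate software")
    if entry.section == "O4":
        run = RUN_RE.match(entry.body)
        if run:
            if HEX_NAME_RE.match(run["name"].lower()):
                reasons.append("Run value name is a bare hex string, not a product name")
            dll = RUNDLL_RE.match(run["cmd"])
            if dll and "\\system32\\" in dll["dll"].lower() and len(dll["export"]) == 1:
                reasons.append("rundll32 loads a DLL from system32 through a one-letter export")
        if SPACE_BEFORE_EXT_RE.search(entry.body):
            reasons.append("whitespace before the file extension (look-alike of a known filename)")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; unflagged and non-entry lines are omitted."""
    report: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            report[entry.raw] = reasons
    return report


if __name__ == "__main__":
    for raw, why in triage(SAMPLE_LOG).items():
        print(raw)
        for reason in why:
            print("   ->", reason)
```

Point `triage()` at the text of a saved hijackthis.log instead of SAMPLE_LOG to run it on a real scan. The flags are prompts for a closer look, not verdicts: a legitimate installer can also write a hex value name, so anything flagged should be checked against the file's publisher and hash before it is removed, which is what the helper's "if present" fix list in the thread amounts to.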