
Pop Ups


12 replies to this topic

#1 REINOMARK


Posted 13 May 2008 - 01:58 PM

Hi,
Hope someone can help.
I have been invaded by pop-ups in the last 2 days, none before. Probably something I unzipped from LimeWire, dumb I know.
I've run Spybot and Ad-Aware to no avail. Here is my HijackThis log file from today. Thanks, Mark



#2 miekiemoes

  • Malware Response Team

Posted 14 May 2008 - 01:29 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because otherwise it makes no sense for us to clean this up manually when no antivirus scan has been run; an antivirus should be able to deal with most of it and prevent further reinfection.

Also, please do not attach your logs, but copy and paste them in the thread instead.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 REINOMARK


Posted 17 May 2008 - 11:28 AM

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:24:52 AM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\MARK\STARTM~1\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [windowmess] C:\DOCUME~1\MARK\APPLIC~1\REMOTE~1\DupePileCdrom.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127163068921
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://fantasygames.mlb.com/images/crs/spl...b_teamlogos.gif

End of file - 9011 bytes

Tried to post the AntiVir log, but it was way too long, with lots of detections that were quarantined. Ran the scan again the next day with no detections, but still getting pop-ups.

Thanks
Mark

Edited by REINOMARK, 17 May 2008 - 11:32 AM.


#4 miekiemoes

  • Malware Response Team

Posted 17 May 2008 - 11:47 AM

Hello,

Tried to post the AntiVir log, but it was way too long, with lots of detections that were quarantined. Ran the scan again the next day with no detections, but still getting pop-ups.

Please upload the logfile from Avira here: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Then,

Go to Start > Control Panel > Software > Add/Remove Programs and check whether one or more of the following programs are installed; if so, uninstall them:

Messenger Plus! Live & Sponsor (CiD)
DivoCodec
Bitroll
Bitgrabber
Bitdownload
Get-Torrent
CiD Help / CiD Manager
Download Plugin for Internet Explorer
Netpumper
Search Plugin
Torrent101
WinZix
W3player
Zone Media


This is because they are bundled with the malware you are dealing with (Swizzor, aka Lop).

This will uninstall the malware application.
If, during the uninstall, you are asked for uninstall verification, enter the numbers that appear in the window.
If it says that the file was not found, double-check that you entered the exact command. If it is still the same, proceed with the next steps.


In case you can't find them,

* Go to Start > Run and copy and paste the command below into the field
(please make sure you copy and paste it exactly as you find it below):

"C:\DOCUME~1\MARK\APPLIC~1\REMOTE~1\DupePileCdrom.exe" -uninstall

Hit enter.

Then reboot. Important!

After reboot,

* Download Deljob.exe and save it on your desktop.
Doubleclick Deljob.exe.

A log (logit.txt) should open afterwards; it will also be saved on your desktop.
Post the contents of the log file in your next reply together with a new HijackThis log.
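An added Python example, not part of this thread or of HijackThis, that triages the O4 autostart entries of a log like the one posted above the way the helper did by eye: it flags a Windows system binary name started from outside system32 (the Fonts\svchost.exe entry) and an executable started from a user profile's Application Data (the DupePileCdrom.exe entry). The sample lines are copied from the posted log; the check logic, the SYSTEM32_ONLY set and the helper names are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# O4 autostart lines copied from the HijackThis log posted in this thread;
# the checks below are an added illustration, not part of HijackThis.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [windowmess] C:\DOCUME~1\MARK\APPLIC~1\REMOTE~1\DupePileCdrom.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Office10\OSA.EXE
"""

# Binaries that belong only in %WINDIR%\system32 (assumed list). The same
# file name starting from anywhere else (here C:\WINDOWS\Fonts\svchost.exe)
# is a masquerading sign worth checking before anything else.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe", "spoolsv.exe"}

# "O4 - HKLM\..\Run: [name] command" and "O4 - Global Startup: x.lnk = command"
O4_REGISTRY = re.compile(r"^O4 - (?P<key>.+?\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
# Shortest prefix ending in an executable extension, for unquoted commands.
EXE_TOKEN = re.compile(r"^(?P<path>.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:\s+(?P<args>.*))?$",
                       re.IGNORECASE)


@dataclass
class Autorun:
    key: str
    name: str
    exe_path: str
    args: str
    reasons: list = field(default_factory=list)  # empty means nothing odd


def split_command(cmd: str):
    """Return (executable path, arguments) from an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_TOKEN.match(cmd)
    if m:
        return m.group("path"), m.group("args") or ""
    parts = cmd.split(None, 1)
    return parts[0], parts[1] if len(parts) > 1 else ""


def assess(entry: Autorun) -> None:
    """Attach plain-language reasons an autorun deserves a second look."""
    low = entry.exe_path.lower()
    name = low.rsplit("\\", 1)[-1]
    in_system32 = re.match(r"^[a-z]:\\windows\\system32\\[^\\]+$", low) is not None
    if name in SYSTEM32_ONLY and not in_system32:
        entry.reasons.append(f"{name} is a system binary name but runs from {entry.exe_path}")
    # 8.3 short names (DOCUME~1, APPLIC~1) are how HijackThis printed the entry above.
    if re.search(r"\\(?:docume~1|documents and settings|users)\\", low):
        entry.reasons.append("executable lives inside a user profile")
    if re.search(r"\\(?:applic~1|application data|local settings|temp)\\", low):
        entry.reasons.append("executable lives under Application Data or a temp folder")
    if re.match(r"^[a-z]:\\windows\\(?:fonts|temp|help|tasks)\\", low):
        entry.reasons.append("executable lives in a Windows folder that holds no programs")


def triage(log_text: str) -> list:
    """Parse every O4 line of a HijackThis log and assess each autorun."""
    found = []
    for line in log_text.splitlines():
        m = O4_REGISTRY.match(line) or O4_STARTUP.match(line)
        if not m:
            continue  # not an O4 line; other HijackThis sections are ignored
        exe, args = split_command(m.group("cmd"))
        entry = Autorun(m.group("key"), m.group("name"), exe, args)
        assess(entry)
        found.append(entry)
    return found


if __name__ == "__main__":
    for a in triage(SAMPLE_O4_LINES):
        mark = "CHECK" if a.reasons else "ok   "
        print(f"{mark} [{a.name}] {a.exe_path} {a.args}".rstrip())
        for r in a.reasons:
            print(f"      - {r}")
```

Run against the full log text rather than the sample to see every O4 line scored; entries with an empty reasons list are the ordinary vendor autoruns.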

#5 REINOMARK


Posted 17 May 2008 - 08:16 PM

OK, I think that did it. Found the CiD Help program and deleted it. Here are the other logs you requested.

Thanks so much
Mark

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:11:20 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\MARK\STARTM~1\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127163068921
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://fantasygames.mlb.com/images/crs/spl...b_teamlogos.gif

--
End of file - 8898 bytes
--------------------------------------------------------
No LOP job-files found
--------------------------------------------------------
Files in Windows Tasks folder

AppleSoftwareUpdate.job
McAfee.com Scan for Viruses - My Computer (MAIN-MARK).job
--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 9CA3-D5A4

Directory of C:\Documents and Settings\MARK\Application Data

05/17/2008 05:38 PM <DIR> .
05/17/2008 05:38 PM <DIR> ..
03/07/2006 10:35 AM <DIR> BITTOR~1 .bittorrent
01/07/2008 05:52 PM <DIR> Adobe
02/22/2007 01:04 AM <DIR> AdobeUM
08/09/2006 09:22 AM <DIR> AOL
10/13/2006 07:53 AM <DIR> APPLEC~1 Apple Computer
02/22/2007 01:03 AM <DIR> ArcSoft
01/03/2008 11:17 PM <DIR> Corel
05/21/2006 03:29 PM <DIR> Creative
01/11/2006 12:01 AM <DIR> DIMAGE
09/23/2005 09:34 PM <DIR> EuroTalk
09/23/2006 04:32 PM <DIR> Google
03/02/2008 05:47 PM <DIR> GTek
10/22/2005 12:33 PM <DIR> Help
03/08/2007 09:11 AM <DIR> ICACLI~1 ICAClient
03/10/2005 06:48 AM <DIR> IDENTI~1 Identities
10/27/2007 01:26 AM <DIR> IMAGEZ~1 Image Zone Express
03/10/2005 07:20 AM <DIR> JASCSO~1 Jasc Software Inc
05/22/2005 10:08 PM <DIR> LEADER~1 Leadertech
07/10/2005 05:08 PM <DIR> MACROM~1 Macromedia
12/06/2007 07:34 PM <DIR> MAGIX
04/17/2005 11:29 PM <DIR> MCAFEE~1.COM McAfee.com Personal Firewall
01/26/2007 06:46 PM <DIR> MICROS~1 Microsoft
01/21/2008 08:29 PM <DIR> MOVENE~1 Move Networks
10/27/2005 10:07 AM <DIR> Mozilla
11/15/2007 07:27 AM <DIR> Real
06/12/2006 01:47 AM <DIR> REGIST~1 Registry Booster
12/01/2007 09:45 PM <DIR> Snapfish
05/22/2005 10:10 PM <DIR> Sonic
03/10/2005 07:16 AM <DIR> Sun
10/27/2005 10:07 AM <DIR> Talkback
03/13/2008 01:45 PM <DIR> TaxCut
10/27/2005 10:08 AM <DIR> THUNDE~1 Thunderbird
01/07/2008 11:53 AM <DIR> ULEADS~1 Ulead Systems
01/19/2007 05:56 PM <DIR> VIEWPO~1 Viewpoint
04/30/2006 10:33 AM <DIR> YOU'VE~1 You've Got Pictures Screensaver
0 File(s) 0 bytes
37 Dir(s) 46,028,079,104 bytes free
Volume in drive C has no label.
Volume Serial Number is 9CA3-D5A4

Directory of C:\Documents and Settings\All Users\Application Data

05/14/2008 12:18 AM <DIR> .
05/14/2008 12:18 AM <DIR> ..
10/24/2006 06:37 PM <DIR> AOL
09/15/2007 09:21 PM <DIR> AOLDOW~1 AOL Downloads
09/15/2007 09:21 PM <DIR> AOLOCP~1 AOL OCP
02/24/2008 02:45 PM <DIR> Apple
10/05/2006 08:55 PM <DIR> APPLEC~1 Apple Computer
05/14/2008 12:18 AM <DIR> Avira
01/03/2008 11:04 PM <DIR> Corel
10/17/2006 02:55 PM <DIR> Google
05/17/2008 05:38 PM <DIR> GREATC~1 great coal love default
03/02/2008 05:48 PM <DIR> GTek
08/14/2007 11:05 AM <DIR> HP
03/10/2005 07:20 AM <DIR> INSTAL~1 InstallShield
03/10/2005 07:25 AM <DIR> Intuit
11/03/2007 10:11 AM <DIR> McAfee.com
06/06/2005 10:04 AM <DIR> MCAFEE~1.COM McAfee.com Personal Firewall
11/15/2007 08:13 AM <DIR> MICROS~1 Microsoft
03/23/2007 07:24 PM <DIR> pdf995
03/02/2008 10:29 AM <DIR> PURENE~1 Pure Networks
04/18/2005 01:12 AM <DIR> QUICKT~1 QuickTime
03/10/2005 06:48 AM <DIR> SBSI
06/13/2006 07:00 AM <DIR> SPYBOT~1 Spybot - Search & Destroy
03/13/2008 01:43 PM <DIR> TaxCut
05/15/2008 08:49 AM <DIR> TEMP
01/31/2008 06:59 PM <DIR> ULEADS~1 Ulead Systems
02/22/2007 01:01 AM <DIR> VIEWPO~1 Viewpoint
09/19/2005 01:53 PM <DIR> WINDOW~1 Windows Genuine Advantage
0 File(s) 0 bytes
28 Dir(s) 46,028,075,008 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
All Users
CASEY
JULIE
MARK
MAX
--------------------------------------------------------

#6 miekiemoes

  • Malware Response Team

Posted 18 May 2008 - 01:00 AM

Hi,

Did you read this?

Please upload the logfile from Avira here: http://www.bleepingcomputer.com/submit-malware.php?channel=8


Also, since other malware is present in your log, most probably leftovers, I want to make sure that this infection is gone as well, so:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#7 REINOMARK


Posted 22 May 2008 - 11:54 PM

Thanks miekiemoes

I posted the two new logs on the link you provided

Mark

#8 miekiemoes

  • Malware Response Team

Posted 23 May 2008 - 12:00 AM

Hi,

You uploaded your HijackThis log. So please reread my instructions.
You had to upload the log from Avira and perform a scan with ComboFix, then copy and paste the ComboFix log in your next reply.

#9 REINOMARK


Posted 23 May 2008 - 01:12 AM

Sorry, thought I copied both...
Here's the ComboFix log.

Thx, Mark



ComboFix 08-05-21.3 - MARK 2008-05-22 14:15:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.228 [GMT -7:00]
Running from: C:\Documents and Settings\MARK\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MARK\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\Program Files\winupdates
C:\WINDOWS\Fonts\'
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-22 08:23 . 2008-05-22 08:23 40 --a------ C:\WINDOWS\webica.ini
2008-05-17 09:24 . 2008-05-17 09:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-14 00:18 . 2008-05-14 00:18 <DIR> d-------- C:\Program Files\Avira
2008-05-14 00:18 . 2008-05-14 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-13 13:36 . 2008-05-13 13:36 <DIR> d-------- C:\Program Files\InterMute
2008-05-13 09:03 . 2008-05-13 23:53 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-13 09:03 . 2008-05-22 14:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 09:07 . 2008-05-11 09:07 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2008-05-11 09:05 . 2008-05-17 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\great coal love default
2008-05-11 09:04 . 2008-05-11 09:19 <DIR> d-------- C:\Program Files\BitDownload

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 17:30 119,496 ----a-w C:\Documents and Settings\MARK\Application Data\GDIPFONTCACHEV1.DAT
2008-05-17 06:29 --------- d-----w C:\Program Files\Dell
2008-05-17 06:26 --------- d--h--w C:\Documents and Settings\MARK\Application Data\Move Networks
2008-05-14 07:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-01 05:31 9,728 -csha-w C:\Program Files\Thumbs.db
2008-04-29 16:32 --------- d-----w C:\Program Files\America Online 9.0a
2008-04-11 23:17 --------- d-----w C:\Documents and Settings\MAX\Application Data\Gtek
2008-04-01 18:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-26 12:31 --------- d-----w C:\Documents and Settings\JULIE\Application Data\Gtek
2007-09-25 07:22 35,704 ----a-w C:\Documents and Settings\MARK\Application Data\wklnhst.dat
2007-05-29 05:04 545,752 -c--a-w C:\Program Files\sgc10_rdr80_DLM_en_US.exe
2007-05-04 03:36 559,856 -c--a-w C:\Program Files\WindowsXP-KB906569-v2-x86-ENU.exe
2006-08-19 05:35 534,112 -c--a-w C:\Program Files\psa30se_ytb612_a708_DLM_en_us.exe
2006-08-01 06:08 100,288 ----a-w C:\Documents and Settings\MAX\Application Data\GDIPFONTCACHEV1.DAT
2006-06-05 02:27 11,078 ----a-w C:\Documents and Settings\JULIE\Application Data\wklnhst.dat
2006-06-04 04:13 2,126 -c--a-w C:\Documents and Settings\CASEY\Application Data\wklnhst.dat
2006-06-04 04:10 99,504 -c--a-w C:\Documents and Settings\CASEY\Application Data\GDIPFONTCACHEV1.DAT
2006-06-02 02:16 2,990 ----a-w C:\Documents and Settings\MAX\Application Data\wklnhst.dat
2006-05-30 01:02 99,504 ----a-w C:\Documents and Settings\JULIE\Application Data\GDIPFONTCACHEV1.DAT
2005-12-02 20:53 20,921,040 -c--a-w C:\Program Files\AdbeRdr705_enu_full.exe
2005-10-27 17:05 4,878,136 -c--a-w C:\Program Files\Firefox Setup 1.0.7.exe
2005-10-27 17:04 6,034,480 -c--a-w C:\Program Files\Thunderbird Setup 1.0.7.exe
2005-10-04 15:17 353,298 -c--a-w C:\Program Files\LimeWireWin.exe
2005-09-01 17:09 10,420,936 -c--a-w C:\Program Files\xlviewer.exe
2005-06-02 00:42 7,170,500 -c--a-w C:\Program Files\atlas.rcf
2005-06-02 00:12 4,914 -c--a-w C:\Program Files\DeIsL1.isu
2005-04-09 06:37 4,985,856 -c--a-w C:\Program Files\DellPSPA521Patch_English.exe
2000-02-23 10:38 14,483 -c--a-w C:\Program Files\readme.txt
1998-08-20 16:50 804,352 -c--a-w C:\Program Files\roadie32.dll
1998-06-24 14:43 46,080 -c--a-w C:\Program Files\teaser.exe
1997-06-03 03:31 108,032 -c--a-w C:\Program Files\sh32w32.dll
1997-05-07 15:41 666,112 -c--a-w C:\Program Files\rwmath32.exe
1997-05-07 15:39 54,272 -c--a-w C:\Program Files\atmsg32.dll
1997-05-05 18:23 42,496 -c--a-w C:\Program Files\cport32.dll
1997-05-05 12:59 436,224 -c--a-w C:\Program Files\atres32.dll
1997-04-24 14:36 85,504 -c--a-w C:\Program Files\atsnd32.dll
1997-04-21 12:24 766 -c--a-w C:\Program Files\Website.ico
1997-04-10 09:23 316 -c--a-w C:\Program Files\teaser.ini
1997-04-08 17:25 83,968 -c--a-w C:\Program Files\atfio32.dll
1997-02-28 16:05 99,478 -c--a-w C:\Program Files\teaser.bmp
1997-02-26 14:30 766 -c--a-w C:\Program Files\UNRWM.ico
1997-02-26 14:14 766 -c--a-w C:\Program Files\RWM.ico
1997-01-09 18:51 54,784 -c--a-w C:\Program Files\atmidi32.dll
1996-06-17 16:14 266,240 -c--a-w C:\Program Files\msvcrt.dll
1996-06-14 21:20 74,752 -c--a-w C:\Program Files\msvcirt.dll
2008-01-04 06:17 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 06:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 13:18 68856]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 01:13 1591808]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]
"AOL Fast Start"="C:\Program Files\America Online 9.0a\AOL.exe" [2005-07-25 22:30 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05 122939]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-16 13:00 531272]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]
Microsoft Office.lnk - C:\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 17:52 50736 C:\Program Files\Common Files\AOL\1142528435\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 16:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a------ 2006-11-16 13:42 183367 C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-17 13:18 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire 4.0.4\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1142528435\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1142528435\\ee\\aim6.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"C:\\Program Files\\Common Files\\AOL\\1142528435\\ee\\AOLOpenRide.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service

S3 RIOUNIV;Rio universal USB driver;C:\WINDOWS\system32\Drivers\RIOUNIV.sys [2005-07-04 16:38]
S3 RmAx;RMAXUSB;C:\WINDOWS\system32\Drivers\RmAx.sys [2005-09-04 18:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-18 06:53:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-17 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (MAIN-MARK).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 14:25:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\SYSTEM32\FXSSVC.EXE
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\America Online 9.0a\shellmon.exe
.
**************************************************************************




Completion time: 2008-05-22 14:41:13 - machine was rebooted [MARK]
ComboFix-quarantined-files.txt 2008-05-22 21:41:09

Pre-Run: 45,872,287,744 bytes free
Post-Run: 46,482,305,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

207 --- E O F --- 2008-05-16 00:44:47

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:57 AM

Posted 23 May 2008 - 06:27 PM

Hi,

What problems are you currently still having?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 REINOMARK

REINOMARK
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 23 May 2008 - 07:29 PM

The only thing I noticed is that I can't install the Adobe Flash Player; I've tried to re-download it and it says complete, but it's still not working.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:57 AM

Posted 24 May 2008 - 12:02 AM

Hi,

Navigate to and delete the following folders:

C:\Documents and Settings\All Users\Application Data\great coal love default
C:\Program Files\BitDownload

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

For your Flash Player, this is a common issue nowadays. Most people are having problems with this, so please see http://www.adobe.com/go/tn_19166

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Edited by miekiemoes, 24 May 2008 - 12:04 AM.


#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:57 AM

Posted 28 May 2008 - 10:48 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
