Infected With Virus


6 replies to this topic

#1 amarice
Posted 19 June 2008 - 10:56 AM

The computer goes incredibly slow and there are many error messages when I log on. It can barely open Internet Explorer. Thanks in advance for any help. Here are the logs:

Deckard's System Scanner v20071014.68
Run by Amaris Done on 2008-06-19 11:54:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).
System Drive C: has 3.68 GiB (less than 15%) free.


-- HijackThis (run as Amaris Done.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:23 AM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Elijah Done\Desktop\Install\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\AMARIS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimtoday.aim.com/today/aimtoday.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;;*.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: FrontierBA BHO - {A93A3CC1-BA23-4d0d-9440-6A0148362B7E} - C:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Frontier Browser Assistant - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - C:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\RunOnce: [SpybotDeletingA4326] command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9017] cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2827] command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3072] cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2385] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9802] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9789] command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8240] cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8292] command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1528] cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1480] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8105] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [MySpaceIM] C:\Documents and Settings\Elijah Done\Application Data\MySpace\IM\bin\MySpaceIM.exe (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [RoboForm] "C:\Documents and Settings\Elijah Done\Application Data\RoboForm\RoboTaskBarIcon.exe" (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Elijah Done')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - S-1-5-21-3202803940-171261624-1627371184-1009 Startup: hc_tray.lnk = C:\Documents and Settings\Elijah Done\My Documents\Kuma Games\hcsystray\hc_tray.exe (User 'Elijah Done')
O4 - S-1-5-21-3202803940-171261624-1627371184-1009 Startup: IM2 Messenger.lnk = C:\Program Files\Messenger2\messenger2.exe (User 'Elijah Done')
O4 - S-1-5-21-3202803940-171261624-1627371184-1009 User Startup: hc_tray.lnk = C:\Documents and Settings\Elijah Done\My Documents\Kuma Games\hcsystray\hc_tray.exe (User 'Elijah Done')
O4 - S-1-5-21-3202803940-171261624-1627371184-1009 User Startup: IM2 Messenger.lnk = C:\Program Files\Messenger2\messenger2.exe (User 'Elijah Done')
O4 - Startup: IM2 Messenger.lnk = C:\Program Files\Messenger2\messenger2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZC
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157801047171
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://images.google.com/images?q=tbn:mP9k.../monkey_016.jpg

--
End of file - 14173 bytes

-- Files created between 2008-05-19 and 2008-06-19 -----------------------------

2008-06-19 11:36:04 0 d-------- \Deckard
2008-06-18 10:02:32 0 d-------- C:\Program Files\Trend Micro
2008-06-16 23:55:06 0 d-------- C:\Documents and Settings\Elijah Done\Application Data\Lavasoft
2008-06-16 17:51:21 0 d-------- C:\Documents and Settings\Elijah Done\Application Data\Spybot - Search & Destroy
2008-06-16 16:03:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-10 09:07:05 0 d-------- C:\Documents and Settings\Elijah Done\Application Data\InstallShield
2008-06-03 19:18:01 0 d-------- C:\Program Files\AIM6
2008-05-30 08:36:08 0 d-------- C:\Documents and Settings\Admin\Application Data\MySpace
2008-05-30 08:33:52 535891968 --ahs---- \hiberfil.sys


-- Find3M Report ---------------------------------------------------------------

2008-06-19 11:24:55 805306368 --ahs---- \pagefile.sys
2008-06-16 16:03:12 0 d-------- C:\Program Files\Lavasoft
2008-06-16 16:02:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-09 16:22:39 0 d-------- C:\Program Files\Guitar Pro 5
2008-06-04 20:57:48 0 d-------- C:\Program Files\Common Files\aol
2008-06-04 20:57:48 0 d-------- C:\Program Files\AIM
2008-06-03 19:20:41 0 d-------- C:\Documents and Settings\Amaris Done\Application Data\LimeWire
2008-06-03 19:18:51 0 d-------- C:\Program Files\Common Files
2008-05-30 09:18:22 0 d-------- C:\Program Files\AIM Games
2008-05-30 09:10:49 0 d-------- C:\Program Files\SIERRA
2008-05-30 09:10:16 0 d-------- C:\Program Files\Nova Development
2008-05-30 09:03:05 0 d-------- C:\Program Files\GameSpy Arcade
2008-05-30 08:59:19 0 d-------- C:\Program Files\Brother
2008-05-30 08:59:18 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-30 08:59:17 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-30 08:54:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-30 08:52:35 0 d-------- C:\Program Files\Carmen Math Detective
2008-05-18 10:56:36 28672 --a------ C:\WINDOWS\system32\f3PSSavr.scr <Not Verified; FunWebProducts.com; Popular Screensavers>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 02:46 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/06/2003 03:16 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 03:04 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/24/2003 06:41 PM]
"nwiz"="nwiz.exe" [10/06/2003 03:16 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"MyWebSearch Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [02/07/2007 08:51 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [11/07/2006 11:29 AM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [01/11/2007 09:45 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB9789"=command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
"SpybotDeletingD8240"=cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
"SpybotDeletingB8292"=command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
"SpybotDeletingD1528"=cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
"SpybotDeletingB1480"=command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
"SpybotDeletingD8105"=cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA4326"=command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
"SpybotDeletingC9017"=cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
"SpybotDeletingA2827"=command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
"SpybotDeletingC3072"=cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
"SpybotDeletingA2385"=command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
"SpybotDeletingC9802"=cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t


-- End of Deckard's System Scanner: finished at 2008-06-19 11:54:39 ------------

#2 Deacon10
Posted 19 June 2008 - 12:16 PM

"Welcome to BleepingComputer.com"

Hi there. I'm Deacon10, or Larry if you prefer, and will be working with you to resolve your problems. I am reviewing your log, which requires an amount of research, so please be patient.
Just a few notes I tell everybody I work with:
  • Please reply to this thread. Do not start a new topic.
  • If you have any questions or don't understand something, please stop and ask before you proceed.
  • Please set aside enough time to complete all the steps in each post and follow these instructions in the order stated.
  • If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
  • Please continue here with me until I tell you your system is free from malware.
    Just because a symptom disappears does not mean your system is clean.
  • The following fix is specifically designed for this user's post and this machine only!

Deacon10

"Hindsight explains the injury that foresight would have prevented"

#3 amarice

Posted 19 June 2008 - 02:18 PM

Thanks for the help in advance. My name is Ian.

#4 Deacon10

Posted 19 June 2008 - 04:09 PM

Hi amarice,
You are very welcome!


Download Malwarebytes' Anti-Malware from HERE or from HERE

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware; then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform full scan"; then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad. You may be prompted to Restart (See Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

POST BACK WITH:
MBAM Log
A new DSS Scan

Deacon10

"Hindsight explains the injury that foresight would have prevented"

#5 amarice

Posted 19 June 2008 - 05:53 PM

MBAM log:

Malwarebytes' Anti-Malware 1.17
Database version: 870

6:51:44 PM 6/19/2008
mbam-log-6-19-2008 (18-51-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 165744
Time elapsed: 1 hour(s), 11 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\20080619115414\backup\WINDOWS\temp\ONE25.tmp\upgrade.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\home.js (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\onestep.dll (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\osopt.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\readme.html (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\uninstall.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.

DSS log:

Deckard's System Scanner v20071014.68
Run by Amaris Done on 2008-06-19 18:53:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).
System Drive C: has 3.59 GiB (less than 15%) free.


-- HijackThis (run as Amaris Done.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:06 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Elijah Done\Desktop\Install\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\AMARIS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimtoday.aim.com/today/aimtoday.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;;*.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: FrontierBA BHO - {A93A3CC1-BA23-4d0d-9440-6A0148362B7E} - C:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Frontier Browser Assistant - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - C:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\RunOnce: [SpybotDeletingA4326] command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9017] cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2827] command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3072] cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2385] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9802] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9789] command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8240] cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8292] command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1528] cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1480] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8105] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [MySpaceIM] C:\Documents and Settings\Elijah Done\Application Data\MySpace\IM\bin\MySpaceIM.exe (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [RoboForm] "C:\Documents and Settings\Elijah Done\Application Data\RoboForm\RoboTaskBarIcon.exe" (User 'Elijah Done')
O4 - HKUS\S-1-5-21-3202803940-171261624-1627371184-1009\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Elijah Done')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - S-1-5-21-3202803940-171261624-1627371184-1009 Startup: hc_tray.lnk = C:\Documents and Settings\Elijah Done\My Documents\Kuma Games\hcsystray\hc_tray.exe (User 'Elijah Done')
O4 - S-1-5-21-3202803940-171261624-1627371184-1009 Startup: IM2 Messenger.lnk = C:\Program Files\Messenger2\messenger2.exe (User 'Elijah Done')
O4 - S-1-5-21-3202803940-171261624-1627371184-1009 User Startup: hc_tray.lnk = C:\Documents and Settings\Elijah Done\My Documents\Kuma Games\hcsystray\hc_tray.exe (User 'Elijah Done')
O4 - S-1-5-21-3202803940-171261624-1627371184-1009 User Startup: IM2 Messenger.lnk = C:\Program Files\Messenger2\messenger2.exe (User 'Elijah Done')
O4 - Startup: IM2 Messenger.lnk = C:\Program Files\Messenger2\messenger2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZC
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157801047171
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://images.google.com/images?q=tbn:mP9k.../monkey_016.jpg

--
End of file - 14172 bytes

-- Files created between 2008-05-19 and 2008-06-19 -----------------------------

2008-06-19 17:19:45 0 d-------- C:\Documents and Settings\Amaris Done\Application Data\Malwarebytes
2008-06-19 17:19:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-19 17:19:38 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 11:36:04 0 d-------- \Deckard
2008-06-18 10:02:32 0 d-------- C:\Program Files\Trend Micro
2008-06-16 23:55:06 0 d-------- C:\Documents and Settings\Elijah Done\Application Data\Lavasoft
2008-06-16 17:51:21 0 d-------- C:\Documents and Settings\Elijah Done\Application Data\Spybot - Search & Destroy
2008-06-16 16:03:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-10 09:07:05 0 d-------- C:\Documents and Settings\Elijah Done\Application Data\InstallShield
2008-06-03 19:18:01 0 d-------- C:\Program Files\AIM6
2008-05-30 08:36:08 0 d-------- C:\Documents and Settings\Admin\Application Data\MySpace
2008-05-30 08:33:52 535891968 --ahs---- \hiberfil.sys


-- Find3M Report ---------------------------------------------------------------

2008-06-19 11:24:55 805306368 --ahs---- \pagefile.sys
2008-06-16 16:03:12 0 d-------- C:\Program Files\Lavasoft
2008-06-16 16:02:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-09 16:22:39 0 d-------- C:\Program Files\Guitar Pro 5
2008-06-04 20:57:48 0 d-------- C:\Program Files\Common Files\aol
2008-06-04 20:57:48 0 d-------- C:\Program Files\AIM
2008-06-03 19:20:41 0 d-------- C:\Documents and Settings\Amaris Done\Application Data\LimeWire
2008-06-03 19:18:51 0 d-------- C:\Program Files\Common Files
2008-05-30 09:18:22 0 d-------- C:\Program Files\AIM Games
2008-05-30 09:10:49 0 d-------- C:\Program Files\SIERRA
2008-05-30 09:10:16 0 d-------- C:\Program Files\Nova Development
2008-05-30 09:03:05 0 d-------- C:\Program Files\GameSpy Arcade
2008-05-30 08:59:19 0 d-------- C:\Program Files\Brother
2008-05-30 08:59:18 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-30 08:59:17 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-30 08:54:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-30 08:52:35 0 d-------- C:\Program Files\Carmen Math Detective


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 02:46 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/06/2003 03:16 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 03:04 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/24/2003 06:41 PM]
"nwiz"="nwiz.exe" [10/06/2003 03:16 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"MyWebSearch Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [02/07/2007 08:51 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [11/07/2006 11:29 AM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [01/11/2007 09:45 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB9789"=command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
"SpybotDeletingD8240"=cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
"SpybotDeletingB8292"=command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
"SpybotDeletingD1528"=cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
"SpybotDeletingB1480"=command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
"SpybotDeletingD8105"=cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA4326"=command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
"SpybotDeletingC9017"=cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
"SpybotDeletingA2827"=command /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
"SpybotDeletingC3072"=cmd /c del "C:\Documents and Settings\isaiah done\Application Data\ShoppingReport\cs\res1\WhiteList.dbs"
"SpybotDeletingA2385"=command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
"SpybotDeletingC9802"=cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t


-- End of Deckard's System Scanner: finished at 2008-06-19 18:53:26 ------------

#6 Deacon10
Posted 20 June 2008 - 09:36 PM

Hello Ian,
Please follow these directions in the order posted below

Disable Windows Defender real time protection
Please leave it disabled during the cleaning process.
  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender
After all of the fixes are complete it is very important that you enable the real-time protection again.

:)
You have a service running that is Adware. Let's take care of that.

Click start->Run.... Copy and paste in the following commands one at a time and click OK each time.

sc stop FreezeScreenSaver
sc delete FreezeScreenSaver


:thumbsup:
I notice that you have Weatherbug installed. While this is not spyware, it is considered to be adware. On the other hand, Weatherbug claims that their product does not serve pop-ups, as long as you specifically select the custom install options and choose to not install the spyware. You can get basically the same functionality without the pop-ups by downloading the spyware-free Weather Pulse from here or from here. It is your choice whether to keep Weatherbug or not.

Should you decide to uninstall Weatherbug, make sure the program is not running before uninstalling it. If there is a WeatherBug icon in the system tray (in the lower right hand corner of the screen by the clock) you'll need to right-click on it and choose "Exit WeatherBug" or "Terminate Weatherbug".


Uninstall MyWebSearch and any of the following programs associated with it if present:
- Go to Start > Control Panel > Add/Remove Programs
- Select MyWebSearch > click Remove
- If any of these are listed, select each one at a time and click Remove for each one:
My Way Speedbar (Smiley Central or other FWP as applicable)
My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
Search Assistant - My Way
Weatherbug < If you decide to remove it. Make sure the program is not running before uninstalling it.
- Exit.

Please run Hijackthis and select "Do a system scan only" and place a check beside each of the following if they are present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\RunOnce: [SpybotDeletingA2385] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9802] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1480] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8105] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL"
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe

Delete the following files and or folders:

Go to the start menu
Select Run and type in explorer
Now navigate using the left hand menu to the following folders. Delete the whole file and/or folder as highlighted in black

C:\WINDOWS\system32\FreezeScreenSaver.exe<--DELETE FILE
C:\PROGRA~1\MYWEBS~1<--DELETE FOLDER
C:\Program Files\MyWebSearch<--DELETE FOLDER

Reboot your computer

You have an outdated version of Java which, because of security reasons, needs to be updated. To update Java:
- Download the latest version of Java Runtime Environment (JRE) 6u6 from
HERE
and save it to your Desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel > Add/Remove Programs and remove ALL older versions of Java by checking any item, one at a time, with Java Runtime Environment (JRE or J2SE) in the name. It should have the coffee cup icon next to it.
- For each item that you check, click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove ALL of the Java versions.
- REBOOT your computer once ALL Java components are removed.
- Then from your Desktop, double-click on the newly-downloaded Java file to install the newest version.

:thumbup2:
Perform an online scan with Kaspersky Online Scanner
1. Read the Requirements and Privacy statement, then select "Accept"
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
3. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "Next".
5. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
6. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
7. Click "OK".
8. Under "Select a target to scan", click on "My Computer".
9. When the scan is complete, choose to save the results as Save as Text named kaspersky.txt to your Desktop and post it in your next reply.


Perform a complete DSS scan.
click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt

Please post back with:
kaspersky.txt Log
DSS Main txt
DSS extra txt
A description of how your system is running now

Deacon10

"Hindsight explains the injury that foresight would have prevented"
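As an added example (not code from this thread, from HijackThis, or from the helper), a small Python triage script that walks HijackThis log lines in the format posted above and flags the same kinds of entries the helper singled out: O23 services with "Unknown owner", entries marked "(file missing)", O10 Winsock LSP entries, and paths or URLs on an analyst watchlist. The sample lines and the watchlist are constructed from this thread; the regexes assume the standard HijackThis line layouts shown in the log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few HijackThis lines copied from the log posted in this
# thread (not a complete log), used as offline input for the triage below.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
"""

# Lower-case path/URL fragments the helper in this thread asked to remove.
# Constructed for this example; in practice the analyst maintains the list.
WATCHLIST = ("mywebs~1", "mywebsearch", "mysearch.myway.com", "freezescreensaver")

# O23 lines read "O23 - Service: <display name> - <vendor> - <image path>".
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 lines read "O4 - <hive>\..\Run: [<value name>] <command line>".
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    section: str  # HijackThis section prefix, e.g. "O23"
    reason: str
    line: str


def parse_o4(line: str) -> dict[str, str] | None:
    """Split an O4 autorun entry into hive, key, value name and command line."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> list[Finding]:
    """Walk HijackThis log lines and return the entries that deserve a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        low = line.lower()
        # Any section: HijackThis marks entries whose target binary is gone.
        # Those are orphans left behind by a partial uninstall or cleanup.
        if "(file missing)" in low:
            findings.append(Finding(section, "orphaned entry, target file missing", line))
        # Any section: path or URL contains a watchlist fragment.
        hits = [w for w in WATCHLIST if w in low]
        if hits:
            findings.append(Finding(section, "matches watchlist: " + ", ".join(hits), line))
        # O23: a service with no vendor string is what the helper flagged as adware.
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(Finding(section, f"service {m.group('display')!r} has no vendor", line))
        # O10: Winsock LSP entries must be identified, not blindly deleted.
        if section == "O10":
            findings.append(Finding(section, "Winsock LSP entry; identify the DLL first", line))
    return findings


def flagged_lines(log_text: str) -> list[str]:
    """Distinct log lines that produced at least one finding, in log order."""
    seen: list[str] = []
    for f in triage(log_text):
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample above the Windows Defender and Lavasoft entries pass clean, while the MyWebSearch, FreezeScreenSaver, LSP and myway.com lines are each flagged with the reason the helper gave for them.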

#7 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:01:05 AM

Posted 27 June 2008 - 10:53 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
