Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help! I Think Ive Got The Vundo Infection Poss. Something Else Just So Confused...


  • This topic is locked This topic is locked
9 replies to this topic

#1 huggin

huggin

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina
  • Local time:10:37 PM

Posted 20 August 2008 - 03:22 PM

I Have been going crazy for the past two weeks trying to figure out what in the world is going on with my comp. It is really slow and I keep having to shut it down after it gets stuck on a page that want close. I have downloaded the Vundo Removal tool from Symtanec and I have ran it twice it says it has removed it but I still have major probs please help! this is my first time using these forums so I hope Im doing this right if not please look over me :thumbsup: so here is my hijack this log hope that someone can help Thanks!!





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:57 PM, on 8/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\RunOnce: [ypagerps] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} -
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1201265366093
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} -
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201241042937
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://207.5.168.68/activex/AMC.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08EA6273-FE12-41AB-A1EC-6D1281ADDD29}: NameServer = 208.104.244.45 208.104.2.36
O17 - HKLM\System\CS1\Services\Tcpip\..\{08EA6273-FE12-41AB-A1EC-6D1281ADDD29}: NameServer = 208.104.244.45 208.104.2.36
O17 - HKLM\System\CS3\Services\Tcpip\..\{08EA6273-FE12-41AB-A1EC-6D1281ADDD29}: NameServer = 208.104.244.45 208.104.2.36
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10115 bytes

BC AdBot (Login to Remove)

 


#2 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:37 PM

Posted 20 August 2008 - 05:26 PM

Hi huggin, welcome to BC.

Before we get into the fixes, please disable Spybot's TeaTimer, as it may interfere with the process.
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]
Now, download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Next, please download Malwarebytes' Anti-Malware and save it to your Desktop.
Alternate download location
Alternate download location

Double-click mbam-setup.exe to install the application.
  • Make sure a check mark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Please post that log in your next reply.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.



Then, please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next response, please be sure to include the logs from MBAM and Kaspersky along with a new HijackThis log.

#3 huggin

huggin
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina
  • Local time:10:37 PM

Posted 20 August 2008 - 08:16 PM

Ok here are the MBAM Log, Kaspersky Report and A New HiJack This report... Thanks 4 your help :thumbsup:



Malwarebytes' Anti-Malware 1.25
Database version: 1073
Windows 5.1.2600 Service Pack 3

6:48:40 PM 8/20/2008
mbam-log-08-20-2008 (18-48-40).txt

Scan type: Quick Scan
Objects scanned: 42199
Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
______________________________________________________________________________________________




KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 20, 2008 23:42:08
Records in database: 1116095


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 42461
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:01:36

File name Threat name Threats count
C:\Documents and Settings\TINA\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.

__________________________________________________________________________________________________




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:47 PM, on 8/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\RunOnce: [ypagerps] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} -
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1201265366093
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} -
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201241042937
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://207.5.168.68/activex/AMC.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08EA6273-FE12-41AB-A1EC-6D1281ADDD29}: NameServer = 208.104.244.45 208.104.2.36
O17 - HKLM\System\CS1\Services\Tcpip\..\{08EA6273-FE12-41AB-A1EC-6D1281ADDD29}: NameServer = 208.104.244.45 208.104.2.36
O17 - HKLM\System\CS3\Services\Tcpip\..\{08EA6273-FE12-41AB-A1EC-6D1281ADDD29}: NameServer = 208.104.244.45 208.104.2.36
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10151 bytes

#4 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:37 PM

Posted 21 August 2008 - 12:16 PM

Hi again, let's rule out rootkits.

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe.
  • Exit Blacklight and post the contents of the log in your next reply.
Note: If Blacklight does not work, rename fsbl.exe to zsbl.exe and try running it again.


Next, please download and unzip Rootkit Revealer to your desktop.

Note: Before performing a scan it is recommended to do the following to ensure the best results for a simpler and clearer log file to analyze:
1) Disconnect from or physically unplug the cable from the PC to the Internet connection.
2) Close down All Scheduling/Updating + Running Background tasks, etc.
3) Disable/turn off any program that might activate during the scan such as screensaver, anti-virus, anti-spyware. Programs that activate during the scan may cause RKR to display inaccurate/misleading log results.
4) Then after starting the scan, DO NOT not use the computer until the scan has completed.
5) When the scan has finished, save the log file and re-enable those programs you closed down, or reboot and then you can reconnect to the Internet.

Now launch rootkit revealer on the system and press the Scan button.
Please post the log here in this thread using Add Reply
(please double check that it has all been posted as it may be too long for one post)


Please be sure to include the logs from both Blacklight and RootikitRevealer.

#5 huggin

huggin
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina
  • Local time:10:37 PM

Posted 21 August 2008 - 04:13 PM

ok here they both r, again thanks :-)



08/21/08 16:06:16 [Info]: BlackLight Engine 1.0.70 initialized
08/21/08 16:06:16 [Info]: OS: 5.1 build 2600 (Service Pack 3)
08/21/08 16:06:16 [Note]: 7019 4
08/21/08 16:06:16 [Note]: 7005 0
08/21/08 16:06:23 [Note]: 7006 0
08/21/08 16:06:23 [Note]: 7011 1736
08/21/08 16:06:23 [Note]: 7035 0
08/21/08 16:06:23 [Note]: 7026 0
08/21/08 16:06:23 [Note]: 7026 0
08/21/08 16:06:30 [Note]: FSRAW library version 1.7.1024
08/21/08 16:12:17 [Note]: 7007 0


______________________________________________________________________________________________





HKLM\SECURITY\Policy\Secrets\SAC* 1/25/2008 1:33 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 1/25/2008 1:33 AM 0 bytes Key name contains embedded nulls (*)





____________________________________________________________________________________________________

#6 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:37 PM

Posted 22 August 2008 - 09:23 AM

Hi again, let's do this.

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Please include the report (located at C:\ComboFix.txt) in your next response.

#7 huggin

huggin
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina
  • Local time:10:37 PM

Posted 23 August 2008 - 07:59 PM

ok Im Back... I ran ComboFix and here is the log....



ComboFix 08-08-23.01 - TINA 2008-08-23 20:51:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.139 [GMT -4:00]
Running from: C:\Documents and Settings\TINA\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\TINA\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\TINA\Application Data\macromedia\Flash Player\#SharedObjects\94MKSPXG\interclick.com
C:\Documents and Settings\TINA\Application Data\macromedia\Flash Player\#SharedObjects\94MKSPXG\interclick.com\ud.sol
C:\Documents and Settings\TINA\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\TINA\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\TINA\Cookies\tina@atd.agencytradingdesk[1].txt
C:\Documents and Settings\TINA\Cookies\tina@social.bidsystem[1].txt

.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-23 20:28 . 2008-08-23 20:28 1,917 --a------ C:\WINDOWS\imsins.BAK
2008-08-21 16:12 . 2008-08-21 16:13 1,018,520 --a------ C:\zsbl.exe
2008-08-21 16:05 . 2008-08-21 16:05 1,018,520 --a------ C:\fsbl.exe
2008-08-21 07:34 . 2008-08-21 07:34 <DIR> d-------- C:\Program Files\Yahoo! Games
2008-08-20 10:34 . 2008-08-20 10:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-17 01:45 . 2008-08-17 01:45 <DIR> d-------- C:\VundoFix Backups
2008-08-16 18:24 . 2008-08-20 16:29 <DIR> d-------- C:\Program Files\MySpace Games
2008-08-13 09:43 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-13 09:42 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-05 16:27 . 2008-08-05 16:27 <DIR> d-------- C:\Documents and Settings\TINA\Application Data\Malwarebytes
2008-08-05 16:26 . 2008-08-20 18:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-05 16:26 . 2008-08-05 16:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 16:26 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-05 16:26 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-03 10:46 . 2008-08-03 10:46 <DIR> d-------- C:\Documents and Settings\TINA\Application Data\Windows Search
2008-08-02 21:47 . 2008-08-02 21:47 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-08-02 00:15 . 2008-08-02 00:15 2,236 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-02 00:14 . 2008-08-02 00:01 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-02 00:14 . 2008-08-02 00:01 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-02 00:14 . 2008-08-02 00:01 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-02 00:14 . 2008-08-02 00:01 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-02 00:14 . 2008-08-02 00:01 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-02 00:14 . 2008-08-02 00:01 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-02 00:08 . 2008-08-02 00:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-01 21:49 . 2008-08-01 22:06 <DIR> d-------- C:\Program Files\Wise Disk Cleaner
2008-08-01 21:47 . 2008-08-03 17:27 <DIR> d-------- C:\Program Files\Raxco
2008-08-01 21:43 . 2008-08-01 21:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2008-08-01 21:42 . 2008-08-20 10:24 <DIR> d-------- C:\Program Files\Wise Registry Cleaner 3
2008-07-31 23:26 . 2008-07-31 23:26 <DIR> d-------- C:\Documents and Settings\TINA\Application Data\Windows Desktop Search
2008-07-31 23:24 . 2008-07-31 23:24 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-07-31 23:24 . 2008-07-31 23:24 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-07-31 23:22 . 2008-03-07 13:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-07-31 23:22 . 2008-03-07 13:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-07-31 23:22 . 2008-03-07 13:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-07-27 22:00 . 2008-07-28 05:32 13 --a------ C:\WINDOWS\popcinfo.dat
2008-07-27 21:30 . 2008-07-27 21:30 <DIR> d-------- C:\Program Files\TryMedia
2008-07-25 21:11 . 2008-08-23 16:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-25 21:11 . 2008-07-25 21:11 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-22 19:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-22 19:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-21 12:54 --------- d-----w C:\Documents and Settings\TINA\Application Data\Gamelab
2008-08-21 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 08:28 --------- d-----w C:\Documents and Settings\TINA\Application Data\Yahoo!
2008-08-20 15:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-20 14:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-20 14:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-20 14:18 --------- d-----w C:\Program Files\Yahoo!
2008-08-18 20:51 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-16 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2008-08-04 04:31 --------- d-----w C:\Program Files\MySpace
2008-07-28 01:21 --------- d-----w C:\Documents and Settings\TINA\Application Data\GameHouse
2008-07-28 01:14 --------- d-----w C:\Program Files\Common Files\Oberon Media
2008-07-21 17:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Shockwave
2008-07-21 17:02 --------- d-----w C:\Program Files\Java
2008-07-21 08:38 --------- d-----w C:\Program Files\Imikimi
2008-07-20 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-15 17:34 --------- d-----w C:\Program Files\Universal
2008-07-12 17:03 --------- d-----w C:\Documents and Settings\TINA\Application Data\PlayFirst
2008-07-12 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-12 02:51 --------- d-----w C:\Program Files\DivX
2008-07-11 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Oberon Games
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 16:36 --------- d-----w C:\Documents and Settings\TINA\Application Data\Move Networks
2008-07-07 04:22 --------- d-----w C:\Program Files\Axis Communications
2008-07-03 17:53 --------- d-----w C:\Documents and Settings\TINA\Application Data\SBTT
2008-07-03 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
2008-06-30 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
2008-06-29 17:50 --------- d-----w C:\Documents and Settings\TINA\Application Data\Fever Frenzy
2008-06-26 09:38 --------- d-----w C:\Documents and Settings\TINA\Application Data\Gogii Games
2008-06-26 09:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gogii Games
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-27 02:21 1,582,592 ------w C:\WINDOWS\system32\tquery.dll
2008-05-27 02:21 1,418,240 ------w C:\WINDOWS\system32\mssrch.dll
2008-05-27 02:19 97,792 ------w C:\WINDOWS\system32\UncCplExt.dll
2008-05-27 02:19 273,408 ------w C:\WINDOWS\system32\oeph.dll
2008-05-27 02:19 2,048 ------w C:\WINDOWS\system32\UncRes.dll
2008-05-27 02:19 143,872 ------w C:\WINDOWS\system32\UncDMS.dll
2008-05-27 02:19 131,072 ------w C:\WINDOWS\system32\UncPH.dll
2008-05-27 02:19 11,264 ------w C:\WINDOWS\system32\oephRes.dll
2008-05-27 02:19 108,032 ------w C:\WINDOWS\system32\UncNE.dll
2008-05-27 02:18 71,680 ------w C:\WINDOWS\system32\propdefs.dll
2008-05-27 02:18 56,320 ------w C:\WINDOWS\system32\xmlfilter.dll
2008-05-27 02:18 44,032 ------w C:\WINDOWS\system32\msstrc.dll
2008-05-27 02:18 439,808 ------w C:\WINDOWS\system32\searchindexer.exe
2008-05-27 02:18 38,400 ------w C:\WINDOWS\system32\rtffilt.dll
2008-05-27 02:18 350,208 ------w C:\WINDOWS\system32\mssph.dll
2008-05-27 02:18 231,936 ------w C:\WINDOWS\system32\msshsq.dll
2008-05-27 02:18 203,776 ------w C:\WINDOWS\system32\mssphtb.dll
2008-05-27 02:18 184,832 ------w C:\WINDOWS\system32\searchprotocolhost.exe
2008-05-27 02:17 87,552 ------w C:\WINDOWS\system32\searchfilterhost.exe
2008-05-27 02:17 87,552 ------w C:\WINDOWS\system32\mssitlb.dll
2008-05-27 02:17 754,176 ------w C:\WINDOWS\system32\propsys.dll
2008-05-27 02:17 60,416 ------w C:\WINDOWS\system32\msscntrs.dll
2008-05-27 02:17 34,816 ------w C:\WINDOWS\system32\msscb.dll
2008-05-27 02:17 32,768 ------w C:\WINDOWS\system32\mssprxy.dll
2008-05-27 02:17 301,568 ------w C:\WINDOWS\system32\srchadmin.dll
2008-05-27 02:17 11,776 ------w C:\WINDOWS\system32\msshooks.dll
2008-05-27 01:59 18,904 ------w C:\WINDOWS\system32\structuredqueryschematrivial.bin
2008-05-27 01:59 106,605 ------w C:\WINDOWS\system32\structuredqueryschema.bin
2008-03-14 19:35 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-02-28 12:11 0 -c--a-w C:\Program Files\temp01
2008-05-11 03:59 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051120080512\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 10:38 78008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"S3Trayp"="S3trayp.exe" [2007-09-30 07:50 200704 C:\WINDOWS\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-30 19:42 16858624 C:\WINDOWS\RTHDCPL.exe]
"VTTimer"="VTTimer.exe" [2006-09-21 09:36 53248 C:\WINDOWS\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 02:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 02:06:58 28672]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 22:19:14 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 22:19 304128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 21:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 18:39]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 10:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2008-04-17 05:57]
S3 WEBNTACCESS;WEBNTACCESS;C:\WINDOWS\system32\NTACCESS.SYS [2006-05-18 14:14]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-03-22 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1201302737.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 01:52]

2008-08-23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1203971895.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 01:52]

2008-08-22 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2007-09-18 23:42]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\TINA\Application Data\Mozilla\Firefox\Profiles\rnhw4oa0.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-amo&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 20:53:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 20:54:35
ComboFix-quarantined-files.txt 2008-08-24 00:54:24

Pre-Run: 68,288,094,208 bytes free
Post-Run: 68,346,519,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

224 --- E O F --- 2008-08-18 20:51:37

#8 huggin

huggin
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina
  • Local time:10:37 PM

Posted 24 August 2008 - 09:30 PM

Also I have started to notice that I am getting ALOT of About: Blank Page pop ups????

#9 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:37 PM

Posted 24 August 2008 - 11:54 PM

Let's try this scan and see what it shows.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#10 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:37 AM

Posted 01 September 2008 - 05:15 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please send me a PM and I will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users