
Infected With I Don't Know What!


6 replies to this topic

#1 tobygirl

tobygirl

  • Members
  • 63 posts
  • OFFLINE
  • Local time:02:03 PM

Posted 30 September 2008 - 02:22 PM

I did all the prep. to post my hijack list log. I know I had a tinyproxy but I think I removed that but can't be certain. I think there is something else going on too. It all started when I downloaded something from Facebook: "flash_update(2).exe." It came in a message that looked like it was from one of my friends, so I opened it. Then all went crazy. To let you know... I know next to nothing about computers, so I will need a detailed list on how to fix this. Here is my hijack list post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:31 AM, on 9/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robin\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213740249389
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5621 bytes


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:09:03 PM

Posted 30 September 2008 - 03:45 PM

Hi

Your hijackthis log is clean :thumbsup:

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 tobygirl

tobygirl
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:02:03 PM

Posted 30 September 2008 - 05:47 PM

Here's my mbam-log as requested. I'm going to restart my comp. and go to the next step and then post that as you requested.... Thanks!

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 3

9/30/2008 3:39:24 PM
mbam-log-2008-09-30 (15-39-24).txt

Scan type: Quick Scan
Objects scanned: 42677
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Robin\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\Application Data\AdwareAlert\Quarantine (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\Application Data\AdwareAlert\Quarantine\27-09-2008-15-55-53 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\Application Data\AdwareAlert\Quarantine\27-09-2008-15-55-53 (Rogue.AdwareAlert) -> Files: 391 -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\Application Data\AdwareAlert\Quarantine\27-09-2008-15-55-53\195.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\fmark2.dat (Malware.Trace) -> Quarantined and deleted successfully.

#4 tobygirl

tobygirl
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:02:03 PM

Posted 30 September 2008 - 06:55 PM

Here is the ComboFix report. Thanks for your help. If all is well, do I still need all these different downloads on my computer? I now have Lavasoft, Spybot, Stinger and ComboFix. I'm also running Windows Live OneCare and ZoneAlarm. I guess what my question is, which should I keep and which should I get rid of?

ComboFix 08-09-30.03 - Robin 2008-09-30 16:24:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.625 [GMT -7:00]
Running from: C:\Documents and Settings\Robin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV


((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.

2008-09-30 15:26 . 2008-09-30 15:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-30 15:26 . 2008-09-30 15:26 <DIR> d-------- C:\Documents and Settings\Robin\Application Data\Malwarebytes
2008-09-30 15:26 . 2008-09-30 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-30 15:26 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-30 15:26 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-30 05:02 . 2008-09-30 16:31 274,464 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-30 05:02 . 2008-09-30 16:28 4,244 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-30 04:58 . 2008-09-30 04:58 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-09-30 04:57 . 2008-09-30 04:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-30 04:57 . 2008-09-30 04:59 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-09-30 04:56 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-09-30 04:56 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-09-30 04:54 . 2008-09-30 04:54 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-28 16:15 . 2008-09-28 16:15 366 --a------ C:\WINDOWS\wininit.ini
2008-09-28 15:40 . 2008-09-28 15:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-28 15:40 . 2008-09-28 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 13:41 . 2008-09-28 13:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-27 16:28 . 2008-09-29 18:13 <DIR> d-------- C:\Documents and Settings\Robin\.housecall6.6
2008-09-27 11:21 . 2008-09-27 11:21 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-09-27 10:57 . 2008-09-27 10:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-27 10:13 . 2008-09-27 10:19 107 --a------ C:\Documents and Settings\Robin\Application Data\netstat.bat
2008-09-26 20:29 . 2008-09-26 20:29 <DIR> d-------- C:\Documents and Settings\Robin\Application Data\Sunbelt
2008-09-26 20:29 . 2008-09-26 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt
2008-09-26 20:27 . 2008-09-26 20:27 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-09-26 10:54 . 2008-09-26 10:54 244 --ah----- C:\sqmnoopt19.sqm
2008-09-26 10:54 . 2008-09-26 10:54 232 --ah----- C:\sqmdata19.sqm
2008-09-26 10:53 . 2008-09-26 10:53 244 --ah----- C:\sqmnoopt18.sqm
2008-09-26 10:53 . 2008-09-26 10:53 232 --ah----- C:\sqmdata18.sqm
2008-09-26 10:52 . 2008-09-26 10:52 244 --ah----- C:\sqmnoopt17.sqm
2008-09-26 10:52 . 2008-09-26 10:52 232 --ah----- C:\sqmdata17.sqm
2008-09-26 10:22 . 2008-09-26 10:23 <DIR> d-------- C:\WINDOWS\LMIA5.tmp
2008-09-26 10:16 . 2008-09-27 15:27 <DIR> d-------- C:\Documents and Settings\Robin\Application Data\MSN6
2008-09-26 10:16 . 2008-09-26 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-09-26 09:48 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2008-09-26 09:47 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-09-26 09:47 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-09-26 09:45 . 2008-09-30 14:36 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-09-26 08:55 . 2008-09-26 08:55 3,515 --a------ C:\WINDOWS\VRQCleanup.ini
2008-09-26 08:55 . 2008-09-26 08:55 230 --a------ C:\vrqtoolSREnable.reg
2008-09-26 08:41 . 2008-09-26 08:41 268 --ah----- C:\sqmdata16.sqm
2008-09-26 08:41 . 2008-09-26 08:41 244 --ah----- C:\sqmnoopt16.sqm
2008-09-26 06:46 . 2008-09-26 06:46 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-09-26 06:46 . 2008-09-26 06:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-26 06:10 . 2008-09-26 06:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-26 05:36 . 2008-09-26 05:36 268 --ah----- C:\sqmdata15.sqm
2008-09-26 05:36 . 2008-09-26 05:36 244 --ah----- C:\sqmnoopt15.sqm
2008-09-26 05:33 . 2008-09-26 05:33 268 --ah----- C:\sqmdata14.sqm
2008-09-26 05:33 . 2008-09-26 05:33 244 --ah----- C:\sqmnoopt14.sqm
2008-09-22 21:36 . 2008-09-22 21:36 64,601 --a------ C:\glowingshotglasses.png
2008-09-19 19:44 . 2008-09-19 19:44 <DIR> d-------- C:\Program Files\Disney
2008-09-19 16:07 . 2008-09-19 16:07 <DIR> d-------- C:\Program Files\MSECache
2008-09-15 21:32 . 2008-09-15 21:32 268 --ah----- C:\sqmdata13.sqm
2008-09-15 21:32 . 2008-09-15 21:32 244 --ah----- C:\sqmnoopt13.sqm
2008-09-15 11:46 . 2008-09-15 11:46 26,474 --a------ C:\ada.jpg
2008-09-15 00:01 . 2008-09-15 00:01 36,514 --a------ C:\heresmystory.jpg
2008-09-13 20:26 . 2008-09-13 20:26 34,917 --a------ C:\mojo5.jpg
2008-09-13 20:25 . 2008-09-13 20:25 40,717 --a------ C:\mojo3.jpg
2008-09-13 20:25 . 2008-09-13 20:25 28,650 --a------ C:\mojo4.jpg
2008-09-13 20:24 . 2008-09-13 20:24 49,884 --a------ C:\mojo 2.jpg
2008-09-13 20:23 . 2008-09-13 20:23 33,951 --a------ C:\mojo.jpg
2008-09-12 19:52 . 2008-09-12 19:52 294,242 --a------ C:\evnt5095_122124546048.JPG
2008-09-12 19:52 . 2008-09-12 19:52 249,628 --a------ C:\evnt5095_122124545644.JPG
2008-09-12 19:52 . 2008-09-12 19:52 147,477 --a------ C:\evnt5095_122124544634.JPG
2008-09-12 10:55 . 2008-09-12 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-09-11 15:13 . 2008-09-11 15:13 94,314 --a------ C:\wastedspace1-1-1.jpg
2008-09-11 15:06 . 2008-09-11 15:06 170,148 --a------ C:\wasted00 071.JPG
2008-09-11 15:06 . 2008-09-11 15:06 157,621 --a------ C:\wasted00 073.JPG
2008-09-11 15:04 . 2008-09-11 15:04 163,992 --a------ C:\wasted00 089.JPG
2008-09-11 15:03 . 2008-09-11 15:03 527 --a------ C:\module_thumbnails-div.results-ul-li-image-only.png
2008-09-11 14:50 . 2008-09-11 14:50 527 --a------ C:\wasted6.png
2008-09-11 14:49 . 2008-09-11 14:49 527 --a------ C:\wasted4.png
2008-09-11 14:49 . 2008-09-11 14:49 527 --a------ C:\wasted3.png
2008-09-11 14:49 . 2008-09-11 14:49 527 --a------ C:\wasted 2.png
2008-09-11 14:47 . 2008-09-11 14:47 527 --a------ C:\wasted space1.png
2008-09-11 13:47 . 2008-09-11 13:47 80,184 --a------ C:\wastedspace1.jpg
2008-09-11 04:53 . 2008-09-11 04:53 268 --ah----- C:\sqmdata12.sqm
2008-09-11 04:53 . 2008-09-11 04:53 244 --ah----- C:\sqmnoopt12.sqm
2008-09-10 15:07 . 2008-09-10 15:07 268 --ah----- C:\sqmdata11.sqm
2008-09-10 15:07 . 2008-09-10 15:07 244 --ah----- C:\sqmnoopt11.sqm
2008-09-09 22:51 . 2008-09-09 22:51 268 --ah----- C:\sqmdata10.sqm
2008-09-09 22:51 . 2008-09-09 22:51 244 --ah----- C:\sqmnoopt10.sqm
2008-09-09 17:50 . 2008-09-09 17:50 28,419 --a------ C:\hb.jpg
2008-09-08 18:34 . 2008-09-08 18:34 268 --ah----- C:\sqmdata09.sqm
2008-09-08 18:34 . 2008-09-08 18:34 244 --ah----- C:\sqmnoopt09.sqm
2008-09-08 15:44 . 2008-09-08 15:44 268 --ah----- C:\sqmdata08.sqm
2008-09-08 15:44 . 2008-09-08 15:44 244 --ah----- C:\sqmnoopt08.sqm
2008-09-06 12:39 . 2008-09-06 12:39 268 --ah----- C:\sqmdata07.sqm
2008-09-06 12:39 . 2008-09-06 12:39 244 --ah----- C:\sqmnoopt07.sqm
2008-09-06 03:45 . 2008-09-06 03:45 268 --ah----- C:\sqmdata06.sqm
2008-09-06 03:45 . 2008-09-06 03:45 244 --ah----- C:\sqmnoopt06.sqm
2008-09-02 13:15 . 2008-09-02 13:15 268 --ah----- C:\sqmdata05.sqm
2008-09-02 13:15 . 2008-09-02 13:15 244 --ah----- C:\sqmnoopt05.sqm
2008-09-02 10:24 . 2008-09-09 21:13 <DIR> d-------- C:\Documents and Settings\Robin\Application Data\IMVU
2008-09-02 10:23 . 2008-09-02 10:36 <DIR> d-------- C:\Documents and Settings\Robin\Application Data\IMVUClient
2008-08-29 16:21 . 2008-08-29 16:21 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-29 16:20 . 2008-08-29 16:20 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-25 23:55 . 2008-08-25 23:55 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-25 15:58 . 2008-08-25 15:58 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-08-23 10:04 . 2008-08-23 10:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-23 10:04 . 2008-08-23 10:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-23 10:04 . 2008-08-23 10:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-22 20:32 . 2008-04-13 17:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-08-20 13:03 . 2008-08-20 13:05 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-08-20 13:03 . 2008-09-15 15:41 24 --a------ C:\Documents and Settings\Robin\jagex_runescape_preferences.dat
2008-08-16 11:10 . 2008-08-16 11:10 268 --ah----- C:\sqmdata04.sqm
2008-08-16 11:10 . 2008-08-16 11:10 244 --ah----- C:\sqmnoopt04.sqm
2008-08-14 16:14 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-14 16:14 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 18:50 . 2008-08-29 16:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-12 18:50 . 2008-08-21 08:31 162,008 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-12 18:41 . 2008-08-14 18:59 <DIR> d-------- C:\Program Files\WarRock
2008-08-12 18:41 . 2008-08-12 18:41 <DIR> d-------- C:\Documents and Settings\Robin\Application Data\InstallShield
2008-08-11 13:01 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-08 15:03 . 2008-08-08 15:03 9,662 --a------ C:\WINDOWS\EPISME00.SWB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-12 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-13 01:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-07 04:20 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-07-30 21:10 --------- d-----w C:\Program Files\Sun
2008-07-30 21:10 --------- d-----w C:\Program Files\Java
2008-07-30 21:09 --------- d-----w C:\Program Files\Common Files\Java
2008-07-28 02:43 --------- d-----w C:\Program Files\OGPlanet
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-18 18:34 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-09 16:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-08-08 67112]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 4891472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Robin^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Robin\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Robin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Robin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Robin^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=C:\Documents and Settings\Robin\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5800F Series]
--a------ 2005-05-09 21:00 98304 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIALA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2003-12-14 09:07 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2003-12-14 09:20 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 01:50 204800 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
--a------ 2004-06-03 01:51 172032 C:\Program Files\Microsoft IntelliType Pro\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-08-08 28200]
S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]
S3 XDva177;XDva177;C:\WINDOWS\system32\XDva177.sys [ ]
S3 XDva186;XDva186;C:\WINDOWS\system32\XDva186.sys [ ]
S3 XDva189;XDva189;C:\WINDOWS\system32\XDva189.sys [ ]
S3 XDva190;XDva190;C:\WINDOWS\system32\XDva190.sys [ ]
S3 XDva195;XDva195;C:\WINDOWS\system32\XDva195.sys [ ]
S4 Secondary Logon (seclogon) ;Secondary Logon (seclogon) ;C:\Program Files\TinyProxy\TinyProxy.exe [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aca2bfa0-423f-11dd-a496-0013d4eb34d2}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Ceedo AutoDetect - C:\DOCUME~1\Robin\LOCALS~1\Temp\AutoDetect.exe
MSConfigStartUp-DW6 - C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-My Web Search Bar - C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Robin\Application Data\Mozilla\Firefox\Profiles\rhe02vzs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.com/
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 16:29:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
.
**************************************************************************
.
Completion time: 2008-09-30 16:34:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-30 23:34:35

Pre-Run: 64,511,733,760 bytes free
Post-Run: 64,448,499,712 bytes free

266 --- E O F --- 2008-09-27 18:21:13
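The HijackThis log in post #1 and the ComboFix service list in post #4 both carry the TinyProxy residue the original poster mentioned: an R1 ProxyServer entry pointing the browser at 127.0.0.1:8181, and an S4 service that borrows the built-in "Secondary Logon (seclogon)" name while its binary lives under C:\Program Files\TinyProxy. The Python below is an added example, not part of this thread or of any tool discussed in it; it parses those two line formats and flags both patterns, with the sample lines copied from the logs above and the list of built-in service names being a constructed minimal set.

```python
import re

# Sample input, copied from the HijackThis log posted in this thread.
HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>",
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
]

# Sample input, copied from the ComboFix service section posted in this thread.
COMBOFIX_SERVICE_LINES = [
    r"R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-08-08 28200]",
    r"S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]",
    r"S4 Secondary Logon (seclogon) ;Secondary Logon (seclogon) ;C:\Program Files\TinyProxy\TinyProxy.exe [ ]",
]

# Hosts that mean "this machine": a browser proxy pointing here is handled by a
# local process, which is how a rogue proxy sits between the user and the web.
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|\[?::1\]?)$", re.IGNORECASE)

# Constructed, deliberately minimal list of built-in Windows service short names
# (assumption for this example; a real check would use the full list for the OS).
BUILTIN_SERVICE_NAMES = {"seclogon", "schedule", "wuauserv", "lanmanserver"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def parse_proxy_servers(lines):
    """Return {scheme: 'host:port'} from HijackThis R1 ProxyServer entries.

    The value is either a single 'host:port' (applies to all schemes) or a
    ';'-separated list of 'scheme=host:port' pairs, as on the line above.
    """
    result = {}
    for line in lines:
        m = re.match(r"R1 - .*ProxyServer = (.+)$", line)
        if not m:
            continue
        for entry in m.group(1).split(";"):
            entry = entry.strip()
            if "=" in entry:
                scheme, hostport = entry.split("=", 1)
            else:
                scheme, hostport = "all", entry
            result[scheme.strip()] = hostport.strip()
    return result


def loopback_proxies(lines):
    """List (scheme, host:port) pairs whose proxy points back at the local machine."""
    found = []
    for scheme, hostport in parse_proxy_servers(lines).items():
        host = hostport.rsplit(":", 1)[0]
        if LOOPBACK.match(host):
            found.append((scheme, hostport))
    return found


def suspicious_services(lines):
    """Flag ComboFix service lines (e.g. 'S4 name;display;path [info]') whose short
    name imitates a built-in Windows service but whose binary sits outside the
    Windows system directories."""
    flagged = []
    for line in lines:
        m = re.match(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[.*\]\s*$", line)
        if not m:
            continue
        start_type, name, _display, path = m.groups()
        # "Secondary Logon (seclogon)" -> short name "seclogon"
        short = re.search(r"\(([^)]+)\)", name)
        short_name = (short.group(1) if short else name).strip().lower()
        in_system_dir = path.strip().lower().startswith(SYSTEM_DIRS)
        if short_name in BUILTIN_SERVICE_NAMES and not in_system_dir:
            flagged.append((start_type, short_name, path.strip()))
    return flagged


if __name__ == "__main__":
    for scheme, hostport in loopback_proxies(HJT_LINES):
        print(f"browser {scheme} proxy points at local machine: {hostport}")
    for start_type, name, path in suspicious_services(COMBOFIX_SERVICE_LINES):
        print(f"service '{name}' ({start_type}) runs from non-system path: {path}")
```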

#5 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:09:03 PM

Posted 01 October 2008 - 04:31 PM

HI

You have a lot of .jpg (pictures) in your C:\ folder; I assume you know what they are?

There is no malware shown :thumbsup:

If you are not having any problems, I'll let you know what to do with the programs you've downloaded ... OK?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#6 tobygirl

tobygirl
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:02:03 PM

Posted 01 October 2008 - 07:09 PM

I know what they are now...LOL. I got rid of them.

Yeah, if you could tell me what's best to run on here as far as a firewall and anti-virus etc., that would be great. You've been a big help!

#7 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:09:03 PM

Posted 02 October 2008 - 11:53 AM

Hi

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Now ... the other programs you mention :-

Lavasoft, spybot, stinger and combofix. I'm also running windows live onecare and Zone Alarm. I guess what my question is which should I keep and which should I get rid of.


Lavasoft (Ad-Aware) is only active when you actually run a scan, so you can keep it, update it & run a scan occasionally if you want to, or remove it.

Spybot I would advise keeping; use the immunisation facility in it, and also make sure the 2 boxes for "resident" are checked ... SDHelper & TeaTimer ... remember to update regularly.

Stinger ... you can remove this ...

ComboFix ... we've uninstalled that ...

Windows Live OneCare includes antivirus and firewall protection ... is this a paid for version or just a free trial ?

If you are using the Windows Live OneCare firewall, then you don't need the ZoneAlarm firewall, you should only be running one or the other, not both...

Before you leave the site ...

Please have a look here at ways to keep your computer safe :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

Happy surfing :thumbsup:

steam

Edited by steamwiz, 02 October 2008 - 11:55 AM.

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
