Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I don't know what is wrong with my computer


  • This topic is locked This topic is locked
34 replies to this topic

#1 shellyj1426

shellyj1426

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 08 December 2008 - 11:30 PM

It all started 3 or 4 days ago when my mcafee warned me it detected a trojan I was online and I imediately got off and ran a scan nothing popped up, but I suddenly had a little sheild in the lower right hand side of my tool bar saying that i had malicious something or another and if I click on it it took me to some website. Well when I got up saturday morning all that would come up when I could get windows to open is wall paper and the task manager if I requested it. But running in normal mode my computer freezes after 5 or 10 minutes and I couldn't run Mcafee or connect to the internet. So today at work I did some research and I am on is safe mode now I ran Spybot and it remove a bunch of stuff but my problem still is the same Wallpaper online so now back in safe mode I have heard abou this hijackthis stuff so here is my log: Please help me if you can.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:10 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: avrlabsWarningBHO Class - {D695B871-8020-4041-A6D2-59F922E1B2E2} - C:\Program Files\avrlabs\avrlabsWarning.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1198413857\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [mcinfo_1207738977] C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\mcinfo_1207738977.exe /insfin
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /install
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [McafWelcome] C:\PROGRA~1\McAfee.com\Agent\mcwelcom.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [MPFService] C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe -i
O4 - HKLM\..\RunOnce: [MSKSrvr.exe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe /regserver
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WarningApp] C:\Program Files\Adware Safebot\WarningApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [avrlabs] "C:\Program Files\avrlabs\avrlabs.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZRxdm429YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: Explorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Hot%20Dish%202/Images/stg_drm.ocx
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgersho...esPlayer_v5.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Cooking%20Academy/Images/armhelper.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: achromatic - {61d70260-527c-44e8-bb23-2243e93808d3} - C:\WINDOWS\system32\gtckad.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0050961228789298) (0050961228789298mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\005096~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14346 bytes

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:51 PM

Posted 09 December 2008 - 07:13 AM

Hello shellyj1426,

Posted Image

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 shellyj1426

shellyj1426
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 09 December 2008 - 08:40 AM

New problem I went to check this forum this morning on my home computer and now it won't boot in safe mode with networking. It starts the process with the white letting on the black screen then freezes up. I tried to log in the normal way and it is still just wall paper and won't connect the internet using task manager the browser comes up but it doesn't connect or open a page. Any advice? I am at work now and can read the forum I will print instructions and try them at home. I am a really novice computer user so please have patience and detailed explanations. I appreciate your help.

Michelle

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:51 PM

Posted 09 December 2008 - 09:04 AM

Hi Michelle,

Do you have access to a pen/flash drive? If so you can transfer these tools to the infected machine and we can see if we can make some headway that way. :thumbsup: Please let me know.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 shellyj1426

shellyj1426
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 09 December 2008 - 09:07 AM

I do have access to a pen drive I will have to take it home with me and add the programs on my friends computer then run them on mine. Where I work I can't download anything on my machine without getting in trouble. How exactly do I do this? With your instruction I will try it tonight and see if I can get anywhere.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:51 PM

Posted 09 December 2008 - 09:35 AM

Hi,

Download the following tools, then copy them to the pen drive. You can do this by right clicking on them and choosing copy, then paste into the pen drive, or by simply dragging and dropping from the desktop to the pen drive.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

If you still don't have access to the internet after running ComboFix, then don't worry about the updates. Just run it.

Those 2 should be enough to get the ball rolling. If you can post after that from the infected computer, then great! If not, put the reports on the pen drive and post them from your friend's computer.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 shellyj1426

shellyj1426
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 09 December 2008 - 09:41 PM

Tea,

I was able to log into safe mode tonight so here is the original scan you asked for, did you still want me to do the other two option that you had said to run on a pen drive?

SmitFraudFix v2.382

Scan done at 21:31:02.48, Tue 12/09/2008
Run from C:\Documents and Settings\Michelle and Adam\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Michelle and Adam


C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp


C:\Documents and Settings\Michelle and Adam\Application Data


Start Menu


C:\DOCUME~1\MICHEL~1\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\WebMediaViewer\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{61d70260-527c-44e8-bb23-2243e93808d3}"="achromatic"

[HKEY_CLASSES_ROOT\CLSID\{61d70260-527c-44e8-bb23-2243e93808d3}\InProcServer32]
@="C:\WINDOWS\system32\gtckad.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{61d70260-527c-44e8-bb23-2243e93808d3}\InProcServer32]
@="C:\WINDOWS\system32\gtckad.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[Winlogon\Userinit]
"System"=""


RK



DNS

Description: Intel® 82566DC Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0F33C02B-8DCC-41CB-A945-810F6F832B10}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0F33C02B-8DCC-41CB-A945-810F6F832B10}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0F33C02B-8DCC-41CB-A945-810F6F832B10}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0F33C02B-8DCC-41CB-A945-810F6F832B10}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


Scanning for wininet.dll infection


End

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:51 PM

Posted 10 December 2008 - 08:01 AM

Hello,

Yes, please do run them. :thumbsup: If they won't run, then please run Option #2 in SmitfraudFix.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 shellyj1426

shellyj1426
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 10 December 2008 - 05:59 PM

Here's the first one: In the begining it added recovery console and did something else before it ran.

ComboFix 08-12-09.03 - Michelle and Adam 2008-12-10 17:44:40.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.788 [GMT -5:00]
Running from: c:\documents and settings\Michelle and Adam\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Michelle and Adam\My Documents\My Documents.url
c:\documents and settings\Michelle and Adam\My Documents\My Music\My Music.url
c:\documents and settings\Michelle and Adam\My Documents\My Pictures\My Pictures.url
c:\documents and settings\Michelle and Adam\My Documents\My Videos\My Video.url
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\webmediaviewer
c:\program files\webmediaviewer\browseu.exe
c:\program files\webmediaviewer\hpmom.exe
c:\program files\webmediaviewer\hpmon.exe
c:\program files\webmediaviewer\hpmun.exe
c:\program files\webmediaviewer\myc.ico
c:\program files\webmediaviewer\myd.ico
c:\program files\webmediaviewer\mym.ico
c:\program files\webmediaviewer\myp.ico
c:\program files\webmediaviewer\myv.ico
c:\program files\webmediaviewer\ot.ico
c:\program files\webmediaviewer\qttask.exe
c:\program files\webmediaviewer\qttaskm.exe
c:\program files\webmediaviewer\qttasku.exe
c:\program files\webmediaviewer\ts.ico
c:\windows\Fonts\acrsec.fon
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-10 17:29 . 2008-12-10 17:29 <DIR> d--hs---- C:\found.002
2008-12-08 22:41 . 2008-12-08 22:41 <DIR> d-------- c:\program files\Trend Micro
2008-12-08 22:05 . 2008-12-08 22:05 1,376 --a------ c:\windows\system32\Status.MPF
2008-12-08 21:50 . 2008-12-08 21:50 61,224 --a------ c:\documents and settings\Michelle and Adam\GoToAssistDownloadHelper.exe
2008-12-08 21:42 . 2008-12-08 22:05 <DIR> d-------- c:\windows\system32\mclsphlr
2008-12-08 21:42 . 2008-12-08 21:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2008-12-08 21:42 . 2005-07-26 13:50 94,208 --a------ c:\windows\system32\mclsp.dll
2008-12-08 21:42 . 2005-07-26 14:47 90,112 --a------ c:\windows\system32\mcrtl32.dll
2008-12-08 21:42 . 2005-08-16 16:18 80,640 --a------ c:\windows\system32\drivers\MpFirewall.sys
2008-12-08 21:42 . 2005-04-20 18:22 32,768 --a------ c:\windows\system32\instlsp.exe
2008-12-08 21:42 . 2008-04-13 19:12 23,040 --a------ c:\windows\system32\psapi.dll
2008-12-08 21:42 . 2005-04-20 18:22 11,264 --a------ c:\windows\system32\sporder.dll
2008-12-08 21:42 . 2005-08-16 16:13 9,216 --a------ c:\windows\system32\MpfApi.dll
2008-12-08 21:41 . 2005-09-19 11:13 349,760 -ra------ c:\windows\system32\mcinsctl.dll
2008-12-08 21:41 . 2005-09-19 11:13 288,320 -ra------ c:\windows\system32\mcgdmgr.dll
2008-12-08 21:41 . 2005-08-10 11:22 114,464 --a------ c:\windows\system32\drivers\naiavf5x.sys
2008-12-08 21:21 . 2008-12-08 21:42 <DIR> d-------- c:\windows\LastGood.Tmp
2008-12-08 21:21 . 2008-12-08 21:21 50,544 --a------ c:\windows\system32\Config.MPF
2008-12-08 20:34 . 2008-12-08 20:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-08 20:34 . 2008-12-08 21:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 21:32 . 2008-12-07 21:32 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-03 19:26 . 2008-12-03 19:26 <DIR> d-------- c:\documents and settings\Michelle and Adam\Application Data\Shape games
2008-12-03 18:45 . 2008-12-03 18:45 <DIR> d-------- c:\program files\Paranormal Agency
2008-12-01 17:10 . 2008-12-01 17:10 <DIR> d-------- c:\program files\PlayFirst
2008-11-30 13:03 . 2008-11-30 13:03 <DIR> d-------- c:\program files\Hot Dish 2
2008-11-28 22:25 . 2008-11-28 22:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\ERS G-Studio
2008-11-23 13:15 . 2008-11-23 13:15 30 --a------ c:\documents and settings\Michelle and Adam\jagex_runescape_preferences.dat
2008-11-23 13:14 . 2008-11-23 13:14 <DIR> d-------- c:\windows\.jagex_cache_32
2008-11-23 08:16 . 2008-11-23 08:16 <DIR> d--hs---- C:\found.001
2008-11-22 14:12 . 2008-11-22 14:12 <DIR> d-------- c:\program files\iTunes
2008-11-22 14:12 . 2008-11-22 14:12 <DIR> d-------- c:\program files\iPod
2008-11-22 14:12 . 2008-11-22 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 14:10 . 2008-11-22 14:10 <DIR> d-------- c:\program files\QuickTime
2008-11-20 06:25 . 2008-11-20 06:25 <DIR> d--hs---- C:\found.000
2008-11-17 21:30 . 2008-11-19 20:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\WildTangent
2008-11-17 17:20 . 2008-11-20 06:17 <DIR> d-------- c:\program files\Top Chef Demo
2008-11-14 16:17 . 2008-11-14 16:17 <DIR> d-------- c:\program files\DNA
2008-11-13 15:45 . 2008-11-13 15:45 10 ---h----- c:\windows\popcinfo.dat
2008-11-13 15:20 . 2008-11-13 15:20 <DIR> d-------- c:\documents and settings\Michelle and Adam\Application Data\SecretIslandEng
2008-11-13 15:01 . 2008-11-13 15:02 <DIR> d-------- c:\program files\The Treasures of Mystery Island
2008-11-12 17:12 . 2008-11-12 17:12 <DIR> d-------- c:\program files\Hidden Mysteries - Buckingham Palace
2008-11-12 16:57 . 2008-11-28 15:49 <DIR> d-------- c:\program files\KinderGarten
2008-11-12 14:52 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 14:52 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 20:08 . 2008-11-10 20:08 <DIR> d-------- c:\documents and settings\Michelle and Adam\Application Data\FirstColony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 22:31 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2008-12-10 22:23 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-12-09 03:06 --------- d-----w c:\program files\McAfee.com
2008-12-09 03:06 --------- d-----w c:\program files\McAfee
2008-12-09 03:06 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-09 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-08 02:32 --------- d-----w c:\program files\Yahoo!
2008-12-08 02:32 --------- d-----w c:\program files\PollyPridePetDetective_at
2008-12-08 02:32 --------- d-----w c:\program files\MSN Messenger
2008-12-06 13:55 --------- d-----w c:\documents and settings\Michelle and Adam\Application Data\Skype
2008-12-06 13:00 --------- d-----w c:\documents and settings\Michelle and Adam\Application Data\skypePM
2008-12-06 05:34 --------- d-----w c:\documents and settings\All Users\Application Data\Sandlot Games
2008-12-06 05:33 --------- d-----w c:\program files\Yahoo! Games
2008-12-05 21:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-03 23:42 --------- d-----w c:\program files\RealArcade
2008-12-01 22:11 --------- d-----w c:\documents and settings\Michelle and Adam\Application Data\PlayFirst
2008-11-29 18:59 --------- d-----w c:\program files\Safari
2008-11-29 15:25 --------- d-----w c:\documents and settings\Michelle and Adam\Application Data\cerasus.media
2008-11-29 12:48 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-28 20:50 --------- d-----w c:\program files\Shockwave.com
2008-11-27 13:29 --------- d-----w c:\documents and settings\Michelle and Adam\Application Data\Move Networks
2008-11-26 22:17 --------- d-----w c:\documents and settings\Michelle and Adam\Application Data\Gogii Games
2008-11-26 22:17 --------- d-----w c:\documents and settings\All Users\Application Data\Gogii Games
2008-11-26 21:16 --------- d-----w c:\documents and settings\Michelle and Adam\Application Data\Valusoft
2008-11-26 21:16 --------- d-----w c:\documents and settings\All Users\Application Data\Valusoft
2008-11-23 16:41 --------- d-----w c:\program files\Oberon Media
2008-11-23 16:41 --------- d-----w c:\program files\Farm Mania
2008-11-23 16:40 --------- d-----w c:\program files\MySpace
2008-11-23 16:39 --------- d-----w c:\documents and settings\All Users\Application Data\iWin Games
2008-11-23 16:38 --------- d-----w c:\program files\Fever Frenzy
2008-11-23 16:38 --------- d-----w c:\program files\Alawar
2008-11-23 13:20 --------- d-----w c:\program files\dl_cats
2008-11-22 19:10 --------- d-----w c:\program files\Common Files\Apple
2008-11-22 15:28 --------- d-----w c:\program files\LimeWire
2008-11-21 00:07 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2008-11-20 11:17 --------- d-----w c:\program files\iWin.com
2008-11-16 18:27 --------- d-----w c:\documents and settings\Michelle and Adam\Application Data\Gamelab
2008-11-14 21:22 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 21:21 --------- d-----w c:\documents and settings\Michelle and Adam\Application Data\MysteryStudio
2008-11-14 20:07 --------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2008-11-14 01:38 --------- d-----w c:\documents and settings\All Users\Application Data\AlawarWrapper
2008-11-05 03:30 --------- d-----w c:\program files\bfgclient
2008-11-03 16:06 --------- d-----w c:\documents and settings\All Users\Application Data\Redrum
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 20:44 --------- d-----w c:\documents and settings\All Users\Application Data\Alawar Stargaze
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 11:34 --------- d-----w c:\documents and settings\All Users\Application Data\FarmFrenzy2
2008-10-10 08:36 --------- d-----w c:\program files\Hells Kitchen
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-04-13 17:51 0 -c--a-w c:\program files\temp01
2007-08-07 20:18 774,144 -c--a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"AOL Fast Start"="c:\progra~1\AOL9~1.1\AOL.EXE" [2007-10-27 50528]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-06-15 307200]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2006-06-14 286720]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-06-27 299008]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-06-07 106496]
"HostManager"="c:\program files\Common Files\AOL\1198413857\ee\AOLSoftware.exe" [2007-05-25 42032]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-25 185896]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 53248]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-07-12 110592]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"MPSExe"="c:\progra~1\mcafee.com\mps\mscifapp.exe" [2005-07-26 294912]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - c:\windows\system32\cmd.exe [2004-08-10 389120]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.ir32"= c:\windows\system32\ir32_32.dll
"vidc.ir31"= c:\windows\system32\ir32_32.dll
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1198413857\\ee\\aolsoftware.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

S2 E41B60881FBF82F0;E41B60881FBF82F0;\??\c:\documents and settings\Michelle and Adam\Desktop\E41B60881FBF82F0\E41B60881FBF82F0 []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-01-02 24652]
S3 DCamUSBSTK017;STK017 Camera;c:\windows\system32\DRIVERS\STK017W2.sys [2003-11-17 99476]
S3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7074460f-0626-11dd-bef7-00038a000015}]
\Shell\AutoRun\command - K:\RCAMemoryMgr.exe
\Shell\Manage your videos\command - K:\RCAMemoryMgr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0d2d2e0-88e7-11dd-bf3d-00038a000015}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-12-05 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (FAMILY-F38148B2-Administrator).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 18:18]

2008-12-05 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (FAMILY-F38148B2-Margie and Ry).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 18:18]

2008-12-09 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (FAMILY-F38148B2-Michelle and Adam).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 18:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WarningApp - c:\program files\Adware Safebot\WarningApp.exe
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-avrlabs - c:\program files\avrlabs\avrlabs.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HKLM-Run-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
HKLM-Run-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
HKLM-Run-CleanUp - c:\progra~1\McAfee.com\Shared\mcappins.exe
HKLM-Run-McRegWiz - c:\progra~1\McAfee.com\Agent\mcregwiz.exe
HKLM-Run-McafWelcome - c:\progra~1\McAfee.com\Agent\mcwelcom.exe
SharedTaskScheduler-{61d70260-527c-44e8-bb23-2243e93808d3} - c:\windows\system32\gtckad.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &Search - ?p=ZRxdm429YYUS
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

c:\windows\Downloaded Program Files\stg_drm.ocx - c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.2\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.3\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.4\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.5\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.6\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.7\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.8\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.9\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.10\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.11\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.12\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.13\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.14\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.15\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.16\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.17\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.18\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.19\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.20\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.21\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.22\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.23\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.24\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.25\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.26\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.27\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.28\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.29\stg_drm.ocx
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Hot%20Dish%202/Images/stg_drm.ocx

c:\windows\Downloaded Program Files\GoBitGamesPlayer.dll - O16 -: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429}
hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
c:\windows\Downloaded Program Files\GoBitGamesPlayer.inf

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Cooking%20Academy/Images/armhelper.ocx
FireFox -: Profile - c:\documents and settings\Michelle and Adam\Application Data\Mozilla\Firefox\Profiles\9ab8hbjx.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 17:46:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\E41B60881FBF82F0]
"ImagePath"="\??\c:\documents and settings\Michelle and Adam\Desktop\E41B60881FBF82F0\E41B60881FBF82F0"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\E41B60881FBF82F0]
"ImagePath"="\??\c:\documents and settings\Michelle and Adam\Desktop\E41B60881FBF82F0\E41B60881FBF82F0"
.
Completion time: 2008-12-10 17:48:14
ComboFix-quarantined-files.txt 2008-12-10 22:47:11

Pre-Run: 212,108,804,096 bytes free
Post-Run: 212,552,138,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

363 --- E O F --- 2008-11-13 08:03:02

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:51 PM

Posted 10 December 2008 - 06:22 PM

Hi there,

Excellent that it ran. :thumbsup: Were you posting from the infected machine? Post the other reports when you're ready. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 shellyj1426

shellyj1426
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 10 December 2008 - 07:01 PM

Yes I am on the infected machine still in safe mode

Here is number 2

Malwarebytes' Anti-Malware 1.31
Database version: 1483
Windows 5.1.2600 Service Pack 3

12/10/2008 6:37:47 PM
mbam-log-2008-12-10 (18-37-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184884
Time elapsed: 33 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 38

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\avrlabswarning.warningbho (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\avrlabswarning.warningbho.1 (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> No action taken.
HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Alert Manager (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer add-on (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Toolbar (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\avrlabs (Rogue.AntiVirusLab) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079537.dll (Adware.MyWeb.FunWeb) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079538.dll (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079539.dll (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079540.scr (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079541.dll (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079543.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079544.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079545.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079546.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079547.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079548.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079549.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079550.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079551.SCR (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079552.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079553.DLL (Adware.MyWeb.FunWeb) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079554.EXE (Adware.MyWeb.FunWeb) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079555.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079556.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079557.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079559.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079560.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079561.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079562.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079564.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079565.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079566.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079567.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079568.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079569.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079570.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079571.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079652.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079653.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079654.EXE (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0079655.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{CBEED116-8DC6-4230-8016-429E9CD22C16}\RP526\A0080645.dll (Adware.MyWebSearch) -> No action taken.
C:\Documents and Settings\Michelle and Adam\Favorites\Run Virus Scan.url (Trojan.Zlob) -> No action taken.

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:51 PM

Posted 10 December 2008 - 07:17 PM

Hi Michelle,

Did you let MBAM clean all those? They say no action taken, so if you didn't before, please do so now. :thumbsup: Have you tried to boot into Normal Mode?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 shellyj1426

shellyj1426
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 10 December 2008 - 07:22 PM

I can't find an option to remove them but I am working on it. after I figure it out I will shut down againand try logging on in normal mode. Thank you for all of your help so far hopefully this works.

#14 shellyj1426

shellyj1426
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 10 December 2008 - 07:53 PM

I guess it didn't save the original log.....or I can't find it so I ran a quick scan and delete what it found. I have attached that report. I tried to log in normal it it takes me to the welcome menu with the list of users and freezes can't click on anything. I am back in safe mode....curious if all the scanners and stuff I have downloaded can stay on here together or will they not work well together. I also noticed that when loggin in to safe mode after I choice safe mode with networking another menu pops up which before it just said log in to xp blah blah now there is another option of loggin into XP recovery.

Malwarebytes' Anti-Malware 1.31
Database version: 1483
Windows 5.1.2600 Service Pack 3

12/10/2008 7:17:26 PM
mbam-log-2008-12-10 (19-17-26).txt

Scan type: Quick Scan
Objects scanned: 62540
Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\avrlabswarning.warningbho (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\avrlabswarning.warningbho.1 (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Alert Manager (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Toolbar (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\avrlabs (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Michelle and Adam\Favorites\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.

#15 shellyj1426

shellyj1426
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 10 December 2008 - 08:33 PM

I noticed after I posted the last long that not everything was on it since I ran a short scan trying to save time so I ran a full scan again and removed the rest of the adware. While I am waiting I will try again to log in in normal mode and see what happens.....talk to you soon.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users