Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected -- MS Juan / MS Track System


  • Please log in to reply
13 replies to this topic

#1 The Original Q

The Original Q

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:21 PM

Posted 01 January 2009 - 08:57 PM

Thank you in advance for your assistance :thumbsup:. My problem is I have a lot of popups when I use the internet.

I'm not sure how I got these 2 infections, but I can't remove them. I have taken the following steps to try to fix:

1) I deleted Internet Explorer and installed Mozilla.
2) I downloaded Malware Bytes and ran it several times (both the quick and full scans). Each time it finds and removes the following but they show back up the next time I run it (sometimes back to back) it finds them again:

Malware.Trace // Registry Key // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan
Trojan.Vundo // Registry Key // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System

3) I have downloaded AVG free and run it but it does not locate or remove the problem.

Then I found this site. I've followed the steps on your site and have run DDS. I am pasting the DDS.txt log here, but the upload function will not allow me to upload the ATTACH.txt log file. I would copy and paste it into this forum, but says to not copy and paste it.


DDS (Version 1.1.0) - NTFSx86
Run by Quentin at 18:08:54.76 on Thu 01/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.606 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Quentin\LOCALS~1\Temp\AutoDetect.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Quentin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.hp.com
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {db7bbe28-3165-1c5a-cab4-c9e55bcc8667}: {7668ccb5-5e9c-4bac-a5c1-561382ebb7bd} - c:\windows\system32\ujdqfv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ceedo AutoDetect] c:\docume~1\quentin\locals~1\temp\AutoDetect.exe /active
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [cdloader] "c:\documents and settings\quentin\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\WhlLSP.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ujdqfv.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\quentin\applic~1\mozilla\firefox\profiles\default.uuf\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\\components\jar50.dll
FF - component: c:\program files\mozilla firefox\\components\qfaservices.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\mozilla firefox\\greprefs\all.js - pref("general.useragent.contentlocale", "chrome://navigator-region/locale/region.properties");
c:\program files\mozilla firefox\\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("accessibility.typeaheadfind.soundURL", "default");
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadInBackground", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.middleclick", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.urlbar", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.windowopen", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.bookmarks", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadGroup", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadOnNewTab", 0);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.windows.loadOnNewWindow", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.HTMLDocument.close.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.HTMLDocument.open.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Location.reload.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.Components", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.block.target_new_window", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.resizable", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.popup_allowed_events", "change click dblclick reset submit");
c:\program files\mozilla firefox\\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-connections", 24);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-connections-per-server", 8);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-server", 2);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-proxy", 4);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.accept.default", "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.dns.ipv4OnlyDomains", ".doubleclick.net");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.standard-url.encode-utf8", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.negotiate-auth.trusted-uris", "https://");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.image.warnAboutImages", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.proxy.autoconfig_url", "");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.p3p", "ffffaaaa");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\\greprefs\all.js - pref("ui.key.generalAccessKey", 18);
c:\program files\mozilla firefox\\greprefs\all.js - pref("bidi.clipboardtextmode", 3);
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.max_script_run_time", 5);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.enable_ssl2", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_128", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_128", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_ede3_192", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_64", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_40", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_40", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_fips_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_rc4_56_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_des_cbc_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc4_40_md5", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc2_40_md5", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_rsa_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_dss_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.default_personal_cert", "Select Automatically");
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_entering_secure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_leaving_secure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_submit_insecure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.OCSP.enabled", 0);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ui.enable", true);
c:\program files\mozilla firefox\\greprefs\xpinstall.js - pref("xpinstall.manual_confirm", true);
c:\program files\mozilla firefox\\greprefs\xpinstall.js - pref("xpinstall.notifications.enabled", true);
c:\program files\mozilla firefox\\greprefs\xpinstall.js - pref("xpinstall.notifications.interval", 1);
c:\program files\mozilla firefox\\greprefs\xpinstall.js - pref("xpinstall.notifications.lastDate", 0);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.skin", "chrome://mozapps/content/extensions/extensions.xul?type=themes");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.chrome", "chrome://mozapps/content/extensions/extensions.xul?type=extensions");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.skin", "Extension:Manager-themes");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.chrome", "Extension:Manager-extensions");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.version", "0.9");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.updatesAvailable", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.updateVersion", "");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.updateDescription", "");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.updateURL", "");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.extensions.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.extensions.wsdl", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.getMoreExtensionsURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.getMoreThemesURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.extensions.autoUpdate", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.interval", 604800000); // every 7 days
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.lastUpdateDate", 0); // UTC offset when last update was performed.
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.extensions.count", 0);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("keyword.URL", "http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&sourceid=firefox&q=");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("general.useragent.contentlocale", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.download.manager.closeWhenDone", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.defaultenginename", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.defaulturl", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.basic.min_ver", "0.0");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.tabs.opentabfor.urlbar", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.autoload", 1); // 0 = Always, 1 = After first use, 2 = Never
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.provider", "http://www-rl.netscape.com/wtgn?");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.disabledForDomains", "");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.goBrowsing.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("dom.disable_open_during_load", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("javascript.options.showInConsole", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("network.protocols.useSystemDefaults", false); // set to true if user links should use system default handlers
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("network.cookie.enableForCurrentSessionOnly", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.throbber.url","chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("alerts.height", 50);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update_notifications.provider.0.datasource", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("signon.SignonFileName", "signons.txt");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("network.protocol-handler.external.news" , true); // for news
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_entering_secure.show_once", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_leaving_secure.show_once", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_submit_insecure.show_once", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-28 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-28 26824]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-28 231704]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\IFXTPM.SYS [2005-10-21 36352]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\seagate\sync\SeaSyncServices.exe" []

=============== Created Last 30 ================

2009-01-01 17:38 114,688 a------- c:\windows\system32\chg.exe
2008-12-28 19:43 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-28 19:35 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-28 19:34 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-28 19:34 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-28 19:34 <DIR> --d----- c:\docume~1\quentin\applic~1\AVGTOOLBAR
2008-12-28 19:34 <DIR> --d----- c:\program files\AVG
2008-12-28 19:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-27 19:32 230 a------- c:\windows\system32\spupdsvc.inf
2008-12-27 19:29 110,717 a------- c:\windows\UninstallFirefox.exe
2008-12-27 19:28 4,502 a------- c:\windows\mozver.dat
2008-12-27 08:45 134,656 a------- c:\windows\system32\ujdqfv.dll
2008-12-27 08:45 134,656 a------- c:\windows\system32\lohicsge.dll
2008-12-27 08:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-27 08:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 08:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 08:37 134,656 a------- c:\windows\system32\hxgiwa.dll
2008-12-27 08:36 134,656 a------- c:\windows\system32\dgdhomdj.dll

==================== Find3M ====================

2008-12-27 10:35 99,957 a--sh--- c:\windows\system32\miyezova.dll
2008-10-24 05:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:38 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-10-16 14:38 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2008-10-16 14:38 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2008-10-16 14:38 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-10-16 14:38 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2008-10-16 14:38 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-06 14:47 155,995 a------- c:\windows\java\packages\E8JRFHNR.ZIP
2008-10-06 14:47 2,232 a------- c:\windows\java\packages\data\573RBD75.DAT
2008-10-06 14:47 2,678 a------- c:\windows\java\packages\data\YF9BFJBZ.DAT
2008-10-06 14:47 2,678 a------- c:\windows\java\packages\data\WJFZHJVR.DAT
2008-10-06 14:47 2,678 a------- c:\windows\java\packages\data\3VBFB7LF.DAT
2008-10-06 14:47 2,678 a------- c:\windows\java\packages\data\3LN7ZDRB.DAT
2008-10-06 14:47 2,678 a------- c:\windows\java\packages\data\KRH3NF1F.DAT
2008-05-21 08:13 56,912 a------- c:\documents and settings\quentin\g2mdlhlpx.exe

============= FINISH: 18:09:36.34 ===============

BC AdBot (Login to Remove)

 


#2 markamus

markamus

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Alabama
  • Local time:02:21 PM

Posted 13 January 2009 - 04:59 PM

The Original Q,

Welcome to Bleeping Computer! You may call me Mark. I will be helping you with your malware problems.

Please read the following before we begin:
  • Please remove any P2P programs you have installed before continuing. Not doing so can cause re-infection and make it much more difficult for us both.
  • HijackThis logs and the other logs we may need require a lot of research, so please be patient with me. I know you want your PC back up and running as quick as possible, and I will do my best to achieve that for you.
  • We will be working on malware issues for this particular machine. This may or may not solve other issues with this machine.
  • The steps must be done in the exact order I give them. If you encounter a step that you do not understand, stop and ask! Don't continue. Also, the same applies if you encounter any errors. Stop there and let me know so I can work out which step needs to be taken next.
  • Please continue to review my answers until I tell you your machine is clear. Absense of symptoms does not mean everything is clear!
If you can do these things, everything should go smoothly. :thumbsup:
_______________________________________________________________________

Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer, please do so immediately.

Thanks,

markamus
Posted Image
Posted Image

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty. - Winston Churchill

#3 The Original Q

The Original Q
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:21 PM

Posted 14 January 2009 - 02:24 AM

Hi,

I don't think I have any P2P software at all (I hope not, anyway -- I don't exactly know what it is).

Here's the log:

Malwarebytes' Anti-Malware 1.32
Database version: 1649
Windows 5.1.2600 Service Pack 2

1/14/2009 1:19:32 AM
mbam-log-2009-01-14 (01-19-32).txt

Scan type: Quick Scan
Objects scanned: 83763
Time elapsed: 17 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ujdqfv.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7668ccb5-5e9c-4bac-a5c1-561382ebb7bd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7668ccb5-5e9c-4bac-a5c1-561382ebb7bd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7668ccb5-5e9c-4bac-a5c1-561382ebb7bd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ujdqfv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dgdhomdj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lohicsge.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxgiwa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#4 markamus

markamus

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Alabama
  • Local time:02:21 PM

Posted 14 January 2009 - 12:45 PM

Very good. Next please post a fresh DDS log for me to review.
Posted Image
Posted Image

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty. - Winston Churchill

#5 The Original Q

The Original Q
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:21 PM

Posted 14 January 2009 - 10:58 PM

DDS (Version 1.1.0) - NTFSx86
Run by Quentin at 21:56:22.06 on Wed 01/14/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.560 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Quentin\LOCALS~1\Temp\AutoDetect.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlCach3.exe
C:\PROGRA~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlClnt3.exe
C:\Program Files\Citrix\ICA Client\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Quentin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.hp.com
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
TB: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ceedo AutoDetect] c:\docume~1\quentin\locals~1\temp\AutoDetect.exe /active
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [cdloader] "c:\documents and settings\quentin\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\WhlLSP.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ujdqfv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\quentin\applic~1\mozilla\firefox\profiles\default.uuf\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\\components\jar50.dll
FF - component: c:\program files\mozilla firefox\\components\qfaservices.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\mozilla firefox\\greprefs\all.js - pref("general.useragent.contentlocale", "chrome://navigator-region/locale/region.properties");
c:\program files\mozilla firefox\\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("accessibility.typeaheadfind.soundURL", "default");
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadInBackground", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.middleclick", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.urlbar", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.windowopen", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.bookmarks", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadGroup", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadOnNewTab", 0);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.windows.loadOnNewWindow", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.HTMLDocument.close.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.HTMLDocument.open.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Location.reload.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.Components", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.block.target_new_window", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.resizable", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.popup_allowed_events", "change click dblclick reset submit");
c:\program files\mozilla firefox\\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-connections", 24);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-connections-per-server", 8);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-server", 2);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-proxy", 4);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.accept.default", "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.dns.ipv4OnlyDomains", ".doubleclick.net");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.standard-url.encode-utf8", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.negotiate-auth.trusted-uris", "https://");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.image.warnAboutImages", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.proxy.autoconfig_url", "");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.p3p", "ffffaaaa");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\\greprefs\all.js - pref("ui.key.generalAccessKey", 18);
c:\program files\mozilla firefox\\greprefs\all.js - pref("bidi.clipboardtextmode", 3);
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.max_script_run_time", 5);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.enable_ssl2", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_128", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_128", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_ede3_192", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_64", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_40", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_40", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_fips_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_rc4_56_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_des_cbc_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc4_40_md5", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc2_40_md5", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_rsa_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_dss_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.default_personal_cert", "Select Automatically");
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_entering_secure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_leaving_secure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_submit_insecure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.OCSP.enabled", 0);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ui.enable", true);
c:\program files\mozilla firefox\\greprefs\xpinstall.js - pref("xpinstall.manual_confirm", true);
c:\program files\mozilla firefox\\greprefs\xpinstall.js - pref("xpinstall.notifications.enabled", true);
c:\program files\mozilla firefox\\greprefs\xpinstall.js - pref("xpinstall.notifications.interval", 1);
c:\program files\mozilla firefox\\greprefs\xpinstall.js - pref("xpinstall.notifications.lastDate", 0);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.skin", "chrome://mozapps/content/extensions/extensions.xul?type=themes");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.chrome", "chrome://mozapps/content/extensions/extensions.xul?type=extensions");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.skin", "Extension:Manager-themes");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.chrome", "Extension:Manager-extensions");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.version", "0.9");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.updatesAvailable", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.updateVersion", "");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.updateDescription", "");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.app.updateURL", "");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.extensions.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.extensions.wsdl", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.getMoreExtensionsURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.getMoreThemesURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.extensions.autoUpdate", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.interval", 604800000); // every 7 days
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.lastUpdateDate", 0); // UTC offset when last update was performed.
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.extensions.count", 0);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("keyword.URL", "http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&sourceid=firefox&q=");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("general.useragent.contentlocale", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.download.manager.closeWhenDone", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.defaultenginename", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.defaulturl", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.basic.min_ver", "0.0");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.tabs.opentabfor.urlbar", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.autoload", 1); // 0 = Always, 1 = After first use, 2 = Never
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.provider", "http://www-rl.netscape.com/wtgn?");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.disabledForDomains", "");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.goBrowsing.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("dom.disable_open_during_load", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("javascript.options.showInConsole", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("network.protocols.useSystemDefaults", false); // set to true if user links should use system default handlers
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("network.cookie.enableForCurrentSessionOnly", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.throbber.url","chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("alerts.height", 50);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update_notifications.provider.0.datasource", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("signon.SignonFileName", "signons.txt");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("network.protocol-handler.external.news" , true); // for news
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_entering_secure.show_once", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_leaving_secure.show_once", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_submit_insecure.show_once", true);

============= SERVICES / DRIVERS ===============

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\IFXTPM.SYS [2005-10-21 36352]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\seagate\sync\SeaSyncServices.exe" []

=============== Created Last 30 ================

2009-01-11 14:24 118,272 a----r-- c:\windows\system32\hpvqclm02.dll
2009-01-02 12:44 <DIR> --d----- C:\bin
2009-01-02 12:41 <DIR> --d----- c:\program files\common files\HP
2009-01-02 12:34 117,118 a------- c:\windows\hpoins11.dat
2009-01-02 08:23 <DIR> --d----- c:\windows\pss
2009-01-02 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-01 15:14 4,003,401 a------- c:\windows\pfirewall.log.old
2008-12-27 19:32 230 a------- c:\windows\system32\spupdsvc.inf
2008-12-27 19:29 110,717 a------- c:\windows\UninstallFirefox.exe
2008-12-27 19:28 4,502 a------- c:\windows\mozver.dat
2008-12-27 08:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-27 08:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 08:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2008-12-27 10:35 99,957 a--sh--- c:\windows\system32\miyezova.dll
2008-10-24 05:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-05-21 08:13 56,912 a------- c:\documents and settings\quentin\g2mdlhlpx.exe

============= FINISH: 21:56:53.93 ===============

#6 markamus

markamus

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Alabama
  • Local time:02:21 PM

Posted 15 January 2009 - 02:17 PM

Download the Killbox.
Unzip it to the desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
c:\windows\system32\miyezova.dll
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

Please download HJT Installer from Here to your desktop.Double click on the HJTInstall.exe.
at the next window Select Install.
It will be installed by default here: C:\Program Files\Trend Micro\HijackThis.
A shortcut to the application will also be placed on your Desktop.
The program will open automatically after installation.
Select "Do a system scan and save logfile"
It will open in Notepad. save it to your Desktop
Open the Hijackthis log you saved to your desktop and copy and paste the results as a reply to this thread.
Use the Hijackthis shortcut to run future scans.
Thanks,

markamus
Posted Image
Posted Image

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty. - Winston Churchill

#7 The Original Q

The Original Q
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:21 PM

Posted 15 January 2009 - 09:49 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:35 PM, on 1/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Quentin\LOCALS~1\Temp\AutoDetect.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: hp548202.ks.cox.net HP0017A4548202
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O3 - Toolbar: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ceedo AutoDetect] C:\DOCUME~1\Quentin\LOCALS~1\Temp\AutoDetect.exe /active
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Quentin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {2D360201-FFF5-11D1-8D03-00A0C959BC0A} (DHTML Edit Control Safe for Scripting for IE5) - https://kmanywhere.kohls.com/whalecom43adfe...om0/DHTMLED.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host-d.oddcast.com/hostClientIE.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://kranywhere.kohls.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O20 - AppInit_DLLs: ujdqfv.dll
O23 - Service: Access Utility Service - Unknown owner - F:\Programs\Sprint Broadband\SMBAUtilSvc.exe (file missing)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)

--
End of file - 9051 bytes

#8 markamus

markamus

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Alabama
  • Local time:02:21 PM

Posted 15 January 2009 - 10:34 PM

Open HJT by navigating to your HijackThis folder and double clicking on HijackThis.exe. Select the second button entitled "Do a system scan only".
Now select the followng entries by placing a tick in the left hand check box


O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com

O20 - AppInit_DLLs: ujdqfv.dll


Once you have selected all entries, close all running programs then click once on the "fix checked" button to clear the entries from your log.
----------------------------------------------------------------------------------------------

Run an online virus scan called Kaspersky from HERE.1. At the main page. Press on "Accept". After reading the contents.
2. At the next window Select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found they will appear in the report
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well

In your next reply, please include the following:
  • The Kaspersky Online scan log
  • A fresh HijackThis log
  • An update on how the PC is running
Thanks,

markamus
Posted Image
Posted Image

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty. - Winston Churchill

#9 The Original Q

The Original Q
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:21 PM

Posted 16 January 2009 - 02:29 AM

My computer seems to be running the right way now, however, Kaspersky found 3 threats. The Kapersky log and the Hijack this log are both pasted below.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 16, 2009 03:27:41
Records in database: 1628921
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 87678
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:07:19


File name / Threat name / Threats count
C:\Documents and Settings\Quentin\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-7b8d2bfd Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Quentin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-4323391f.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Quentin\Local Settings\Temporary Internet Files\Content.IE5\8NYQW5XP\index[2].htm Infected: Trojan-Downloader.JS.Tabletka.a 1

The selected area was scanned.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:32 AM, on 1/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Quentin\LOCALS~1\Temp\AutoDetect.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlCach3.exe
C:\PROGRA~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlClnt3.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: hp548202.ks.cox.net HP0017A4548202
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O3 - Toolbar: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ceedo AutoDetect] C:\DOCUME~1\Quentin\LOCALS~1\Temp\AutoDetect.exe /active
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Quentin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {2D360201-FFF5-11D1-8D03-00A0C959BC0A} (DHTML Edit Control Safe for Scripting for IE5) - https://kmanywhere.kohls.com/whalecom43adfe...om0/DHTMLED.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host-d.oddcast.com/hostClientIE.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://kranywhere.kohls.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O23 - Service: Access Utility Service - Unknown owner - F:\Programs\Sprint Broadband\SMBAUtilSvc.exe (file missing)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)

--
End of file - 9006 bytes

#10 markamus

markamus

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Alabama
  • Local time:02:21 PM

Posted 16 January 2009 - 09:30 AM

Clear your Java cache
  • Close your Internet browser application.
  • Click Start > Control Panel > Java
  • Under General > Temporary Internet Files, click the Settings button. On the next window, press the Delete Files button. The Delete Temporary Files dialog box will appear. Check both options and click Ok.
  • Click Ok on the Java Control Panel.
Note: If you are using Firefox as your internet browser, your PrivateData must also be cleared. After clearing the Java cache, open your Firefox browser then go to Tools > Clear Private Data. Uncheck all items except for Cache, then click the Clear Private Data Now button. Close your browser then restart it again.
-------------------------------------

Please download a free version of CCleaner from here.


To install:
  • Select a language.
  • Click Next.
  • Click I Agree.
  • Select your Destination Folder and click Next. The default is set to C:\Program Files\CCleaner. This is OK to use, unless you would prefer it installed to another permanent folder.
  • Choose your Install Options.
  • Click Install.
  • Click Finish when prompted.

To run:
  • Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Then select the items you wish to clean up. (See note below)
In the Windows Tab:
  • Clean all entries in the "Internet Explorer". If you prefer to keep your cookies, uncheck the Cookies entry. Deleting cookies will require re-entry of user names and passwords on next visit to sites that require users log in.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all (optionally, except cookies) in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
  • Then click the "Run Cleaner" button and it will scan and clean your system.
  • Click exit.
----------------------------------------------------------------------------------------------

Next, please post back with a fresh Kaspersky Online scan.

Thanks,

Mark
Posted Image
Posted Image

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty. - Winston Churchill

#11 The Original Q

The Original Q
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:21 PM

Posted 17 January 2009 - 12:02 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 17, 2009 00:48:09
Records in database: 1633474
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 66470
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:48:07

No malware has been detected. The scan area is clean.

The selected area was scanned.

#12 markamus

markamus

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Alabama
  • Local time:02:21 PM

Posted 19 January 2009 - 10:38 AM

Very good.

In your next reply, please include the following:
  • A fresh HijackThis log
  • An update on how the PC is running
Thanks,

mark
Posted Image
Posted Image

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty. - Winston Churchill

#13 The Original Q

The Original Q
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:21 PM

Posted 21 January 2009 - 12:02 AM

Computer seems to be running fine.

When this is all done, should I keep Hijack this and the other things you had me install?

Can you recommend a good free antivirus program to help prevent this problem in the future?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:45 PM, on 1/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Quentin\LOCALS~1\Temp\AutoDetect.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.usaa.com/inet/ent_logon/Logon
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: hp548202.ks.cox.net HP0017A4548202
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O3 - Toolbar: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ceedo AutoDetect] C:\DOCUME~1\Quentin\LOCALS~1\Temp\AutoDetect.exe /active
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Quentin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {2D360201-FFF5-11D1-8D03-00A0C959BC0A} (DHTML Edit Control Safe for Scripting for IE5) - https://kmanywhere.kohls.com/whalecom43adfe...om0/DHTMLED.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host-d.oddcast.com/hostClientIE.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://kranywhere.kohls.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O23 - Service: Access Utility Service - Unknown owner - F:\Programs\Sprint Broadband\SMBAUtilSvc.exe (file missing)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)

--
End of file - 9002 bytes

#14 markamus

markamus

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Alabama
  • Local time:02:21 PM

Posted 21 January 2009 - 11:51 AM

Hang on to the tools for the time being, we will delete them in closing.

One last thing I would like to check before we are done.

Show your hidden files
To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon (or click Start, then select My Computer)
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files. You will reverse this process when your system is clean.
----------------------------------------------------------------------------------------------

Go to VirusTotal.Press the Browse button to navigate to and select the following file:C:\DOCUMENTS AND SETTINGS\Quentin\LOCAL SETTINGS\Temp\AutoDetect.exe
Press Open to select it.
Press the Send File button on the webpage to submit the file.
When the file is done scanning, copy and paste the results here for me to review.
[/list]Thanks,

Mark
Posted Image
Posted Image

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty. - Winston Churchill




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users