
Zlob infection - need help!


10 replies to this topic

#1 BaTTy55


Posted 25 February 2009 - 11:35 PM

I don't know what happened, but when I searched something on Google it was hijacked and I got the message
"you computer was hijacked by dangerous virus!" (yes, with the mistake). Anyway,
I ran PC Tools Internet Security and it cleared the infection, but I still get the hijack and it still prompts me to
download some rogue antivirus, which I don't download. This is not really a threat because I'm now using Firefox,
but when I try and open up "ANY" folder I get a "WARNING VIRUS DETECTED" error and it says I should buy their software
in the hope that I will fall for their scam. It doesn't matter what I click on the error, I CAN'T VIEW ANY OF MY FOLDERS.

I have sent a pic of the hijack attempt.

DDS crashes and freezes my desktop until I shut off my computer.
All I have is HijackThis; hope that's OK.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:50 PM, on 25/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
C:\Program Files\PC Tools Internet Security\pctsSvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WSFINALACLSERVICE.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\UviMFk.exe
C:\WINDOWS\system32\shortcuttz.exe
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.scansoft.com/GetUpdates.asp?...07FF9DCF0A869AC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.40.26.1:8080
O1 - Hosts: 70.38.73.25 www.downloadinga2.com
O1 - Hosts: 70.38.73.25 downloadinga2.com
O1 - Hosts: 70.38.73.25 secure.extrabilling.com
O1 - Hosts: 70.38.73.25 updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.woodpckr-a2.com
O1 - Hosts: 70.38.73.25 woodpckr-a2.com
O1 - Hosts: 70.38.73.25 www.fastupdateserver.com
O1 - Hosts: 70.38.73.25 fastupdateserver.com
O1 - Hosts: 70.38.73.25 www.antivirusa2.com
O1 - Hosts: 70.38.73.25 antivirusa2.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O2 - BHO: LmIE.BHO - {2D28EBA6-4EC0-45F1-AF6E-A8E174AA7E83} - C:\WINDOWS\system32\gjgsys.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [Sysinfo] C:\windows\Bginfo.exe /i:c:\windows\desktop.bgi /timer:0
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\LinQ\MonitorService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [WordQ carat flag] T:\Program Files\WordQ2\WordQcrs.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UviMFk] C:\WINDOWS\system32\UviMFk.exe
O4 - HKLM\..\Run: [shortcuttz] C:\WINDOWS\system32\shortcuttz.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cognac] T:\Profiles\Taylor\LOCALS~1\Temp\~tmpc.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\WINDOWS\TEMP\3.tmp.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: delrunedll32.vbs (User 'Default user')
O4 - .DEFAULT User Startup: delrusnedll32.vbs (User 'Default user')
O4 - Global Startup: WordQCRS.lnk = T:\Program Files\WordQ2\WordQcrs.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.classroom.yrdsb.edu.on.ca
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150324889609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168367999925
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O17 - HKLM\Software\..\Telephony: DomainName = LEARNING.YRDSB.NET
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\LinQ\MonitorService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
O23 - Service: VC WS CHANGEACL Service (wsfinalaclservice) - cpsi - C:\WINDOWS\system32\WSFINALACLSERVICE.exe
O24 - Desktop Component 0: (no name) - http://i73.photobucket.com/albums/i218/lip...leset_test1.png

--
End of file - 10860 bytes


#2 BaTTy55


Posted 26 February 2009 - 06:00 PM

A while later the computer would not even boot up, System Restore is disabled... and it silently installed VirusHeat.
I rebooted in Safe Mode and ran a scan with PC Tools Internet Security and it found an infected BHO, then deleted it:
"gyidgs.dll". Now my computer is working fine as far as I know. Is there anything else I should worry about? Here's a new
HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:05 PM, on 26/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
C:\Program Files\PC Tools Internet Security\pctsSvc.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WSFINALACLSERVICE.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\UviMFk.exe
C:\WINDOWS\system32\shortcuttz.exe
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\firefox.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.scansoft.com/GetUpdates.asp?...07FF9DCF0A869AC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.40.26.1:8080
O1 - Hosts: 70.38.73.25 www.downloadinga2.com
O1 - Hosts: 70.38.73.25 downloadinga2.com
O1 - Hosts: 70.38.73.25 secure.extrabilling.com
O1 - Hosts: 70.38.73.25 updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.woodpckr-a2.com
O1 - Hosts: 70.38.73.25 woodpckr-a2.com
O1 - Hosts: 70.38.73.25 www.fastupdateserver.com
O1 - Hosts: 70.38.73.25 fastupdateserver.com
O1 - Hosts: 70.38.73.25 www.antivirusa2.com
O1 - Hosts: 70.38.73.25 antivirusa2.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [Sysinfo] C:\windows\Bginfo.exe /i:c:\windows\desktop.bgi /timer:0
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\LinQ\MonitorService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [WordQ carat flag] T:\Program Files\WordQ2\WordQcrs.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UviMFk] C:\WINDOWS\system32\UviMFk.exe
O4 - HKLM\..\Run: [shortcuttz] C:\WINDOWS\system32\shortcuttz.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: delrunedll32.vbs (User 'Default user')
O4 - .DEFAULT User Startup: delrusnedll32.vbs (User 'Default user')
O4 - Global Startup: WordQCRS.lnk = T:\Program Files\WordQ2\WordQcrs.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.classroom.yrdsb.edu.on.ca
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150324889609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168367999925
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O17 - HKLM\Software\..\Telephony: DomainName = LEARNING.YRDSB.NET
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\LinQ\MonitorService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
O23 - Service: VC WS CHANGEACL Service (wsfinalaclservice) - cpsi - C:\WINDOWS\system32\WSFINALACLSERVICE.exe
O24 - Desktop Component 0: (no name) - http://i73.photobucket.com/albums/i218/lip...leset_test1.png

--
End of file - 10230 bytes
Wait, I'm no expert but I can tell when there is something seriously wrong with the log.
What's the "O1 - Hosts" thing? They all look very... "virus like". When I view them on Firefox
I get a fake 404 error... well, it looks like there's still a problem.
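
BaTTy55 asks what the "O1 - Hosts" entries are. As an added illustration (not code from the thread, from HijackThis or from BleepingComputer), the script below parses lines in the HijackThis log format and flags the two patterns visible in the log above: many hostnames pinned to one non-loopback IP in the hosts file (the rogue-AV sites all resolve to 70.38.73.25), and Run entries that launch from a Temp directory. The sample lines are copied from the log except the 127.0.0.1 line, which is constructed; the registered-domain check assumes a simple two-label TLD.

```python
"""Triage for HijackThis-style log lines (O1 Hosts and O4 Run entries).

Added example for this thread, not code from HijackThis or BleepingComputer.
The hosts file is consulted before DNS, so every name pinned to one IP here
resolves to that server no matter what DNS says; rogue-AV infections use this
to steer the browser to their own download and billing sites. Cleanup means
restoring the hosts file, not just deleting the program that wrote it.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: every line except the 127.0.0.1 one is copied from the
# thread's log; the loopback line is made up to show that such pins pass.
SAMPLE_LOG = r"""
O1 - Hosts: 70.38.73.25 www.downloadinga2.com
O1 - Hosts: 70.38.73.25 secure.extrabilling.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 browsersecuritycenter.com
O1 - Hosts: 127.0.0.1 ads.example.net
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Cognac] T:\Profiles\Taylor\LOCALS~1\Temp\~tmpc.exe
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\WINDOWS\TEMP\3.tmp.exe (User 'SYSTEM')
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[([^\]]*)\]\s+(.*)$")
# A "\Temp\" directory component anywhere in the launched path.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Brand labels that rogue sites embed as a subdomain (the log shows "microsoft").
BRANDS = ("microsoft",)


def parse_hosts_entries(log_text):
    """Return {ip: [hostnames]} built from every O1 - Hosts line."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            by_ip[m.group(1)].append(m.group(2).lower())
    return dict(by_ip)


def is_loopback(ip_text):
    """True for 127.0.0.0/8 or ::1; malformed addresses count as not loopback."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def pinned_hosts(log_text, min_hosts=2):
    """Non-loopback IPs that the hosts file pins several names to.

    Pinning to 127.0.0.1 is the usual ad-blocking trick and is benign;
    pinning many names to one remote IP is the redirect pattern in this log.
    """
    return {ip: names for ip, names in parse_hosts_entries(log_text).items()
            if not is_loopback(ip) and len(names) >= min_hosts}


def brand_lookalikes(log_text):
    """Hostnames carrying a brand label under an unrelated registered domain.

    Assumes a two-label registered domain (fine for .com, wrong for .co.uk).
    """
    hits = []
    for names in parse_hosts_entries(log_text).values():
        for name in names:
            labels = name.split(".")
            registered = ".".join(labels[-2:])
            if any(b in labels[:-2] and not registered.startswith(b)
                   for b in BRANDS):
                hits.append(name)
    return sorted(set(hits))


def temp_autoruns(log_text):
    """(hive, value name, command) for Run entries launching from a Temp dir."""
    out = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m and TEMP_DIR_RE.search(m.group(3)):
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def triage(log_text):
    """Bundle the three checks so a whole log can be reviewed in one call."""
    return {"pinned_hosts": pinned_hosts(log_text),
            "brand_lookalikes": brand_lookalikes(log_text),
            "temp_autoruns": temp_autoruns(log_text)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it a full HijackThis log and it will report the pinned names, the lookalike domains and the Temp-directory autoruns; the two "Cognac" entries in the first log of this thread are exactly what the last check catches.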

#3 shelf life

  • Malware Response Team

Posted 06 March 2009 - 05:06 PM

hi BaTTy55,


Sorry for the delay, no shortage of posters. Yes, you still have malware. This looks like a workplace machine. Malware can spread via networked computers. If you have an IT dept. or person, you should tell them. It's not your network and probably not your machine. If you still need help we will start with this:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click **Remove Selected.**
*A restart may be required to finish the clean up process*
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in reply and a new HJT log.

How Can I Reduce My Risk to Malware?


#4 BaTTy55


Posted 09 March 2009 - 03:30 PM

OK, that got some stuff. Here are your logs.



Malwarebytes' Anti-Malware 1.34
Database version: 1828
Windows 5.1.2600 Service Pack 2

09/03/2009 4:26:09 PM
mbam-log-2009-03-09 (16-26-09).txt

Scan type: Full Scan (C:\|T:\|)
Objects scanned: 189686
Time elapsed: 32 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 27
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\lkknsbn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lkknsbn.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whatwedo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whatwedo.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e89b621-a273-4318-88d3-ba90c271a29a} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{59d60866-798e-4301-83e1-63e4379b25c3} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b32e258a-8ade-4dad-92f9-476a81824d6f} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ceafb1da-70bb-4fc5-ae6c-f64149454288} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{46cfec0b-ca28-4c82-bd91-ef9c6ae197b5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46cfec0b-ca28-4c82-bd91-ef9c6ae197b5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AV1 (Rogue.AntiVirus1) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WAV (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
T:\Profiles\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
T:\Profiles\All Users\Application Data\AV2010 (Rogue.AV2010) -> Quarantined and deleted successfully.
T:\Profiles\All Users\Application Data\AV1 (Rogue.AntiVirus1) -> Quarantined and deleted successfully.

Files Infected:
T:\Profiles\All Users\Application Data\AV1\AV1i.exe (Rogue.AntiVirus1) -> Quarantined and deleted successfully.
C:\Program Files\WAV\WAV.ooo (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\WAV\WAV1.dat (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
T:\Profiles\All Users\Application Data\AV2010\AV2010.exe (Rogue.AV2010) -> Quarantined and deleted successfully.
T:\Profiles\All Users\Application Data\AV2010\IEDefender.dll (Rogue.AV2010) -> Quarantined and deleted successfully.
T:\Profiles\All Users\Application Data\AV2010\svchost.exe (Rogue.AV2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sf.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\m3.ico (Malware.Trace) -> Quarantined and deleted successfully.
T:\Profiles\All Users\Application Data\SysLoader.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\ios.dat (Malware.Trace) -> Quarantined and deleted successfully.
T:\Profiles\student2\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:22 PM, on 09/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
C:\Program Files\PC Tools Internet Security\pctsSvc.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WSFINALACLSERVICE.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\UviMFk.exe
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.scansoft.com/GetUpdates.asp?...07FF9DCF0A869AC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.40.26.1:8080
O1 - Hosts: 70.38.73.25 www.downloadinga2.com
O1 - Hosts: 70.38.73.25 downloadinga2.com
O1 - Hosts: 70.38.73.25 secure.extrabilling.com
O1 - Hosts: 70.38.73.25 updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.woodpckr-a2.com
O1 - Hosts: 70.38.73.25 woodpckr-a2.com
O1 - Hosts: 70.38.73.25 www.fastupdateserver.com
O1 - Hosts: 70.38.73.25 fastupdateserver.com
O1 - Hosts: 70.38.73.25 www.antivirusa2.com
O1 - Hosts: 70.38.73.25 antivirusa2.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [Sysinfo] C:\windows\Bginfo.exe /i:c:\windows\desktop.bgi /timer:0
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\LinQ\MonitorService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [WordQ carat flag] T:\Program Files\WordQ2\WordQcrs.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UviMFk] C:\WINDOWS\system32\UviMFk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [startup] C:\Program Fi
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: delrunedll32.vbs (User 'Default user')
O4 - .DEFAULT User Startup: delrusnedll32.vbs (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.classroom.yrdsb.edu.on.ca
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150324889609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168367999925
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O17 - HKLM\Software\..\Telephony: DomainName = LEARNING.YRDSB.NET
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = LEARNING.YRDSB.NET
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\LinQ\MonitorService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
O23 - Service: VC WS CHANGEACL Service (wsfinalaclservice) - cpsi - C:\WINDOWS\system32\WSFINALACLSERVICE.exe
O24 - Desktop Component 0: (no name) - http://i73.photobucket.com/albums/i218/lip...leset_test1.png

--
End of file - 9857 bytes

#5 shelf life (Malware Response Team, 2,646 posts)

Posted 09 March 2009 - 08:18 PM

Hi BaTTy55,

OK, thanks for the info. We will use HJT.

Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked":

O1 - Hosts: 70.38.73.25 www.downloadinga2.com
O1 - Hosts: 70.38.73.25 downloadinga2.com
O1 - Hosts: 70.38.73.25 secure.extrabilling.com
O1 - Hosts: 70.38.73.25 updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.woodpckr-a2.com
O1 - Hosts: 70.38.73.25 woodpckr-a2.com
O1 - Hosts: 70.38.73.25 www.fastupdateserver.com
O1 - Hosts: 70.38.73.25 fastupdateserver.com
O1 - Hosts: 70.38.73.25 www.antivirusa2.com
O1 - Hosts: 70.38.73.25 antivirusa2.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com

We will leave these since they could have been put in place by an admin:

O4 - .DEFAULT User Startup: delrunedll32.vbs (User 'Default user')
O4 - .DEFAULT User Startup: delrusnedll32.vbs (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

See if you can locate this file on your computer:
UviMFk.exe
located here:
C:\WINDOWS\system32\

If so, go to the website below, browse for the file and click the Send button. You can post the results in your reply.

http://www.virustotal.com/

How Can I Reduce My Risk to Malware?


#6 BaTTy55 (Topic Starter, Members, 36 posts)

Posted 09 March 2009 - 09:52 PM

Hey there,

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O1 - Hosts: 70.38.73.25 www.downloadinga2.com
O1 - Hosts: 70.38.73.25 downloadinga2.com
O1 - Hosts: 70.38.73.25 secure.extrabilling.com
O1 - Hosts: 70.38.73.25 updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.woodpckr-a2.com
O1 - Hosts: 70.38.73.25 woodpckr-a2.com
O1 - Hosts: 70.38.73.25 www.fastupdateserver.com
O1 - Hosts: 70.38.73.25 fastupdateserver.com
O1 - Hosts: 70.38.73.25 www.antivirusa2.com
O1 - Hosts: 70.38.73.25 antivirusa2.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com


I just wanted to ask why these are in the log and what they do.


We will leave these since they could have been put in place by a admin:

O4 - .DEFAULT User Startup: delrunedll32.vbs (User 'Default user')
O4 - .DEFAULT User Startup: delrusnedll32.vbs (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present


The 2 .vbs files are clean; the reg value, not so sure. Maybe the admin placed it there.

See if you can locate this file on your computer:
UviMFk.exe
located here:
C:\WINDOWS\system32\


This is not anything bad.

What now?

#7 shelf life (Malware Response Team, 2,646 posts)

Posted 10 March 2009 - 08:16 PM

Hi BaTTy55,

Looks like MBAM removed a load of malware.

All these are entries in your hosts file:
O1 - Hosts: 70.38.73.25 www.downloadinga2.com
O1 - Hosts: 70.38.73.25 downloadinga2.com

If you tried to go to one of those .com names in the list, for whatever reason, you would end up at 70.38.73.25, which is this:
http://70.38.73.25/

Malware can edit and use a hosts file; users can also have custom hosts files.


I am thinking the .vbs is some script that runs when the computer boots up. An admin could have added this. Same with the IE restrictions.

Check MBAM for any updates and run it once more.

How Can I Reduce My Risk to Malware?
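
A small hosts-file audit, added here as an example and not part of shelf life's instructions or any tool from the thread: it parses a Windows hosts file, groups every hostname by the address it is pinned to, and separates the normal blackhole entries (loopback or 0.0.0.0) and private-network overrides from entries that silently send names to a public address, which is exactly what the 70.38.73.25 lines in the HJT log above do. The sample input embeds the O1 lines from that log; the 127.0.0.1 localhost line and the 10.40.26.5 line are constructed benign entries so the classifier has something to pass.

```python
import ipaddress
import sys
from collections import defaultdict
from pathlib import Path

# Hosts entries copied from the O1 lines in the HijackThis log above, plus
# two lines I constructed (the stock loopback line and one RFC 1918 entry)
# so the classifier has benign input to leave alone.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.40.26.5      intranet.example   # constructed: a plausible admin-added line
70.38.73.25 www.downloadinga2.com
70.38.73.25 downloadinga2.com
70.38.73.25 secure.extrabilling.com
70.38.73.25 updateyourprotection.com
70.38.73.25 www.updateyourprotection.com
70.38.73.25 www.woodpckr-a2.com
70.38.73.25 woodpckr-a2.com
70.38.73.25 www.fastupdateserver.com
70.38.73.25 fastupdateserver.com
70.38.73.25 www.antivirusa2.com
70.38.73.25 antivirusa2.com
70.38.73.25 www.microsoft.browsersecuritycenter.com
70.38.73.25 microsoft.browsersecuritycenter.com
70.38.73.25 www.browsersecuritycenter.com
70.38.73.25 browsersecuritycenter.com
70.38.73.25 www.microsoft.browsersecuritycenter.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        for host in fields[1:]:               # one line may carry several names
            yield str(addr), host.lower()


def classify(text):
    """Group hostnames by target address and label each group.

    'blocking' -> loopback or unspecified target: the normal way to blackhole a name
    'internal' -> private or link-local target: typical admin override, worth a look
    'redirect' -> any other (public) target: the name is quietly sent to a third
                  party, which is what the 70.38.73.25 entries in the log do
    """
    groups = defaultdict(set)                 # a set drops duplicate lines
    for ip, host in parse_hosts(text):
        groups[ip].add(host)
    report = {}
    for ip, hosts in groups.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            label = "blocking"
        elif addr.is_private or addr.is_link_local:
            label = "internal"
        else:
            label = "redirect"
        report[ip] = (label, sorted(hosts))
    return report


def redirected_names(text):
    """Sorted list of every hostname the file pins to a public address."""
    names = set()
    for label, hosts in classify(text).values():
        if label == "redirect":
            names.update(hosts)
    return sorted(names)


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; with no path the embedded sample is used.
    # On Windows the live file is C:\Windows\System32\drivers\etc\hosts.
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    text = path.read_text(errors="replace") if path else SAMPLE_HOSTS
    for ip, (label, hosts) in classify(text).items():
        print(f"{label:9} {ip:16} {len(hosts)} name(s)")
        if label == "redirect":
            for h in hosts:
                print(f"          -> {h}")
```

Run against the sample it reports one blocking group (localhost), one internal group (the constructed 10.40.26.5 line) and one redirect group of 15 distinct names on 70.38.73.25 (the log has 16 O1 lines because www.microsoft.browsersecuritycenter.com appears twice). Pointing vendor or "security center" style names at a single public address is the pattern to look for: a legitimate block list uses 127.0.0.1 or 0.0.0.0, never a routable host.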


#8 BaTTy55 (Topic Starter, Members, 36 posts)

Posted 11 March 2009 - 05:01 PM

OK, Malwarebytes is not finding anything after being updated.


all these are entries in your host file:
O1 - Hosts: 70.38.73.25 www.downloadinga2.com
O1 - Hosts: 70.38.73.25 downloadinga2.com

if you tried to go to one of those .com in the list for whatever reason you would end up at 70.38.73.25 which is this:
http://70.38.73.25/



Yes, that website displays a 404 page that is fake.

Exploit site??

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present


This is not placed by an admin, and when I look in there there's no value.

All internet restrictions are done by LAN.


I am sometimes sent here randomly:
hxxp://loyaltube.com/tube/?id=110&title=Just+SEE+IT

which displays text saying "just see it!"
and a fake ActiveX object warning trying to get me to install Zlob...

This is only when I use IE 6.

#9 shelf life (Malware Response Team, 2,646 posts)

Posted 11 March 2009 - 05:11 PM

You can use HJT to fix the entries if you haven't already.


Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked":

all the O1 hosts items and this one:

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present


For IE you can:

Start > Settings > Control Panel > click the Internet Options icon.

Next:

Click on Delete Cookies.

Click on Delete Files, make sure "Delete all offline content" is checked and then click on OK.


Then click on Settings, then click on View Files; if there is anything in there, delete what you can
(Edit > Select All, then File > Delete).

Under the Advanced tab, click on "Reset Internet Explorer settings".
Updating to IE 7.0 wouldn't hurt anything.

How Can I Reduce My Risk to Malware?


#10 BaTTy55 (Topic Starter, Members, 36 posts)

Posted 12 March 2009 - 04:16 PM

Did everything you asked me to.

My computer is acting fine. Is there anything else I should do, or am I good?

Edited by BaTTy55, 12 March 2009 - 04:17 PM.


#11 shelf life (Malware Response Team, 2,646 posts)

Posted 12 March 2009 - 08:08 PM

Hi BaTTy55,

OK, good. Keep Malwarebytes and always check for updates before scanning with it. It's good practice to get in the habit of updating it even if you don't scan your computer a lot. If all is good on your end, I leave you with some tips for reducing your risk to malware:


Reducing Your Risk To Malware:
The Short Version:

1) Keep your OS,(Windows) browser (IE, FireFox) and other Software up to date to "patch" possible vulnerabilities that could be exploited.

2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, links or popups.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install and know the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

10) If your habits include warez, cracks etc., or you install files via P2P networks, then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?
