random named batch files and .exe's that keep coming back


  • This topic is locked
8 replies to this topic

#1 neelhow

  • Members
  • 7 posts

Posted 16 April 2009 - 01:34 PM

I work at a local computer shop and am familiar with removing viruses, but this one keeps coming back. Every time I believe I have it gone, it comes back. I have run Malwarebytes, NOD32, ComboFix and HijackThis. None of these programs seems to find the root of the problem; they all point to where I might continue looking, but do not resolve the problem. The problem is that in the root there are randomly named batch and exe files that I can shift-delete. I restart the computer and it runs fine for about ten minutes. I have the Task Manager open, and then the randomly named exe's start to show up. Then I go look in the root and there they are again. ComboFix pointed to this in the registry:
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Msn"="c:\OxOr.exe" [2009-04-14 245248]
"MsnHost"="c:\OxOr.exe" [2009-04-14 245248]
"MsnLoad"="c:\OxOr.exe" [2009-04-14 245248]
So I checked it out, deleted them and restarted again. Once again, about ten minutes into the computer running, everything is back again, only with different names, even in the registry entry. There are two batch files: the contents of one appear to shut off the firewall and then try to run one of the randomly named exes. The other points to what appears to be a randomly generated website (a long string of numbers and letters, .cn) every 15 minutes. Sorry if I jumped ahead by running all the above, but I usually can remove these with no problems and this one has got me.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Compaq_Owner at 14:02:36.43 on Thu 04/16/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.647 [GMT -4:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
K:\virus tools\ProcessExplorer\procexp.exe
c:\dRr.exe
c:\dRr.exe
c:\dRr.exe
K:\virus tools\Hijackthis\jackThis.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
mWindow Title = NetLine America, Inc.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dExplorerRun: [Msn] c:\dRr.exe
dExplorerRun: [MsnHost] c:\dRr.exe
dExplorerRun: [MsnLoad] c:\dRr.exe
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S4 Windows Action Script;Windows Action Script;"c:\windows\system32\scvhost.exe" --> c:\windows\system32\scvhost.exe [?]

=============== Created Last 30 ================

2009-04-16 13:30 245,248 a------- C:\dRr.exe
2009-04-16 13:30 8,150 a------- C:\RTV6CC.bat
2009-04-16 13:30 178 a------- C:\w1qT.bat
2009-04-16 11:28 <DIR> --d----- C:\boFix
2009-04-16 09:38 <DIR> --d----- c:\program files\FileASSASSIN
2009-04-15 10:37 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-04-15 10:37 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-04-15 10:37 9,600 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-04-15 10:37 9,600 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-28 22:38 4,096 a------- c:\windows\d3dx.dat
2008-07-15 12:44 70,048 a------- c:\docume~1\compaq~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 14:03:00.29 ===============

Edited by neelhow, 16 April 2009 - 01:37 PM.
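The autostart entries in the DDS log above (dExplorerRun: [Msn] c:\dRr.exe) carry three properties that a responder would pull out of any HijackThis or DDS log: the entry lives under Policies\Explorer\Run rather than the ordinary Run key, its target sits directly in the drive root, and it is registered for the SYSTEM or .DEFAULT profile. The Python script below is an added example, not part of the thread and not output or code from DDS, HijackThis or ComboFix: it parses lines in both formats and scores each entry on those three indicators. The sample lines are constructed for the example, modelled on the logs in this thread; the indicator names and the rule that any hit is worth reporting are this example's own choices.

```python
import re

# Constructed sample lines in the two autostart formats seen in this thread:
# HijackThis "O4 - ..." and DDS "uRun:/mRun:/dRun:/dExplorerRun:" lines. Not copied from the logs.
SAMPLE_AUTORUN_LINES = r'''
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\dRr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MsnLoad] c:\dRr.exe (User 'Default user')
dExplorerRun: [MsnHost] c:\dRr.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
'''.strip().splitlines()

HJT_O4 = re.compile(r"^O4 - (?P<location>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DDS_RUN = re.compile(r"^(?P<scope>[umd])(?P<key>Run|ExplorerRun): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")        # HJT appends (User 'SYSTEM') etc.
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|bat|cmd|com|scr|vbs|pif))"?', re.IGNORECASE)
DDS_SCOPE = {"u": "HKCU", "m": "HKLM", "d": "HKUS\\.DEFAULT"}  # DDS prefix letters


def parse_autorun(line):
    """Return {'location', 'name', 'cmd'} for an HJT O4 or DDS autorun line, else None."""
    m = HJT_O4.match(line)
    if m:
        return {"location": m["location"], "name": m["name"], "cmd": USER_SUFFIX.sub("", m["cmd"])}
    m = DDS_RUN.match(line)
    if m:
        key = "Policies\\Explorer\\Run" if m["key"] == "ExplorerRun" else "Run"
        return {"location": f"{DDS_SCOPE[m['scope']]}\\..\\{key}", "name": m["name"], "cmd": m["cmd"]}
    return None


def executable_path(cmd):
    """Pull the program path out of a command line, quoted or not, dropping arguments."""
    m = EXE_PATH.match(cmd.strip())
    return m["path"] if m else cmd.strip().split(" ")[0]


def indicators(entry):
    """Properties that made the Msn entries stand out; names and rules are this example's own."""
    hits = []
    location = entry["location"].lower()
    path = executable_path(entry["cmd"])
    if "policies\\explorer\\run" in location:
        hits.append("policy_run_key")             # rarely used by legitimate installers
    if re.fullmatch(r"[a-z]:\\[^\\]+", path, re.IGNORECASE):
        hits.append("drive_root_binary")          # program sits directly in C:\
    if "s-1-5-18" in location or ".default" in location:
        hits.append("system_or_default_profile")  # runs for SYSTEM / Default user, not the logged-on user
    return hits


def triage_autoruns(lines):
    """Parse every autorun line and return the entries with indicators, most suspicious first."""
    findings = []
    for line in lines:
        entry = parse_autorun(line.strip())
        if entry is None:
            continue
        hits = indicators(entry)
        if hits:
            findings.append({"name": entry["name"], "location": entry["location"],
                             "path": executable_path(entry["cmd"]), "indicators": hits})
    findings.sort(key=lambda f: len(f["indicators"]), reverse=True)  # stable sort: ties keep log order
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_AUTORUN_LINES):
        print(f"{len(f['indicators'])} [{f['name']}] {f['path']}  <- {', '.join(f['indicators'])}")
```

To run it over a real log, read the file with `open(path).read().splitlines()` and pass the list to `triage_autoruns`; lines that are not autorun entries are ignored. The MySpaceIM entry scores one indicator only because HijackThis lists it under the SYSTEM hive, which is exactly the kind of weak hit a reviewer reads in context rather than acting on.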


#2 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Location:The Netherlands

Posted 16 April 2009 - 06:46 PM

Hi neelhow,

Welcome to the BC HijackThis forum, and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Go to Start > Run, copy/paste the following lines one by one into the Run box, and click OK after each line.

    cmd /c dir /o:d /a "C:\" > "%userprofile%\desktop\log1.txt"
    cmd /c dir /a /s C:\WINDOWS\tasks >> "%userprofile%\desktop\log1.txt"


    A log1.txt file will be created on your desktop. Please post its content in your reply.

  • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.

Edited by farbar, 16 April 2009 - 06:47 PM.


#3 neelhow

  • Topic Starter
  • Members
  • 7 posts

Posted 17 April 2009 - 12:04 PM

Here are the logs you requested. Sorry for the delay. The dRr.exe in the HJT is one of the random files that showed up.

Volume in drive C is PRESARIO
Volume Serial Number is 50D4-DE6D

Directory of C:\

08/04/2004 08:00 AM 47,564 NTDETECT.COM
08/04/2004 08:00 AM 250,032 ntldr
08/04/2004 08:00 AM 260,272 cmldr
08/11/2004 09:17 PM 0 MSDOS.SYS
08/11/2004 09:17 PM 0 IO.SYS
08/11/2004 09:17 PM 0 AUTOEXEC.BAT
08/11/2004 09:17 PM 0 CONFIG.SYS
08/11/2004 10:23 PM <DIR> system.sav
08/12/2004 01:11 AM <DIR> Intel
12/18/2004 03:10 PM 196 BOOTNXX.BAK
12/18/2004 03:11 PM 213 BOOT.BAK
12/18/2004 03:11 PM <DIR> sysprep
12/18/2004 09:36 PM <DIR> cmdcons
12/19/2004 12:52 PM <DIR> hp
12/23/2004 06:13 PM 2,534 CHANNEL.LOG
01/01/2005 08:09 PM <DIR> Disney Interactive
02/15/2005 06:06 PM <DIR> KA
02/28/2005 07:04 PM 351 IPH.PH
03/06/2005 11:51 PM 23,823 CallRec.txt
06/05/2005 04:44 PM 182 drwtsn32.log
06/23/2005 07:04 PM <DIR> Python22
03/25/2006 09:28 PM 10,026 devicetable.log
04/20/2006 07:45 PM <DIR> SIERRA
11/22/2006 03:01 AM <DIR> bb9be17323f3d7e3b68ff91b
12/27/2006 11:27 PM 150 YServer.txt
02/03/2007 10:40 PM 1,150,976 Full Gospel Baptist Church.QBW
10/04/2007 06:40 AM 710,656 FGBC Building Fund.QBW
11/20/2007 02:16 PM 653,312 Adrian Full Gospel Baptist Church.QBW
06/04/2008 11:08 AM <DIR> My Music
06/21/2008 11:04 PM 28,482 CybDefInstallInfo.log
11/24/2008 08:21 PM 41,454 logfile
11/25/2008 06:32 PM <DIR> INET
11/25/2008 06:36 PM 4,255,744 Dana Leigh's Diner.QBW
01/02/2009 10:59 PM <DIR> Config.Msi
04/15/2009 10:36 AM 281 boot.ini
04/16/2009 09:38 AM <DIR> Program Files
04/16/2009 11:28 AM <DIR> System Volume Information
04/16/2009 11:33 AM 15,938 ComboFix.txt
04/16/2009 11:34 AM <DIR> QooBox
04/16/2009 11:34 AM <DIR> boFix
04/16/2009 11:36 AM <DIR> RECYCLER
04/16/2009 11:42 AM <DIR> Documents and Settings
04/16/2009 01:16 PM 390,070,272 pagefile.sys
04/16/2009 01:16 PM 1,333,121,024 hiberfil.sys
04/16/2009 01:30 PM 178 w1qT.bat
04/16/2009 01:30 PM 48 azq2bu.txt
04/16/2009 01:30 PM 8,150 RTV6CC.bat
04/16/2009 01:30 PM 245,248 dRr.exe
04/16/2009 06:55 PM <DIR> WINDOWS
04/17/2009 12:56 PM 0 Documents
30 File(s) 1,730,897,106 bytes
20 Dir(s) 63,178,862,592 bytes free
Volume in drive C is PRESARIO
Volume Serial Number is 50D4-DE6D

Directory of C:\WINDOWS\tasks

04/16/2009 01:30 PM <DIR> .
04/16/2009 01:30 PM <DIR> ..
04/17/2009 11:12 AM 284 AppleSoftwareUpdate.job
04/17/2009 12:00 AM 386 At1.job
04/17/2009 02:15 AM 386 At10.job
04/17/2009 02:30 AM 386 At11.job
04/17/2009 02:45 AM 386 At12.job
04/17/2009 03:00 AM 386 At13.job
04/17/2009 03:15 AM 386 At14.job
04/17/2009 03:30 AM 386 At15.job
04/17/2009 03:45 AM 386 At16.job
04/17/2009 04:00 AM 386 At17.job
04/17/2009 04:15 AM 386 At18.job
04/17/2009 04:30 AM 386 At19.job
04/17/2009 12:15 AM 386 At2.job
04/17/2009 04:45 AM 386 At20.job
04/17/2009 05:00 AM 386 At21.job
04/17/2009 05:15 AM 386 At22.job
04/17/2009 05:30 AM 386 At23.job
04/17/2009 05:45 AM 386 At24.job
04/17/2009 06:00 AM 386 At25.job
04/17/2009 06:15 AM 386 At26.job
04/17/2009 06:30 AM 386 At27.job
04/17/2009 06:45 AM 386 At28.job
04/17/2009 07:00 AM 386 At29.job
04/17/2009 12:30 AM 386 At3.job
04/17/2009 07:15 AM 386 At30.job
04/17/2009 07:30 AM 386 At31.job
04/17/2009 07:45 AM 386 At32.job
04/17/2009 08:00 AM 386 At33.job
04/17/2009 08:15 AM 386 At34.job
04/17/2009 08:30 AM 386 At35.job
04/17/2009 08:45 AM 386 At36.job
04/17/2009 09:00 AM 386 At37.job
04/17/2009 09:15 AM 386 At38.job
04/17/2009 09:30 AM 386 At39.job
04/17/2009 12:45 AM 386 At4.job
04/17/2009 09:45 AM 386 At40.job
04/17/2009 10:00 AM 386 At41.job
04/17/2009 10:15 AM 386 At42.job
04/17/2009 10:30 AM 386 At43.job
04/17/2009 10:45 AM 386 At44.job
04/17/2009 11:00 AM 386 At45.job
04/17/2009 11:15 AM 386 At46.job
04/17/2009 11:30 AM 386 At47.job
04/17/2009 11:45 AM 386 At48.job
04/17/2009 12:00 PM 386 At49.job
04/17/2009 01:00 AM 386 At5.job
04/17/2009 12:15 PM 386 At50.job
04/17/2009 12:30 PM 386 At51.job
04/17/2009 12:45 PM 386 At52.job
04/16/2009 01:30 PM 386 At53.job
04/16/2009 01:30 PM 386 At54.job
04/16/2009 01:30 PM 386 At55.job
04/16/2009 01:45 PM 386 At56.job
04/16/2009 02:00 PM 386 At57.job
04/16/2009 02:15 PM 386 At58.job
04/16/2009 02:30 PM 386 At59.job
04/17/2009 01:15 AM 386 At6.job
04/16/2009 02:45 PM 386 At60.job
04/16/2009 03:00 PM 386 At61.job
04/16/2009 03:15 PM 386 At62.job
04/16/2009 03:30 PM 386 At63.job
04/16/2009 03:45 PM 386 At64.job
04/16/2009 04:00 PM 386 At65.job
04/16/2009 04:15 PM 386 At66.job
04/16/2009 04:30 PM 386 At67.job
04/16/2009 04:45 PM 386 At68.job
04/16/2009 05:00 PM 386 At69.job
04/17/2009 01:30 AM 386 At7.job
04/16/2009 05:15 PM 386 At70.job
04/16/2009 05:30 PM 386 At71.job
04/16/2009 05:45 PM 386 At72.job
04/16/2009 06:00 PM 386 At73.job
04/16/2009 06:15 PM 386 At74.job
04/16/2009 06:30 PM 386 At75.job
04/16/2009 06:45 PM 386 At76.job
04/16/2009 07:00 PM 386 At77.job
04/16/2009 07:15 PM 386 At78.job
04/16/2009 07:30 PM 386 At79.job
04/17/2009 01:45 AM 386 At8.job
04/16/2009 07:45 PM 386 At80.job
04/16/2009 08:00 PM 386 At81.job
04/16/2009 08:15 PM 386 At82.job
04/16/2009 08:30 PM 386 At83.job
04/16/2009 08:45 PM 386 At84.job
04/16/2009 09:00 PM 386 At85.job
04/16/2009 09:15 PM 386 At86.job
04/16/2009 09:30 PM 386 At87.job
04/16/2009 09:45 PM 386 At88.job
04/16/2009 10:00 PM 386 At89.job
04/17/2009 02:00 AM 386 At9.job
04/16/2009 10:15 PM 386 At90.job
04/16/2009 10:30 PM 386 At91.job
04/16/2009 10:45 PM 386 At92.job
04/16/2009 11:00 PM 386 At93.job
04/16/2009 11:15 PM 386 At94.job
04/16/2009 11:30 PM 386 At95.job
04/16/2009 11:45 PM 386 At96.job
08/04/2004 03:00 PM 65 desktop.ini
04/17/2009 01:45 AM 330 MP Scheduled Scan.job
03/30/2009 08:00 PM 636 Norton Internet Security - Run Full System Scan - Compaq_Owner.job
04/16/2009 01:16 PM 6 SA.DAT
101 File(s) 38,377 bytes

Total Files Listed:
101 File(s) 38,377 bytes
2 Dir(s) 63,178,862,592 bytes free

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:52 PM, on 4/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\dRr.exe
c:\dRr.exe
c:\dRr.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
K:\pin drive\virus tools\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\dRr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad] c:\dRr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\dRr.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

--
End of file - 5871 bytes
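The two listings in log1.txt above show the pattern a responder looks for in a case like this: 96 At*.job files of identical size whose timestamps sit 15 minutes apart (96 quarter hours is exactly one day), and three root-level files (dRr.exe, RTV6CC.bat, w1qT.bat) stamped 01:30 PM, the same minute as the earliest of the jobs. The Python script below is an added example, not part of the thread and not code or output from DDS, HijackThis or OTMoveIt3: it parses `dir` output in the format of log1.txt, flags a burst of same-size, regularly spaced At jobs, and lists root-level executables that share the burst's earliest timestamp. The listing it runs on is constructed in code to mirror the post rather than copied from it; the threshold of eight jobs, the 80% regularity rule and the allowlist of XP boot files are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# One line of `dir` output: date, time, size (or <DIR>), name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$")
AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)        # jobs created with at.exe
EXEC_EXT = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif")
EXPECTED_ROOT = {"autoexec.bat", "ntdetect.com", "cmldr"}  # assumption: XP boot files normally in C:\


def parse_dir_listing(lines):
    """Return (timestamp, size_or_None, name) per file line; headers and totals are skipped."""
    entries = []
    for line in lines:
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M %p")
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append((when, size, m["name"]))
    return entries


def find_at_job_burst(entries, min_jobs=8):
    """Flag many same-size At*.job files with regularly spaced timestamps.

    Returns a summary dict, or None when fewer than min_jobs (assumed threshold) are present.
    """
    jobs = [(when, size) for when, size, name in entries if AT_JOB.match(name)]
    if len(jobs) < min_jobs:
        return None
    times = sorted(when for when, _ in jobs)
    # Spacing between consecutive job timestamps, in whole minutes.
    gaps = Counter(int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:]))
    interval, freq = gaps.most_common(1)[0]
    return {
        "count": len(jobs),
        "same_size": len({size for _, size in jobs}) == 1,
        "interval_minutes": interval,
        "regular": freq / (len(times) - 1) >= 0.8,  # at least 80% of gaps share one interval
        "first_seen": times[0],
    }


def root_droppers(entries, burst):
    """Executables outside the expected boot files; marks those stamped in the burst's first minute."""
    found = []
    for when, size, name in entries:
        if size is None or not name.lower().endswith(EXEC_EXT) or name.lower() in EXPECTED_ROOT:
            continue
        found.append({
            "name": name, "size": size, "when": when,
            "coincides_with_burst": burst is not None and when == burst["first_seen"],
        })
    return found


def constructed_sample():
    """Listing constructed for this example, modelled on the post: 96 jobs of 386 bytes, 15 min apart."""
    root = """
04/15/2009 10:36 AM 281 boot.ini
08/04/2004 08:00 AM 47,564 NTDETECT.COM
08/11/2004 09:17 PM 0 AUTOEXEC.BAT
04/16/2009 01:30 PM 178 w1qT.bat
04/16/2009 01:30 PM 8,150 RTV6CC.bat
04/16/2009 01:30 PM 245,248 dRr.exe
""".strip().splitlines()
    start = datetime(2009, 4, 16, 13, 30)
    tasks = [f"{start + timedelta(minutes=15 * i):%m/%d/%Y %I:%M %p} 386 At{i + 1}.job"
             for i in range(96)]
    tasks += ["04/17/2009 11:12 AM 284 AppleSoftwareUpdate.job",
              "08/04/2004 03:00 PM 65 desktop.ini"]
    return root, tasks


def triage(root_lines, task_lines):
    """Run both checks over the two listings that log1.txt contains."""
    burst = find_at_job_burst(parse_dir_listing(task_lines))
    return burst, root_droppers(parse_dir_listing(root_lines), burst)


if __name__ == "__main__":
    burst, droppers = triage(*constructed_sample())
    if burst:
        print(f"{burst['count']} At*.job tasks every {burst['interval_minutes']} min "
              f"(regular={burst['regular']}, same size={burst['same_size']}), first {burst['first_seen']}")
    for d in droppers:
        print(f"  {d['name']:12} {d['size']:>8} {d['when']}  same minute as burst: {d['coincides_with_burst']}")
```

For a real log1.txt, split the file at the second "Volume in drive" header and pass the two halves to `triage`. The job timestamps are what `dir` reports for the .job files, so on a machine where the tasks are firing they reflect the last run of each job; that is why the 96 entries above spread across a full day rather than clustering at creation time, and it is also why the spacing, not the absolute time, is the useful signal.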

#4 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Location:The Netherlands

Posted 17 April 2009 - 12:38 PM

Well done :thumbup2:

Please do step 1 before doing the other steps, because we are going to remove the uploaded file.
  • I would like to have a close look at the following file. To submit the file:
  • Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      :Processes
      explorer.exe
      
      :Services
      Windows Action Script
      
      :Files
      c:\windows\Tasks\At*.job
      c:\*.exe
      c:\*.bat
      C:\azq2bu.txt
      c:\windows\system32\scvhost.exe
      
      :Reg
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "Msn"=-
      "MsnHost"=-
      "MsnLoad"=-
      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
      "Msn"=-
      "MsnHost"=-
      "MsnLoad"=-
      
      :Commands
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt3
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Please copy and paste a fresh Hijackthis log to your reply.


#5 neelhow

  • Topic Starter
  • Members
  • 7 posts

Posted 17 April 2009 - 01:02 PM

Uploaded the requested file, and here are the new logs.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========

Service\Driver Windows Action Script deleted successfully.
========== FILES ==========
c:\windows\Tasks\At1.job moved successfully.
c:\windows\Tasks\At10.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At12.job moved successfully.
c:\windows\Tasks\At13.job moved successfully.
c:\windows\Tasks\At14.job moved successfully.
c:\windows\Tasks\At15.job moved successfully.
c:\windows\Tasks\At16.job moved successfully.
c:\windows\Tasks\At17.job moved successfully.
c:\windows\Tasks\At18.job moved successfully.
c:\windows\Tasks\At19.job moved successfully.
c:\windows\Tasks\At2.job moved successfully.
c:\windows\Tasks\At20.job moved successfully.
c:\windows\Tasks\At21.job moved successfully.
c:\windows\Tasks\At22.job moved successfully.
c:\windows\Tasks\At23.job moved successfully.
c:\windows\Tasks\At24.job moved successfully.
c:\windows\Tasks\At25.job moved successfully.
c:\windows\Tasks\At26.job moved successfully.
c:\windows\Tasks\At27.job moved successfully.
c:\windows\Tasks\At28.job moved successfully.
c:\windows\Tasks\At29.job moved successfully.
c:\windows\Tasks\At3.job moved successfully.
c:\windows\Tasks\At30.job moved successfully.
c:\windows\Tasks\At31.job moved successfully.
c:\windows\Tasks\At32.job moved successfully.
c:\windows\Tasks\At33.job moved successfully.
c:\windows\Tasks\At34.job moved successfully.
c:\windows\Tasks\At35.job moved successfully.
c:\windows\Tasks\At36.job moved successfully.
c:\windows\Tasks\At37.job moved successfully.
c:\windows\Tasks\At38.job moved successfully.
c:\windows\Tasks\At39.job moved successfully.
c:\windows\Tasks\At4.job moved successfully.
c:\windows\Tasks\At40.job moved successfully.
c:\windows\Tasks\At41.job moved successfully.
c:\windows\Tasks\At42.job moved successfully.
c:\windows\Tasks\At43.job moved successfully.
c:\windows\Tasks\At44.job moved successfully.
c:\windows\Tasks\At45.job moved successfully.
c:\windows\Tasks\At46.job moved successfully.
c:\windows\Tasks\At47.job moved successfully.
c:\windows\Tasks\At48.job moved successfully.
c:\windows\Tasks\At49.job moved successfully.
c:\windows\Tasks\At5.job moved successfully.
c:\windows\Tasks\At50.job moved successfully.
c:\windows\Tasks\At51.job moved successfully.
c:\windows\Tasks\At52.job moved successfully.
c:\windows\Tasks\At53.job moved successfully.
c:\windows\Tasks\At54.job moved successfully.
c:\windows\Tasks\At55.job moved successfully.
c:\windows\Tasks\At56.job moved successfully.
c:\windows\Tasks\At57.job moved successfully.
c:\windows\Tasks\At58.job moved successfully.
c:\windows\Tasks\At59.job moved successfully.
c:\windows\Tasks\At6.job moved successfully.
c:\windows\Tasks\At60.job moved successfully.
c:\windows\Tasks\At61.job moved successfully.
c:\windows\Tasks\At62.job moved successfully.
c:\windows\Tasks\At63.job moved successfully.
c:\windows\Tasks\At64.job moved successfully.
c:\windows\Tasks\At65.job moved successfully.
c:\windows\Tasks\At66.job moved successfully.
c:\windows\Tasks\At67.job moved successfully.
c:\windows\Tasks\At68.job moved successfully.
c:\windows\Tasks\At69.job moved successfully.
c:\windows\Tasks\At7.job moved successfully.
c:\windows\Tasks\At70.job moved successfully.
c:\windows\Tasks\At71.job moved successfully.
c:\windows\Tasks\At72.job moved successfully.
c:\windows\Tasks\At73.job moved successfully.
c:\windows\Tasks\At74.job moved successfully.
c:\windows\Tasks\At75.job moved successfully.
c:\windows\Tasks\At76.job moved successfully.
c:\windows\Tasks\At77.job moved successfully.
c:\windows\Tasks\At78.job moved successfully.
c:\windows\Tasks\At79.job moved successfully.
c:\windows\Tasks\At8.job moved successfully.
c:\windows\Tasks\At80.job moved successfully.
c:\windows\Tasks\At81.job moved successfully.
c:\windows\Tasks\At82.job moved successfully.
c:\windows\Tasks\At83.job moved successfully.
c:\windows\Tasks\At84.job moved successfully.
c:\windows\Tasks\At85.job moved successfully.
c:\windows\Tasks\At86.job moved successfully.
c:\windows\Tasks\At87.job moved successfully.
c:\windows\Tasks\At88.job moved successfully.
c:\windows\Tasks\At89.job moved successfully.
c:\windows\Tasks\At9.job moved successfully.
c:\windows\Tasks\At90.job moved successfully.
c:\windows\Tasks\At91.job moved successfully.
c:\windows\Tasks\At92.job moved successfully.
c:\windows\Tasks\At93.job moved successfully.
c:\windows\Tasks\At94.job moved successfully.
c:\windows\Tasks\At95.job moved successfully.
c:\windows\Tasks\At96.job moved successfully.
c:\dRr.exe moved successfully.
c:\AUTOEXEC.BAT moved successfully.
c:\RTV6CC.bat moved successfully.
c:\w1qT.bat moved successfully.
C:\azq2bu.txt moved successfully.
File/Folder c:\windows\system32\scvhost.exe not found.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Msn not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MsnHost not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MsnLoad not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\\Msn deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\\MsnHost deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\\MsnLoad deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\U8IQZXKU\index[5].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\PR01KJ7W\index[10].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0KJ5MTGW\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VSP3CDJ0\2009_cuteteencheaters_com[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\REPJQHOF\join[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NZ7CZ6I0\g667031-pmo[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NZ7CZ6I0\portal[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\fla14BD.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JET7407.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04172009_135242


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:34 PM, on 4/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
K:\pin drive\virus tools\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

--
End of file - 5573 bytes
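Pulling an inventory of O4 autorun entries out of a HijackThis log such as the one above is easy to script, and doing it for every hive at once is what stops a regenerating infection from slipping back in through a value you did not notice. The Python below is an added example, not code from this thread or from any of the tools mentioned: it parses O4 lines, groups them by the file they launch, and flags any target that lives outside the Windows and Program Files directories. The sample lines are the O4 entries from the log above plus two constructed ones; the trusted-directory list and the extension heuristic are my assumptions.

```python
import re

# Constructed sample: the O4 entries from the HijackThis log above, plus two
# hypothetical entries (made up for this example) that both start c:\example.exe.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r"O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')",
    r'O4 - HKCU\..\Run: [Example] c:\example.exe',       # constructed, not from the log
    r'O4 - HKCU\..\Run: [Example2] c:\example.exe /q',   # constructed: same file, second value
]

# Assumed layout of a HijackThis v2 O4 line:
#   O4 - <hive>\..\<key>: [<value name>] <command> [(User '<account>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\\[]+)*?)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
EXT_RE = re.compile(r"\.(?:exe|com|bat|cmd|scr|pif|dll)\b", re.IGNORECASE)
# Assumption: anything launched from outside these roots deserves a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

def target_path(cmd: str) -> str:
    """Extract the launched file from a Run value (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.search(cmd)                  # unquoted path: cut after the extension
    return cmd[:m.end()] if m else cmd.split(" ", 1)[0]

def parse_o4(line: str):
    """Return the fields of one O4 line as a dict, or None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["target"] = target_path(entry["cmd"])
    return entry

def location_flag(path: str) -> str:
    """Reason to look closer at a target, or '' when it sits in a normal location."""
    p = path.lower()
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):  # file directly in a drive root
        return "launched from drive root"
    if not p.startswith(TRUSTED_ROOTS):
        return "outside Windows/Program Files"
    return ""

def audit(lines):
    """Parse every O4 line and attach a flag, so no autorun value is overlooked."""
    entries = [e for e in map(parse_o4, lines) if e is not None]
    for e in entries:
        e["flag"] = location_flag(e["target"])
    return entries

def group_by_target(entries):
    """Map each launched file to every registry value that starts it: remove them together."""
    groups = {}
    for e in entries:
        groups.setdefault(e["target"].lower(), []).append(f"{e['hive']}\\..\\{e['key']}:[{e['name']}]")
    return groups

if __name__ == "__main__":
    found = audit(SAMPLE_O4_LINES)
    for target, refs in group_by_target(found).items():
        flag = next(e["flag"] for e in found if e["target"].lower() == target)
        print(f"{'!!' if flag else '  '} {target}  <- {', '.join(refs)}  {flag}")
```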

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:22 AM

Posted 17 April 2009 - 01:26 PM

Thanks for the upload.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Please run DDS and post a DDS log for final review (no need for attach.txt). Tell me also how the computer is running.


#7 neelhow

neelhow
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:22 PM

Posted 17 April 2009 - 01:40 PM

Computer seems to be running much better now. I have not seen any return of the batch files or exe's. I'm going to feel pretty dumb if it was the files in the task causing all these issues, but I guess you learn something new every day. I will know where to look next time. Here is the requested log. Thanks for all your help.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Compaq_Owner at 14:35:23.15 on Fri 04/17/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.793 [GMT -4:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
mWindow Title = NetLine America, Inc.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2009-04-17 14:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-17 14:33 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-17 13:52 <DIR> --d----- C:\_OTMoveIt
2009-04-17 12:53 0 a------- C:\Documents
2009-04-16 11:28 <DIR> --d----- C:\boFix
2009-04-16 09:38 <DIR> --d----- c:\program files\FileASSASSIN
2009-04-15 10:37 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-04-15 10:37 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-04-15 10:37 9,600 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-04-15 10:37 9,600 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-28 22:38 4,096 a------- c:\windows\d3dx.dat
2008-07-15 12:44 70,048 a------- c:\docume~1\compaq~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 14:35:44.57 ===============

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:22 AM

Posted 17 April 2009 - 02:02 PM

You are very welcome.

Even if you know where they are, unless you get them all at once they will be regenerated.

Everything looks good. :thumbup2:
  • Please run OTMoveIt2.
    • Click green Clean Up button.
    • Accept any prompts.
    • This will remove some of the tools we used, including OTMoveIt, and will require a reboot.
  • First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

    Optional Recommendations:
    • Your log looks clean. But your computer is still very much susceptible, in particular to hacking and intrusion from outside. If you are not behind a router I strongly advise you to install a firewall before surfing. The Windows firewall is not good enough: it provides protection from outside threats only as long as the malware is not on your system. Once malware gets onto your computer, the Windows firewall is no longer effective. You can find more information on firewalls below.
      Click for more information on: Understanding and Using Firewalls

      There are several good free programs available like:

      Sunbelt-Kerio
      (Note: You install the Sunbelt trial version, but after the trial period it will revert to the free version.)

      Online Armor Free edition
    • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
    • I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
      SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. Update it manually (if you use the free version) once in 2-3 weeks and enable the restriction.

Happy surfing!

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:22 AM

Posted 22 April 2009 - 12:09 PM

This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.

