Cleaning Parents' Computer of Malware


  • This topic is locked
8 replies to this topic

#1 1amagico
  • Members
  • 11 posts

Posted 28 April 2009 - 03:05 PM

My parents' Vista computer is only 6 months old but has been infected with spyware many times. I've cleaned most of it using Malwarebytes but I think there might be something I can't detect. It's pretty slow considering it's a relatively new computer, and it's not letting me turn on Windows Security Alerts.


These are the DDS logs:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Lee at 14:54:51.56 on 2009-04-28
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.949.82.1033.18.2038.933 [GMT -5:00]

FW: Sunbelt Personal Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Users\Lee\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = money.cnn.com/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080828
mStart Page = hxxp://kr.yahoo.com
mDefault_Page_URL = hxxp://kr.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [SharedApplication] c:\windows\system32\explorer.exe
dRun: [Systemhost] c:\windows\system\svchost.exe
dRun: [MyLibHelper] c:\MyLibHelper.exe
dRun: [HCHK] c:\windows\system32\hchk.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {5B535297-89E6-486E-8DA8-0C663B1981EC} - hxxp://www.cyberoro.com/download/giboview.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} - hxxp://mylibrary.barobook.com/ebookAgent/2.0.0.3/eBookAgent.ocx
DPF: {9A09EAA0-EC66-4A07-B6C8-B54C27BC94A6} - hxxp://www.allthegate.com/plugin/AGSWalletforVista.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\lee\appdata\roaming\mozilla\firefox\profiles\o95p030s.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

============= SERVICES / DRIVERS ===============

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2008-10-31 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-28 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-28 210216]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2008-8-27 27648]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
R3 DLXPDisplayName;DLXPDisplayName;c:\windows\system32\drivers\DLACPI.sys [2008-8-28 14392]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2009-4-28 65576]
R3 scskusbf;USB SCSK Filter Driver Service;c:\windows\system32\drivers\scskusbf.sys [2008-11-21 11385]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-3-4 645120]
S3 JRSUKD25;JRSUKD25;c:\windows\system32\JRSUKD25.SYS [2008-11-19 16536]
S3 scskusbs;USB SCSK Driver Service;c:\windows\system32\drivers\scskusbs.sys [2008-11-21 169109]
S4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-8-28 73728]
S4 Component Loader Ep Service;Component Loader Ep Service;c:\windows\comloadepsv.exe [2008-11-4 140800]
S4 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
S4 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
S4 TsService;TsService;c:\windows\system32\TsService.exe [2008-9-4 172032]

=============== Created Last 30 ================

2009-04-28 12:37 65,576 a------- c:\windows\system32\drivers\SbFwIm.sys
2009-04-28 12:36 <DIR> --d----- c:\program files\Sunbelt Software
2009-04-28 12:35 <DIR> --d----- c:\programdata\SiteAdvisor
2009-04-28 12:35 <DIR> --d----- c:\program files\common files\McAfee
2009-04-28 12:35 <DIR> --d----- c:\programdata\McAfee
2009-04-28 12:35 <DIR> --d----- c:\program files\McAfee
2009-04-28 12:33 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
2009-04-28 12:33 <DIR> --d----- c:\program files\SpywareBlaster
2009-04-28 12:32 <DIR> --d----- c:\program files\Trend Micro
2009-04-28 11:22 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-28 11:22 <DIR> --d----- c:\programdata\Avira
2009-04-28 11:22 <DIR> --d----- c:\program files\Avira
2009-04-28 11:22 <DIR> --d----- c:\progra~2\Avira
2009-04-24 23:58 <DIR> --d----- c:\program files\common files\DivX Shared
2009-04-16 18:08 376,832 a------- c:\windows\system32\winhttp.dll

==================== Find3M ====================

2009-04-28 12:37 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-28 12:37 51,200 a------- c:\windows\inf\infpub.dat
2009-04-28 12:37 86,016 a------- c:\windows\inf\infstor.dat
2009-04-13 00:38 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-04-13 00:38 77,824 a------- c:\windows\system32\kdfapi.dll
2009-04-13 00:38 53,248 a------- c:\windows\system32\Kdfhok.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-16 22:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 22:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 22:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-02 23:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 23:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 23:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-02 23:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-02 23:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-02 23:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 23:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-02 23:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-02 23:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-02 23:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 22:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 21:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-02 21:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-02-13 03:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 03:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-02-08 22:10 2,033,152 a------- c:\windows\system32\win32k.sys
2008-09-23 20:55 78 a------- c:\users\lee\appdata\roaming\wklnhst.dat
2008-08-28 01:20 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 21:57 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:56:34.99 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume3
Install Date: 2008-08-27 5:29:02 PM
System Uptime: 2009-04-28 12:38:58 PM (2 hours ago)

Motherboard: Dell Inc. | | 0P096C
Processor: Intel® Pentium® Dual CPU T2390 @ 1.86GHz | CPU 1 | 1867/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 134 GiB total, 95.214 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 11.526 GiB free.
E: is CDROM (CDFS)
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP239: 2009-04-20 3:58:58 PM - Scheduled Checkpoint
RP240: 2009-04-21 7:32:50 AM - Scheduled Checkpoint
RP241: 2009-04-22 10:16:27 AM - Scheduled Checkpoint
RP242: 2009-04-23 4:21:49 PM - Windows Update
RP243: 2009-04-24 3:20:59 PM - Scheduled Checkpoint
RP244: 2009-04-25 4:10:30 PM - Scheduled Checkpoint
RP245: 2009-04-26 4:38:57 AM - Scheduled Checkpoint
RP246: 2009-04-26 12:49:25 PM - Windows Update
RP247: 2009-04-27 1:24:14 AM - Scheduled Checkpoint
RP248: 2009-04-28 3:45:11 AM - Windows Update
RP249: 2009-04-28 11:17:31 AM - Removed McAfee VirusScan Enterprise
RP251: 2009-04-28 11:20:14 AM - Avira AntiVir Personal - 2009-04-28 11:20
RP252: 2009-04-28 12:36:24 PM - Installed Sunbelt Personal Firewall.
RP253: 2009-04-28 1:21:04 PM - 4/28

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1 - Korean
AGSWalletforVista
Avira AntiVir Personal - Free Antivirus
Browser Address Error Redirector
Compatibility Pack for the 2007 Office system
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide
Dell Support Center (Support Software)
DivX Web Player
EDocs
GoToAssist 8.0.0.514
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java™ 6 Update 11
Java™ 6 Update 3
Java™ 6 Update 4
Java™ 6 Update 5
Java™ 6 Update 7
Linksys Updater
Linksys Wireless Manager
Malwarebytes' Anti-Malware
McAfee SiteAdvisor
MediaButtons 4.0.0.19
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Mozilla Firefox (3.0.8)
OpenOffice.org 3.0
PowerDVD
Pure Networks Platform
Realtek Ethernet Network Card Diagnostic tool for Windows Vista
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for CAPICOM (KB931906)
SoftCamp Secure KeyStroke 4.0
Spelling Dictionaries Support For Adobe Reader 9
SpywareBlaster 4.2
Sunbelt Personal Firewall
VC80CRTRedist - 8.0.50727.762
Veoh Web Player Beta
WinZip 12.0
XecureWeb Control

==== Event Viewer Messages From Past Week ========

2009-04-28 12:43:03 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer YOUR-27E1513D96 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{73F6E9B4-8771-42B6-9AA4-EC. The master browser is stopping or an election is being forced.
2009-04-28 10:49:45 AM, Error: EventLog [6008] - The previous system shutdown at 10:29:53 AM on 2009-04-28 was unexpected.
2009-04-22 12:15:19 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Pure Networks Platform Service service to connect.
2009-04-22 12:15:19 PM, Error: Service Control Manager [7000] - The Pure Networks Platform Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2009-04-22 9:47:34 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Pure Networks Platform Service service to connect.
2009-04-22 9:47:34 AM, Error: Service Control Manager [7000] - The Pure Networks Platform Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2009-04-22 11:58:19 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Pure Networks Platform Service service to connect.
2009-04-22 11:58:19 AM, Error: Service Control Manager [7000] - The Pure Networks Platform Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:38 PM, on 2009-04-28
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [SharedApplication] C:\Windows\system32\explorer.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SharedApplication] C:\Windows\system32\explorer.exe (User 'Default user')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\DELL\DellDock\DellDock.exe (User 'Default user')
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {5B535297-89E6-486E-8DA8-0C663B1981EC} (giboView Control) - http://www.cyberoro.com/download/giboview.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} (eBookAgent Control) - http://mylibrary.barobook.com/ebookAgent/2.../eBookAgent.ocx
O16 - DPF: {9A09EAA0-EC66-4A07-B6C8-B54C27BC94A6} (AGSWallet Control) - http://www.allthegate.com/plugin/AGSWalletforVista.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 5344 bytes
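An added triage script for logs like the two above (example code written for this page, not part of the original post and not code from DDS, HijackThis or ComboFix). It pulls out the entries a helper would look at first: hosts lines that point review sites at 217.20.175.74, Run entries that start svchost.exe from c:\windows\system instead of system32 or explorer.exe from system32 instead of c:\windows, Run entries in the SYSTEM / .DEFAULT hives (the dRun lines in DDS), and EnableLUA or EnableFirewall set to 0. The canonical-path table and the "default hive" heuristic are assumptions made for the example; the sample lines are copied from the logs above, with one benign HKLM entry and one benign hosts line added for contrast.

```python
r"""Triage helper for HijackThis / DDS style log lines.

Added example for this thread, not part of the original post and not
code from DDS, HijackThis or ComboFix. It flags:
  * O1 hosts entries that point a domain at a non-loopback address;
  * Run entries that launch a well-known Windows binary name from a
    directory other than its canonical one (c:\windows\system\svchost.exe,
    c:\windows\system32\explorer.exe);
  * Run entries in the SYSTEM or Default user hive (DDS "dRun:", HJT
    HKUS\S-1-5-18 and HKUS\.DEFAULT), a heuristic: legitimate software
    rarely installs there;
  * policy lines that set EnableLUA or EnableFirewall to 0.
The canonical-directory table and the hive heuristic are assumptions.
"""
from collections import Counter
from ipaddress import ip_address
import re

# Assumed canonical locations (lower-case) for names malware likes to borrow.
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^(O4 - [^:]*Run:|[mud]Run:)\s*\[([^\]]+)\]\s*(.*)$")
PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.exe)\b', re.I)
POLICY_RE = re.compile(r'"?(EnableLUA|EnableFirewall)"?\s*=\s*(\d+)', re.I)


def _default_hive(hive: str) -> bool:
    """True for the .DEFAULT / SYSTEM hive forms DDS and HijackThis print."""
    h = hive.lower()
    return h.startswith("drun") or "s-1-5-18" in h or ".default" in h


def triage(lines):
    """Return (kind, subject, detail) tuples for every suspicious line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            addr, host = m.groups()
            try:
                loopback = ip_address(addr).is_loopback
            except ValueError:  # not an IP address at all: treat as suspicious
                loopback = False
            if not loopback:
                findings.append(("hosts_redirect", host, addr))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            pm = PATH_RE.search(cmd)
            if pm:
                path = pm.group(1).lower()
                directory, _, exe = path.rpartition("\\")
                canon = SYSTEM_BINARIES.get(exe)
                if canon and directory != canon:
                    findings.append(("masqueraded_binary", name, path))
            if _default_hive(hive):
                findings.append(("default_hive_run", name, cmd))
            continue
        m = POLICY_RE.search(line)
        if m and int(m.group(2)) == 0:
            findings.append(("policy_disabled", m.group(1), line))
    return findings


def by_kind(findings):
    """Count findings per kind, e.g. {'hosts_redirect': 2, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


# Constructed sample: lines copied from the DDS / HijackThis logs in this
# thread, plus one benign HKLM entry and one benign hosts line for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [SharedApplication] C:\Windows\system32\explorer.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
dRun: [Systemhost] c:\windows\system\svchost.exe
dRun: [HCHK] c:\windows\system32\hchk.exe
mPolicies-system: EnableLUA = 0 (0x0)
"EnableFirewall"= 0 (0x0)
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LINES):
        print(f"{kind:20} {subject:20} {detail}")
    print(by_kind(triage(SAMPLE_LINES)))
```

Run it directly to print the findings for the embedded sample, or pass the lines of any DDS or HijackThis log to triage(). Treat the output as a shortlist for a human, not a verdict: a hosts entry that legitimately points at a non-loopback address (an intranet name, say) is listed too, and a Run entry in the default hive is only a reason to look closer.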

#2 Farbar
    Just Curious
  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 April 2009 - 03:36 PM

Hi 1amagico,

The malware on this computer is different than yours. The important step is to run ComboFix.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.

Please include in your next reply:
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.

Regards,
farbar


#3 1amagico
  • Topic Starter
  • Members
  • 11 posts

Posted 28 April 2009 - 06:18 PM

The first time I ran ComboFix, it said that it deleted one file at the start. I don't remember the exact name, but it was in the C:/Windows directory and was an .exe file. It began running, but after it completed Stage 31, my system crashed and I saw the blue screen.

So I tried running it again in Safe Mode, and it was fine. The log is below.

Then, just to see if it was still a problem, I tried running it again in Normal Mode, but it crashed my system soon after starting, even before it completed any Stages.



ComboFix 09-04-28.02 - Lee 2009-04-28 16:21.2 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.949.82.1033.18.2038.1742 [GMT -5:00]
Running from: c:\users\Lee\Desktop\ComboFix.exe
FW: Sunbelt Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\sss.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-28 17:37 . 2008-06-21 09:54 65576 ----a-w c:\windows\system32\drivers\SbFwIm.sys
2009-04-28 17:36 . 2009-04-28 17:36 -------- d-----w c:\program files\Sunbelt Software
2009-04-28 17:35 . 2009-04-28 17:35 -------- d-----w c:\programdata\SiteAdvisor
2009-04-28 17:35 . 2009-04-28 17:35 -------- d-----w c:\users\All Users\SiteAdvisor
2009-04-28 17:35 . 2009-04-28 17:35 -------- d-----w c:\program files\Common Files\McAfee
2009-04-28 17:35 . 2009-04-28 17:39 -------- d-----w c:\program files\McAfee
2009-04-28 17:35 . 2009-04-28 17:35 -------- d-----w c:\programdata\McAfee
2009-04-28 17:35 . 2009-04-28 17:35 -------- d-----w c:\users\All Users\McAfee
2009-04-28 17:33 . 2005-08-26 00:18 118784 ----a-w c:\windows\system32\MSSTDFMT.DLL
2009-04-28 17:33 . 2009-04-28 17:34 -------- d-----w c:\program files\SpywareBlaster
2009-04-28 17:32 . 2009-04-28 17:32 -------- d-----w c:\program files\Trend Micro
2009-04-28 16:22 . 2009-04-28 16:26 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-28 16:22 . 2009-04-28 16:22 -------- d-----w c:\programdata\Avira
2009-04-28 16:22 . 2009-04-28 16:22 -------- d-----w c:\users\All Users\Avira
2009-04-28 16:22 . 2009-04-28 16:22 -------- d-----w c:\program files\Avira
2009-04-25 04:58 . 2009-04-25 04:58 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-19 20:10 . 2009-04-19 20:10 0 ----a-w c:\windows\nsreg.dat
2009-04-19 20:10 . 2009-04-19 20:10 -------- d-----w c:\users\Lee\AppData\Local\Mozilla
2009-04-17 00:39 . 2009-03-03 04:40 827392 ----a-w c:\windows\system32\wininet.dll
2009-04-17 00:39 . 2009-03-03 02:28 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-04-17 00:39 . 2009-03-03 04:37 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-16 23:08 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 17:37 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-28 17:37 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-04-28 17:37 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-28 17:23 . 2009-03-10 00:29 -------- d-----w c:\program files\Trojan Remover
2009-04-26 18:10 . 2008-12-22 01:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 04:58 . 2009-03-03 03:22 -------- d-----w c:\program files\DivX
2009-04-13 05:38 . 2008-11-22 22:06 77824 ----a-w c:\windows\system32\kdfapi.dll
2009-04-13 05:38 . 2008-11-22 22:06 53248 ----a-w c:\windows\system32\Kdfhok.dll
2009-04-13 05:38 . 2008-11-22 22:06 192512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-04-06 20:32 . 2008-12-22 01:12 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-12-22 01:10 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 14:25 . 2008-12-22 02:43 -------- d-----w c:\program files\Common Files\Adobe
2009-03-17 03:38 . 2009-04-17 01:01 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-17 01:01 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 01:01 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-11 18:31 . 2009-03-11 18:31 -------- d-----w c:\program files\Veoh Networks
2009-03-10 12:41 . 2009-03-10 12:41 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-10 05:00 . 2008-08-28 03:40 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 00:36 . 2009-03-10 00:36 -------- d-----w c:\program files\Enigma Software Group
2009-03-10 00:36 . 2009-03-10 00:36 0 ----a-w c:\windows\system32\SBRC.dat
2009-03-10 00:36 . 2009-03-10 00:36 0 ----a-w c:\windows\system32\SBFC.dat
2009-03-10 00:13 . 2009-03-10 00:13 -------- d-----w c:\program files\Aegis Hyosung inc
2009-03-09 23:35 . 2008-12-05 04:37 -------- d-----w c:\program files\Yahoo!
2009-03-05 02:46 . 2009-02-17 03:11 -------- d-----w c:\program files\Linksys
2009-03-05 02:45 . 2009-03-05 02:45 -------- d-----w c:\program files\Common Files\Pure Networks Shared
2009-03-03 04:46 . 2009-04-17 01:01 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 01:01 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-17 01:01 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 01:01 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 01:01 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 01:01 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 01:01 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 01:01 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 01:01 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 01:01 17408 ----a-w c:\windows\system32\iashost.exe
2009-02-17 03:29 . 2008-09-03 18:23 69976 ----a-w c:\users\Lee\AppData\Local\GDIPFONTCACHEV1.DAT
2009-02-16 22:13 . 2008-09-08 05:55 5972 ----a-w c:\users\Lee\AppData\Local\d3d9caps.dat
2009-02-13 08:49 . 2009-04-17 01:01 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-17 01:01 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-10 23:18 2033152 ----a-w c:\windows\system32\win32k.sys
2008-01-21 02:57 . 2006-11-02 12:48 174 --sha-w c:\program files\desktop.ini
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-08-28 06:16 . 2008-08-28 06:15 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-09-14 648488]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2008-12-05 1350192]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-28 03:52 10536 ----a-w c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\startupfolder\C:^Users^Lee^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Lee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Lee^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\Lee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{93E755B9-8CFB-4DB8-A15B-AE038B9ABCF1}"= c:\program files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{76BD5DA1-54FA-45EC-A863-5381E4BAA4F1}"= c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"{64697A5B-415B-4605-A9F5-8B59528FBF2E}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{584479D1-5FBB-46A2-B7F8-08A09C924E6A}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{6B612EE5-B1FC-4169-A50E-B477A4AB6774}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{4764EB08-D8A6-4896-8B98-011D35BA1F92}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"TCP Query User{E1C0A82F-F62F-4EA1-9B5C-FE4587F2A32C}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{8D85E64B-AEA9-4348-A2E0-35F7F19BF28A}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{3EBC2271-41DA-4315-9663-AD78C688D878}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{5A1C595B-C97B-4530-8A79-AB03BD601944}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{E649AE44-E426-4FA0-96D6-8789C28F2B76}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{D83D4D9D-4D8A-42ED-9CF4-9B7C248BFE23}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{E4C24A06-C622-4092-978E-21F9112A4D5A}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{08265FE3-B2F5-4027-99CB-0D9FFD10D08A}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"TCP Query User{1EFACA88-B2C6-4B69-8AA6-FEDA5021EBFE}c:\\program files\\andu\\andu plus\\bin\\andup2p.exe"= UDP:c:\program files\andu\andu plus\bin\andup2p.exe:AnduP2P
"UDP Query User{8D6B6BAC-4D3E-4AB4-9ADE-F2876BDEE58B}c:\\program files\\andu\\andu plus\\bin\\andup2p.exe"= TCP:c:\program files\andu\andu plus\bin\andup2p.exe:AnduP2P
"{CADDDD13-94CB-413C-8A9F-85F7AE382D8C}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{DB72E353-CC54-40ED-9F0E-B0BBC8ED3DF3}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-06-21 66600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-28 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-05-08 27648]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-10-31 1365288]
R3 JRSKD24;JRSKD24; [x]
R3 JRSUKD25;JRSUKD25;c:\windows\system32\JRSUKD25.SYS [2008-11-20 16536]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\sbfwim.sys [2008-06-21 65576]
R3 scskusbs;USB SCSK Driver Service;c:\windows\system32\drivers\scskusbs.sys [2008-12-03 169109]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\DRIVERS\WUSB54GCv3.sys [2008-12-04 645120]
R4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-04-16 73728]
R4 Component Loader Ep Service;Component Loader Ep Service;c:\windows\comloadepsv.exe [2008-11-04 140800]
R4 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
R4 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R4 TsService;TsService;c:\windows\system32\TsService.exe [2008-07-17 172032]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2008-10-31 270888]
S3 DLXPDisplayName;DLXPDisplayName;c:\windows\system32\DRIVERS\DLACPI.sys [2008-04-16 14392]
S3 scskusbf;USB SCSK Filter Driver Service;c:\windows\system32\drivers\scskusbf.sys [2008-12-03 11385]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
HKU-Default-Run-SharedApplication - c:\windows\system32\explorer.exe
HKU-Default-Run-Systemhost - c:\windows\system\svchost.exe
HKU-Default-Run-MyLibHelper - c:\MyLibHelper.exe
HKU-Default-Run-HCHK - c:\windows\system32\hchk.exe


.
------- Supplementary Scan -------
.
uStart Page = money.cnn.com/
mStart Page = hxxp://kr.yahoo.com
DPF: {5B535297-89E6-486E-8DA8-0C663B1981EC} - hxxp://www.cyberoro.com/download/giboview.cab
DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} - hxxp://mylibrary.barobook.com/ebookAgent/2.0.0.3/eBookAgent.ocx
DPF: {9A09EAA0-EC66-4A07-B6C8-B54C27BC94A6} - hxxp://www.allthegate.com/plugin/AGSWalletforVista.cab
FF - ProfilePath - c:\users\Lee\AppData\Roaming\Mozilla\Firefox\Profiles\o95p030s.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 16:26
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"

[HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
Completion time: 2009-04-28 16:27
ComboFix-quarantined-files.txt 2009-04-28 21:27

Pre-Run: 103,235,223,552 bytes free
Post-Run: 103,609,978,880 bytes free

254 --- E O F --- 2009-04-28 08:46

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오후 6:13:59, on 2009-04-28
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\DELL\DellDock\DellDock.exe (User 'Default user')
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {5B535297-89E6-486E-8DA8-0C663B1981EC} (giboView Control) - http://www.cyberoro.com/download/giboview.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} (eBookAgent Control) - http://mylibrary.barobook.com/ebookAgent/2.../eBookAgent.ocx
O16 - DPF: {9A09EAA0-EC66-4A07-B6C8-B54C27BC94A6} (AGSWallet Control) - http://www.allthegate.com/plugin/AGSWalletforVista.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 4834 bytes

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:57 AM

Posted 28 April 2009 - 06:37 PM

Well done :thumbup2:
  • Download HostsXpert.zip
    • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
    • Double-click HostsXpert.exe to run the program.
    • Click "Make Hosts Writable?" in the upper right corner (If available).
    • Click "Restore Microsoft's Hosts file" and then click "OK".
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Please copy and paste a fresh Hijackthis log to your reply and tell me how the computer is running.
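The O1 lines in the log above show the pattern the HostsXpert step undoes: a long list of review and download sites all pinned to one public address, so the browser never reaches the real site. As an added example that is not part of this thread, the Python checker below parses HijackThis "O1 - Hosts:" lines (or a raw hosts file) and flags that pattern; the sample input is constructed from the entries posted above plus two harmless lines to show what is not flagged.

```python
"""Flag hosts-file hijacks of the kind shown in the HijackThis log above.

Added example, not part of the thread. Accepts either HijackThis "O1 - Hosts:"
lines or raw hosts-file lines and reports public addresses that hostnames have
been pinned to; several hostnames on one public address is the mass-redirect
pattern seen in the posted log.
"""
import ipaddress
import re
from collections import defaultdict

# HijackThis prints every non-default hosts entry as "O1 - Hosts: <address> <hostname>".
O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Sample input constructed from the O1 lines posted in this thread, plus a
# loopback entry and a LAN printer entry to show what is NOT flagged.
SAMPLE_LOG = """\
O1 - Hosts: ::1 localhost
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
192.168.1.10 printer.lan   # plain hosts-file syntax is accepted too
"""


def parse_entries(text):
    """Return (address, hostname) pairs from HijackThis O1 lines or raw hosts-file lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = O1_LINE.match(line)
        if match:
            entries.append((match.group(1), match.group(2).lower()))
            continue
        # Raw hosts-file syntax: "<address> <hostname> [<alias> ...] [# comment]"
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for host in fields[1:]:
                entries.append((fields[0], host.lower()))
    return entries


def is_expected_target(address):
    """Loopback, unspecified, link-local and private addresses are the normal content of a hosts file."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP address at all: treat as unexpected
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local or addr.is_private


def find_hijacks(text, min_hosts=3):
    """Group hostnames by target address and return the public targets worth investigating.

    Each finding is a dict with the address, the sorted hostnames pinned to it and
    the reasons it was flagged. Every public target is reported; one that collects
    at least `min_hosts` hostnames also gets the "mass redirect" reason.
    """
    hosts_by_address = defaultdict(set)
    for address, host in parse_entries(text):
        hosts_by_address[address].add(host)

    findings = []
    for address, hosts in sorted(hosts_by_address.items()):
        if is_expected_target(address):
            continue
        reasons = ["hostname resolved to an address outside the local machine or LAN"]
        if len(hosts) >= min_hosts:
            reasons.append("%d hostnames pinned to one address (mass redirect)" % len(hosts))
        findings.append({"address": address, "hosts": sorted(hosts), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_LOG):
        print(finding["address"], "<-", ", ".join(finding["hosts"]))
        for reason in finding["reasons"]:
            print("   ", reason)
```

A clean Windows hosts file yields no findings, which is the state the "Restore Microsoft's Hosts file" step above leaves the machine in.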


#5 1amagico

1amagico
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:57 PM

Posted 28 April 2009 - 09:10 PM

It's allowing me to turn on Windows Security Alerts again, and I don't see any overt signs of infection.

Does this log indicate any remaining problems?



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오후 6:13:59, on 2009-04-28
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\DELL\DellDock\DellDock.exe (User 'Default user')
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {5B535297-89E6-486E-8DA8-0C663B1981EC} (giboView Control) - http://www.cyberoro.com/download/giboview.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} (eBookAgent Control) - http://mylibrary.barobook.com/ebookAgent/2.../eBookAgent.ocx
O16 - DPF: {9A09EAA0-EC66-4A07-B6C8-B54C27BC94A6} (AGSWallet Control) - http://www.allthegate.com/plugin/AGSWalletforVista.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 4834 bytes

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:57 AM

Posted 29 April 2009 - 02:17 AM

Does this log indicate any remaining problems?


Yes it does, because this log is the same log you have posted before those fixes. :thumbup2:
Please post a fresh log.

#7 1amagico

1amagico
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:57 PM

Posted 29 April 2009 - 09:10 AM

That was strange... For some reason each time I did a scan, HijackThis wasn't updating the log.

The log file would open for me to view, but it was the same one from before. Even though the program showed O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) to be deleted.

I tried renaming hijackthis.txt to hijackthis1.txt, but then after it scanned, the new log was completely blank.

So I re-installed HJT and it was working again.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오전 8:09:53, on 2009-04-29
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\DELL\DellDock\DellDock.exe (User 'Default user')
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} (eBookAgent Control) - http://mylibrary.barobook.com/ebookAgent/2.../eBookAgent.ocx
O16 - DPF: {9A09EAA0-EC66-4A07-B6C8-B54C27BC94A6} (AGSWallet Control) - http://www.allthegate.com/plugin/AGSWalletforVista.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 3567 bytes

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:57 AM

Posted 29 April 2009 - 10:09 AM

Everything looks good. :thumbup2:


Go to start > run and copy and paste or type the next command in the field, then hit enter:

ComboFix /u

Note: There's a space between Combofix and /

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore.

The first reboot might be a little slow, the next one will be faster.

Please let me know if Combofix uninstalled properly.

I hope your parents enjoy surfing.

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:57 AM

Posted 04 May 2009 - 10:42 AM

This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.

