Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

mal/spy ware and pop-ups slowing comp


  • This topic is locked This topic is locked
6 replies to this topic

#1 REINOMARK

REINOMARK

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:54 PM

Posted 11 June 2009 - 12:02 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:18 PM, on 6/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1142528435\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\unzipped\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sports.yahoo.com/fantasy;_ylt=An9Vz...vhB6UmMkJc5nYcB
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142528435\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pqerxcsqakhmc] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tkcoovphqmbknjkmi.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127163068921
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://fantasygames.mlb.com/images/crs/spl...b_teamlogos.gif

--
End of file - 9184 bytes

BC AdBot (Login to Remove)

 


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 PM

Posted 20 June 2009 - 09:41 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 REINOMARK

REINOMARK
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:54 PM

Posted 21 June 2009 - 04:49 PM

DDS (Ver_09-05-14.01) - NTFSx86
Run by MARK at 8:30:30.93 on Sat 06/20/2009
Internet Explorer: 7.0.5700.6 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.122 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1142528435\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\LimeWire\LimeWire 4.0.4\LimeWire.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Documents and Settings\MARK\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sports.yahoo.com/fantasy;_ylt=An9Vzrv1d49QwvhB6UmMkJc5nYcB
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AOL Fast Start] "c:\program files\america online 9.0a\AOL.EXE" -b
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [HostManager] c:\program files\common files\aol\1142528435\ee\AOLSoftware.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [pqerxcsqakhmc] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\tkcoovphqmbknjkmi.dll"
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127163068921
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IE Component Categories cache daemon: {553858a7-4922-4e7e-b1c1-97140c1c16ef} - c:\windows\system32\ieframe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\pxb28q0z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFie7&query=
FF - prefs.js: browser.search.selectedEngine - FireSearch
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
FF - component: c:\program files\mozilla firefox\extensions\kodak-companion@mozilla.com\platform\winnt\components\pickup.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-5-14 11608]
R2 AntiVirScheduler;Avira AntiVir Personal Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-5-14 68865]
R2 AntiVirService;Avira AntiVir Personal Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-5-14 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-5-14 52056]
S3 RmAx;RMAXUSB;c:\windows\system32\drivers\RmAx.sys [2005-10-28 40502]

=============== Created Last 30 ================

2009-06-09 19:36 <DIR> --d----- c:\docume~1\mark\applic~1\HouseCall 6.6
2009-06-08 23:38 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-08 23:37 <DIR> --d----- c:\documents and settings\mark\.housecall6.6
2009-06-04 07:04 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-06-04 07:04 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-29 16:39 48,274 a------- c:\windows\system32\njfwriaaqzamalxgq.exe
2009-05-29 15:28 <DIR> --d----- c:\program files\iPod
2009-05-29 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-29 15:27 <DIR> --d----- c:\program files\iTunes
2009-05-29 15:26 <DIR> --d----- c:\program files\Bonjour
2009-05-29 15:22 1,900,544 a------- c:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-05-18 10:53 68,593 a------- c:\windows\hpoins05.dat
2009-05-10 22:49 139,264 a------- c:\windows\system32\hpzjrd01.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 09:38 482,816 a------- c:\windows\system32\tkcoovphqmbknjkmi.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-01-01 18:41 121,064 a------- c:\docume~1\mark\applic~1\GDIPFONTCACHEV1.DAT
2008-04-30 22:31 9,728 ac-sh--- c:\program files\Thumbs.db
2007-09-25 00:22 35,704 a------- c:\docume~1\mark\applic~1\wklnhst.dat
2007-05-28 22:04 545,752 ac------ c:\program files\sgc10_rdr80_DLM_en_US.exe
2007-05-03 20:36 559,856 ac------ c:\program files\WindowsXP-KB906569-v2-x86-ENU.exe
2006-08-18 22:35 534,112 ac------ c:\program files\psa30se_ytb612_a708_DLM_en_us.exe
2005-12-02 13:53 20,921,040 ac------ c:\program files\AdbeRdr705_enu_full.exe
2005-10-27 10:05 4,878,136 ac------ c:\program files\Firefox Setup 1.0.7.exe
2005-10-27 10:04 6,034,480 ac------ c:\program files\Thunderbird Setup 1.0.7.exe
2005-10-04 08:17 353,298 ac------ c:\program files\LimeWireWin.exe
2005-09-01 10:09 10,420,936 ac------ c:\program files\xlviewer.exe
2005-06-01 17:42 7,170,500 ac------ c:\program files\atlas.rcf
2005-06-01 17:12 4,914 ac------ c:\program files\DeIsL1.isu
2005-04-08 23:37 4,985,856 ac------ c:\program files\DellPSPA521Patch_English.exe
2000-02-23 03:38 14,483 ac------ c:\program files\readme.txt
1998-08-20 09:50 804,352 ac------ c:\program files\roadie32.dll
1998-06-24 07:43 46,080 ac------ c:\program files\teaser.exe
1997-06-02 20:31 108,032 ac------ c:\program files\sh32w32.dll
1997-05-07 08:41 666,112 ac------ c:\program files\rwmath32.exe
1997-05-07 08:39 54,272 ac------ c:\program files\atmsg32.dll
1997-05-05 11:23 42,496 ac------ c:\program files\cport32.dll
1997-05-05 05:59 436,224 ac------ c:\program files\atres32.dll
1997-04-24 07:36 85,504 ac------ c:\program files\atsnd32.dll
1997-04-21 05:24 766 ac------ c:\program files\Website.ico
1997-04-10 02:23 316 ac------ c:\program files\teaser.ini
1997-04-08 10:25 83,968 ac------ c:\program files\atfio32.dll
1997-02-28 09:05 99,478 ac------ c:\program files\teaser.bmp
1997-02-26 07:30 766 ac------ c:\program files\UNRWM.ico
1997-02-26 07:14 766 ac------ c:\program files\RWM.ico
1997-01-09 11:51 54,784 ac------ c:\program files\atmidi32.dll
1996-06-17 09:14 266,240 ac------ c:\program files\msvcrt.dll
1996-06-14 14:20 74,752 ac------ c:\program files\msvcirt.dll
2008-01-03 23:17 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-29 20:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat

============= FINISH: 8:32:47.18 ===============

Attached Files



#4 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:54 PM

Posted 22 June 2009 - 03:08 AM

Hello

Step #1
OTMoveIt3
  • Download OTMoveIt3 and save it to your desktop. Then run it.
  • Copy and paste the lines in the code box below into the input field at the bottom left corner:
    :processes
    explorer.exe
    
    :files
    c:\windows\system32\njfwriaaqzamalxgq.exe
    c:\windows\system32\tkcoovphqmbknjkmi.dll
    
    :reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "pqerxcsqakhmc"=-
    
    :commands
    [EmtyTemp]
    [Start Explorer]
    [Reboot]
  • Now click the red button that says MoveIt!
  • To the right, the results show up. Copy and paste them all into a notepad file and post the notepad file in your next reply.
Step #2
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Step #3
Please post OtMoveIt log, Mbam results and a fresh DDS log back here :thumbup2:
Posted Image

#5 REINOMARK

REINOMARK
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:54 PM

Posted 23 June 2009 - 02:25 AM

OTM LOG:

========= PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\system32\njfwriaaqzamalxgq.exe moved successfully.
c:\windows\system32\tkcoovphqmbknjkmi.dll unregistered successfully.
c:\windows\system32\tkcoovphqmbknjkmi.dll moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\pqerxcsqakhmc not found.
========== COMMANDS ==========
Error: Unable to interpret <[EmtyTemp]> in the current context!
Explorer started successfully

OTM by OldTimer - Version 2.1.0.1 log created on 06222009_185602


MBAM LOG:


Malwarebytes' Anti-Malware 1.38
Database version: 2323
Windows 5.1.2600 Service Pack 3

6/22/2009 11:52:49 PM
mbam-log-2009-06-22 (23-52-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 270195
Time elapsed: 2 hour(s), 18 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99410cde-6f16-42ce-9d49-3807f78f0287} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.Search) -> Bad: (http://www.iesearch.com/) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\MARK\Start Menu\Programs\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.

Files Infected:
c:\unzipped\hijackthis\backups\backup-20090609-191137-509.dll (Adware.GooochiBiz) -> Quarantined and deleted successfully.
c:\unzipped\hijackthis\backups\backup-20090608-180947-146.dll (Adware.GooochiBiz) -> Quarantined and deleted successfully.
c:\unzipped\hijackthis\backups\backup-20090608-230520-238.dll (Adware.GooochiBiz) -> Quarantined and deleted successfully.
c:\unzipped\hijackthis\backups\backup-20090611-181524-507.dll (Adware.GooochiBiz) -> Quarantined and deleted successfully.
c:\unzipped\hijackthis\backups\backup-20090614-084657-681.dll (Adware.GooochiBiz) -> Quarantined and deleted successfully.
c:\unzipped\hijackthis\backups\backup-20090619-182449-289.dll (Adware.GooochiBiz) -> Quarantined and deleted successfully.
c:\unzipped\hijackthis\backups\backup-20090622-185139-583.dll (Adware.GooochiBiz) -> Quarantined and deleted successfully.
c:\_OTM\movedfiles\06222009_185602\windows\system32\njfwriaaqzamalxgq.exe (Adware.TheSuperAds) -> Quarantined and deleted successfully.
c:\_OTM\movedfiles\06222009_185602\windows\system32\tkcoovphqmbknjkmi.dll (Adware.GooochiBiz) -> Delete on reboot.
c:\documents and settings\MARK\start menu\Programs\bitdownload\BitDownload Downloads.lnk (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\cport32.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

NEW DDS:


DDS (Ver_09-05-14.01) - NTFSx86
Run by MARK at 0:18:12.32 on Tue 06/23/2009
Internet Explorer: 7.0.5700.6 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.250 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\AOL\1142528435\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1142528435\ee\aolsoftware.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MARK\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sports.yahoo.com/fantasy;_ylt=An9Vzrv1d49QwvhB6UmMkJc5nYcB
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AOL Fast Start] "c:\program files\america online 9.0a\AOL.EXE" -b
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [HostManager] c:\program files\common files\aol\1142528435\ee\AOLSoftware.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127163068921
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IE Component Categories cache daemon: {553858a7-4922-4e7e-b1c1-97140c1c16ef} - c:\windows\system32\ieframe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\pxb28q0z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFie7&query=
FF - prefs.js: browser.search.selectedEngine - FireSearch
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
FF - component: c:\program files\mozilla firefox\extensions\kodak-companion@mozilla.com\platform\winnt\components\pickup.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-5-14 11608]
R2 AntiVirScheduler;Avira AntiVir Personal Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-5-14 68865]
R2 AntiVirService;Avira AntiVir Personal Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-5-14 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-5-14 52056]
S3 RmAx;RMAXUSB;c:\windows\system32\drivers\RmAx.sys [2005-10-28 40502]

=============== Created Last 30 ================

2009-06-22 08:41 <DIR> --d----- c:\docume~1\mark\applic~1\Malwarebytes
2009-06-22 08:41 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 08:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-22 08:41 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 08:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 08:37 <DIR> --d----- C:\_OTM
2009-06-09 19:36 <DIR> --d----- c:\docume~1\mark\applic~1\HouseCall 6.6
2009-06-08 23:38 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-08 23:37 <DIR> --d----- c:\documents and settings\mark\.housecall6.6
2009-06-04 07:04 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-06-04 07:04 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-29 15:28 <DIR> --d----- c:\program files\iPod
2009-05-29 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-29 15:27 <DIR> --d----- c:\program files\iTunes
2009-05-29 15:26 <DIR> --d----- c:\program files\Bonjour
2009-05-29 15:22 1,900,544 a------- c:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-05-18 10:53 68,593 a------- c:\windows\hpoins05.dat
2009-05-10 22:49 139,264 a------- c:\windows\system32\hpzjrd01.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-01-01 18:41 121,064 a------- c:\docume~1\mark\applic~1\GDIPFONTCACHEV1.DAT
2008-04-30 22:31 9,728 ac-sh--- c:\program files\Thumbs.db
2007-09-25 00:22 35,704 a------- c:\docume~1\mark\applic~1\wklnhst.dat
2007-05-28 22:04 545,752 ac------ c:\program files\sgc10_rdr80_DLM_en_US.exe
2007-05-03 20:36 559,856 ac------ c:\program files\WindowsXP-KB906569-v2-x86-ENU.exe
2006-08-18 22:35 534,112 ac------ c:\program files\psa30se_ytb612_a708_DLM_en_us.exe
2005-12-02 13:53 20,921,040 ac------ c:\program files\AdbeRdr705_enu_full.exe
2005-10-27 10:05 4,878,136 ac------ c:\program files\Firefox Setup 1.0.7.exe
2005-10-27 10:04 6,034,480 ac------ c:\program files\Thunderbird Setup 1.0.7.exe
2005-10-04 08:17 353,298 ac------ c:\program files\LimeWireWin.exe
2005-09-01 10:09 10,420,936 ac------ c:\program files\xlviewer.exe
2005-06-01 17:42 7,170,500 ac------ c:\program files\atlas.rcf
2005-06-01 17:12 4,914 ac------ c:\program files\DeIsL1.isu
2005-04-08 23:37 4,985,856 ac------ c:\program files\DellPSPA521Patch_English.exe
2000-02-23 03:38 14,483 ac------ c:\program files\readme.txt
1998-08-20 09:50 804,352 ac------ c:\program files\roadie32.dll
1998-06-24 07:43 46,080 ac------ c:\program files\teaser.exe
1997-06-02 20:31 108,032 ac------ c:\program files\sh32w32.dll
1997-05-07 08:41 666,112 ac------ c:\program files\rwmath32.exe
1997-05-07 08:39 54,272 ac------ c:\program files\atmsg32.dll
1997-05-05 05:59 436,224 ac------ c:\program files\atres32.dll
1997-04-24 07:36 85,504 ac------ c:\program files\atsnd32.dll
1997-04-21 05:24 766 ac------ c:\program files\Website.ico
1997-04-10 02:23 316 ac------ c:\program files\teaser.ini
1997-04-08 10:25 83,968 ac------ c:\program files\atfio32.dll
1997-02-28 09:05 99,478 ac------ c:\program files\teaser.bmp
1997-02-26 07:30 766 ac------ c:\program files\UNRWM.ico
1997-02-26 07:14 766 ac------ c:\program files\RWM.ico
1997-01-09 11:51 54,784 ac------ c:\program files\atmidi32.dll
1996-06-17 09:14 266,240 ac------ c:\program files\msvcrt.dll
1996-06-14 14:20 74,752 ac------ c:\program files\msvcirt.dll
2008-01-03 23:17 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-29 20:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat

============= FINISH: 0:20:13.26 ===============

#6 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:54 PM

Posted 23 June 2009 - 02:50 AM

Hello :thumbup2:

Step #1 - Update Java version
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.


Step #2 - Scan computer
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #3 - Download third party firewall
Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
(At installing Zonealarm, please uncheck this option "include a ZoneAlarm Spy Blocker...". The Toolbar is not recommended... You can read more about it here.)
2) Agnitum
3) Sunbelt/Kerio
4) Comodo
(at installing Comodo, please uncheck these options: "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage". If you use another antivirus, please uncheck "Install Comodo Antivirus".)
5) Online-Armor Free

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Step #4 - Post logs and scan results
Please post Kaspersky results and a fresh DDS log back here :)
How's your PC working now?
Posted Image

#7 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:54 PM

Posted 05 July 2009 - 04:30 AM

This thread will now be closed.
If you need this topic reopened, please contact me.

This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users