
Infected with nasty Malware "Antivirus System Pro"


  • This topic is locked
48 replies to this topic

#1 jbandtbone

jbandtbone

  • Members
  • 90 posts

Posted 21 June 2009 - 12:51 PM

I'm posting this from my laptop, because I can't stay on your site or any other site with the PC that is infected. It keeps changing, stating "Internet Explorer Warning - visiting this web site may harm your computer", etc. I've been looking in the malware removal guides area and have tried to download Malwarebytes Anti-Malware to remove this thing that has hijacked my PC. It won't let me download, so I put it on a flash card and got it installed on the PC, but now it won't run on the PC. I've tried Spybot and others, but nothing will open and run. I'm real close to doing a complete re-install of XP, but I really don't want to. I looked in the System Configuration Utility and found "Id08.exe and Sysguard.exe" in the Startup tab, removed the checks and rebooted. I'm somewhat computer smart, but obviously stupid. Could use some help with this. Also, in my searching for help I've read that Id08.exe is really nasty and could have compromised my banking and credit card sites. I disabled my internet connection as soon as the hijacking started and have not tried to get on any sensitive websites since. Oh, my ZoneAlarm failed me once again, as it was up and running when this started. I can't get a HJT log because it won't run either. Anything that can help me would be appreciated. I got the DDS log to work.


DDS (Ver_09-05-14.01) - NTFSx86
Run by jbandt at 13:05:09.34 on Sun 06/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2626 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\PROGRA~1\Webshots\webshots.scr
svchost
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe
C:\Documents and Settings\jbandt\Application Data\U3\026623163E41477D\LaunchPad.exe
K:\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = localhost
uURLSearchHooks: N/A: {be89472c-b803-4d1d-9a9a-0a63660e0fe3} - c:\progra~1\copern~1\COPERN~1.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BHO: {26070ad0-cf3e-49be-8c83-85a63bfd36d5} - c:\windows\system32\iehelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
EB: Copernic Agent Results: {6f480f82-c3a6-4d35-96f7-b297ad49fbe8} - c:\program files\copernic agent\CopernicAgentExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [DLCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCJtime.dll,_RunDLLEntry@16
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\jbandt\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
Trusted Zone: 1stpeoplesbank.com\www
Trusted Zone: 1stpeoplesbankhb.com\www
Trusted Zone: excite.com\registration
Trusted Zone: excite.com\www
Trusted Zone: grc.com\www
Trusted Zone: keithandschnars.com\www
Trusted Zone: live.com\bl145w.blu145.mail
Trusted Zone: live.com\login
Trusted Zone: live.com\mail
Trusted Zone: msn.com\www
Trusted Zone: onlinecreditcenter6.com\www
Trusted Zone: sirius.com\www
Trusted Zone: state.fl.us\fdotnfuse.dot
Trusted Zone: techguy.org\www
Trusted Zone: virusvault.co.uk\www
Trusted Zone: yahoo.com\att.my
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://fdotnfuse.dot.state.fl.us/Citrix/ICAWEB/en/ica32/wficat.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://pbells.broadjump.com/wizlet/iw60/static/controls/WebflowActiveXInstaller_4-0-0.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://smartbalance.coupons.smartsource.com/download/cscmv5X.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120083437937
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121730826828
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://doliver.earthcam.net/viewer/AMC.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8D3314D6-5914-46C1-9F3D-9F14B6A305F1} - hxxp://www.mytpi.com/mytpi05/eval/ectuploader.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://hgtv1.view22.com/view22/app/view22rte.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - hxxps://livewc01.custhelp.com/7550-b415h-quickenmedical/rnl/java/RntX.cab
DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} - hxxp://fdl.msn.com/public/investor/v13/ticker.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://www.paslc.org/acgm/f2_acgm.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
TCP: NameServer = 85.255.112.194,85.255.112.125
TCP: {23473EEF-A2C0-490E-A49D-93A5EB42419F} = 85.255.112.194,85.255.112.125
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\copern~1\COPERN~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R3 NmPar;Unusable Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-7-31 80512]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-7-31 70016]
S2 gupdate1c9c9186781a4fc;Google Update Service (gupdate1c9c9186781a4fc);c:\program files\google\update\GoogleUpdate.exe [2009-4-29 133104]
S3 A4S2600;A4S2600;c:\windows\system32\drivers\a4s2600.sys --> c:\windows\system32\drivers\A4S2600.sys [?]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2006-3-16 36960]
S3 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe --> c:\progra~1\mcafee.com\agent\mctskshd.exe [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe --> c:\progra~1\mcafee.com\agent\mcupdmgr.exe [?]
S3 NDMSHLP;Device Monitor Helper Driver;c:\program files\common files\hhd software\device monitor\NDMSHLP.sys [2005-5-24 7632]
S3 SerMon;Serial Monitor Filter Driver;c:\program files\hhd software\free serial port monitor\sermon.sys [2005-5-24 18432]
S4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe --> c:\program files\mcafee.com\agent\mcdetect.exe [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-06-18 21:25 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-18 21:25 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 22:38 <DIR> --d----- c:\docume~1\jbandt\applic~1\AVG8
2009-06-15 19:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 19:04 10,752 -------- c:\windows\system32\iehelper.dll
2009-06-14 18:54 <DIR> --d----- c:\windows\system32\796525
2009-06-14 18:54 308,240 -------- c:\windows\sysguard.exe
2009-06-14 18:54 25,088 ----h--- c:\windows\ld08.exe
2009-06-14 18:53 112,644 -------- c:\windows\msa.exe

==================== Find3M ====================

2009-06-11 21:12 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-13 19:04 34 -------- c:\documents and settings\jbandt\jagex_runescape_preferences.dat
2008-07-17 18:23 134,784 -------- c:\docume~1\jbandt\applic~1\GDIPFONTCACHEV1.DAT
2008-02-15 00:17 54,134 -------- c:\program files\INSTALL.LOG
2005-12-24 22:11 3,932 -------- c:\docume~1\jbandt\applic~1\LMLayout.dat
2005-12-24 22:11 268 -------- c:\docume~1\jbandt\applic~1\LMCPaper.dat
2008-08-31 10:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083120080901\index.dat

============= FINISH: 13:06:45.32 ===============
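The DDS report above already carries the indicators the MBAM scan later in this thread confirms: a hard-coded NameServer pointing at two public addresses, a BHO registered under the generic name "BHO" whose DLL also appears in the Created Last 30 list, and executables dropped straight into C:\WINDOWS, one of them with the hidden attribute. The script below is an added example, not part of the original post and not the DDS tool's own code; it re-implements those cross-checks in Python over a constructed excerpt of the log above. The rule that a legitimate resolver sits in a private, loopback or link-local range is an assumption about a home LAN that gets DNS from its router and would need adjusting for a host that legitimately uses a public resolver.

```python
"""Cross-check a DDS "Pseudo HJT Report" the way a removal helper reads it.

Added example, not the DDS tool's code.  SAMPLE is a constructed excerpt of
the log posted above; the private/loopback test for DNS servers assumes a
home LAN whose resolver is the router (adjust for hosts that legitimately
use a public resolver).
"""
import ipaddress
import re

SAMPLE = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BHO: {26070ad0-cf3e-49be-8c83-85a63bfd36d5} - c:\windows\system32\iehelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
TCP: NameServer = 85.255.112.194,85.255.112.125
TCP: {23473EEF-A2C0-490E-A49D-93A5EB42419F} = 85.255.112.194,85.255.112.125
2009-06-18 21:25 38,160 a------- c:\windows\system32\drivers\mbam.sys
2009-06-14 19:04 10,752 -------- c:\windows\system32\iehelper.dll
2009-06-14 18:54 <DIR> --d----- c:\windows\system32\796525
2009-06-14 18:54 308,240 -------- c:\windows\sysguard.exe
2009-06-14 18:54 25,088 ----h--- c:\windows\ld08.exe
2009-06-14 18:53 112,644 -------- c:\windows\msa.exe
"""

BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9a-fA-F-]+)\} - (?P<path>.+)$")
DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (?P<servers>.+)$")
# "<date> <time> <size or <DIR>> <8 attribute flags> <path>"; DDS flags include a/d/s/h
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?:<DIR>|[\d,]+) "
    r"(?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
SYSTEM_ROOT = "c:\\windows"


def is_local_resolver(server):
    """Assumption: a legitimate resolver on this LAN is private, loopback or link-local."""
    try:
        ip = ipaddress.ip_address(server.strip())
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def recent_files(lines):
    """Map lower-cased path -> attribute flags for every 'Created Last 30' entry."""
    return {m["path"].lower(): m["attrs"] for m in map(CREATED_RE.match, lines) if m}


def triage(report):
    """Return (reason, line) pairs for the indicators worth a second look."""
    lines = [ln for ln in report.strip().splitlines() if ln.strip()]
    recent = recent_files(lines)
    findings = []
    for line in lines:
        if m := DNS_RE.match(line):
            # a statically set NameServer on a DHCP home machine is itself unusual;
            # one pointing outside the LAN is the DNS-changer pattern
            foreign = [s for s in m["servers"].split(",") if not is_local_resolver(s)]
            if foreign:
                findings.append(("static DNS servers outside the LAN: " + ",".join(foreign), line))
        elif m := BHO_RE.match(line):
            if m["name"].strip().lower() in ("", "bho"):
                findings.append(("BHO registered without a descriptive name", line))
            if m["path"].lower() in recent:
                findings.append(("BHO loads a DLL created in the last 30 days", line))
        elif m := CREATED_RE.match(line):
            path, attrs = m["path"].lower(), m["attrs"]
            parent, _, leaf = path.rpartition("\\")
            is_dir = "d" in attrs
            if "h" in attrs:
                findings.append(("hidden attribute set on a newly created file", line))
            if not is_dir and parent == SYSTEM_ROOT and leaf.endswith(".exe"):
                findings.append(("executable dropped directly in %SystemRoot%", line))
            if is_dir and parent == SYSTEM_ROOT + "\\system32" and leaf.isdigit():
                findings.append(("numeric-named folder created under system32", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE):
        print(f"[{reason}]\n    {line}")
```

On the excerpt this reports nine findings: both NameServer lines, the iehelper.dll BHO twice (generic name, and a DLL that is only days old), the numeric folder under system32, and the three executables dropped into C:\WINDOWS, with ld08.exe flagged a second time for its hidden attribute. mbam.sys, ctfmon.exe and the Adobe BHO pass untouched, which is the point of cross-referencing load points against the recently-created list rather than flagging every BHO.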


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 23 June 2009 - 05:45 PM

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

*********


If MBAM will not install, please rename the installer mbam-setup.exe. Example: newtool.exe
Proceed installing the renamed installer of MBAM.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\) then rename mbam.exe to newtool.exe, and double click newtool.exe to proceed in running a quick scan.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jbandtbone

jbandtbone
  • Topic Starter

  • Members
  • 90 posts

Posted 23 June 2009 - 08:26 PM

Thank you for your help. Here are the logs you asked for. I had to rename mbam to get it to run.
One other thing: I thought that my ZoneAlarm program was stopping malware from running, so I had completely removed it; after reboot the Windows Security Alert icon notified me that no virus protection was found. I'm still posting from a clean laptop until I know if I have that backdoor trojan on my PC. Thanks again!

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
ESETOnlineScanner
McAfeeShredder
McAfeeShredder
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 5
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took 55 seconds.
`````````End of Log```````````




Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/23/2009 9:07:10 PM
mbam-log-2009-06-23 (21-07-10).txt

Scan type: Quick Scan
Objects scanned: 94137
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\SYSTEM32\MSIVXvmwvmkxaagshewkvvilxdnsoorewkupy.dll (Spyware.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26070ad0-cf3e-49be-8c83-85a63bfd36d5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{26070ad0-cf3e-49be-8c83-85a63bfd36d5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{26070ad0-cf3e-49be-8c83-85a63bfd36d5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.194,85.255.112.125 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{23473eef-a2c0-490e-a49d-93a5eb42419f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.194,85.255.112.125 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.194,85.255.112.125 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{23473eef-a2c0-490e-a49d-93a5eb42419f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.194,85.255.112.125 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.194,85.255.112.125 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{23473eef-a2c0-490e-a49d-93a5eb42419f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.194,85.255.112.125 -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\SYSTEM32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
\\?\globalroot\systemroot\SYSTEM32\MSIVXvmwvmkxaagshewkvvilxdnsoorewkupy.dll (Spyware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\WBEM\proquota.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 23 June 2009 - 09:27 PM

Hi jbandtbone,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java SE Runtime Environment 6 Update 1
    Java 6 Update 5
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.
I notice that you never scanned with an antivirus previously before starting this thread, because you don't even have an antivirus installed.
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!

Please install Avira Antivirus: http://www.free-av.com/
This is a free antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense for us to clean this up manually if an antivirus is not present that should be able to deal with most of it and prevent further reinfection.

Also post a fresh DDS log.

Also post a fresh DDS log.

Edited by SifuMike, 23 June 2009 - 10:16 PM.


#5 jbandtbone

jbandtbone
  • Topic Starter

  • Members
  • 90 posts

Posted 23 June 2009 - 09:47 PM

The Java download you wanted me to download isn't there, but this one is: "Windows Offline Installation jre-6u14-windows-i586.exe". Should I download it? Also, I got my ZoneAlarm back on the PC and am running a deep scan now. I'm on the infected PC now.

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 23 June 2009 - 10:15 PM

Yes, download and install it.

Post the ZoneAlarm antivirus log when it completes.

Edited by SifuMike, 23 June 2009 - 10:19 PM.


#7 jbandtbone

jbandtbone
  • Topic Starter

  • Members
  • 90 posts

Posted 23 June 2009 - 10:22 PM

Will do, but it will be tomorrow. Got to get up by 5am Eastern; be back on by 5pm. Thanks so much. PC seems to be alright. ZoneAlarm still scanning, but has 1 infection so far.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 23 June 2009 - 10:32 PM

That's OK. Real life comes first. LOL

#9 jbandtbone

jbandtbone
  • Topic Starter

  • Members
  • 90 posts

Posted 24 June 2009 - 04:46 PM

OK, Java has been updated; old versions deleted.
I could not get HJT to run; it showed up in the Task Manager but nothing happened.
Here is the ZA log:

ZoneAlarm Logging Client v8.0.400.020
Windows XP-5.1.2600-Service Pack 3-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
PE,2009/06/23,22:15:52 -4:00 GMT,Internet Explorer,C:\Program Files\Internet Explorer\iexplore.exe,127.0.0.1:1072,N/A
PE,2009/06/23,22:15:52 -4:00 GMT,Internet Explorer,C:\Program Files\Internet Explorer\iexplore.exe,208.43.87.2:80,N/A
AV/update,2009/06/23,22:16:58 -4:00 GMT,,Update Install Completed,Manual
FWOUT,2009/06/23,22:17:42 -4:00 GMT,192.168.1.64:1094,199.7.71.190:80,TCP (flags:S)
,2009/06/23,22:18:16 -4:00 GMT,
ZLUpdate,2009/06/23,22:18:18 -4:00 GMT,,,Manual
LOCK,2009/06/23,22:19:18 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
AV/treatment,2009/06/23,22:19:38 -4:00 GMT,,\\?\globalroot\systemroot\system32\msivxvmwvmkxaagshewkvvilxdnsoorewkupy.dll,Infected,Manual
,2009/06/23,22:19:38 -4:00 GMT,
LOCK,2009/06/23,22:20:12 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/23,22:20:12 -4:00 GMT,Generic Host Process for Win32 Services,,N/A
LOCK,2009/06/23,23:24:54 -4:00 GMT,Generic Host Process for Win32 Services,239.255.255.250,N/A
LOCK,2009/06/23,23:24:56 -4:00 GMT,Generic Host Process for Win32 Services,,N/A
LOCK,2009/06/23,23:25:02 -4:00 GMT,Generic Host Process for Win32 Services,127.0.0.1,N/A
LOCK,2009/06/23,23:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/23,23:35:26 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,00:08:52 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,00:08:52 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,00:18:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,00:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,00:50:08 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,01:08:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,01:18:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
AV/scan,2009/06/24,01:22:06 -4:00 GMT,Multiple Files,Scan Completed,Manual
LOCK,2009/06/24,01:23:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,01:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,01:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,01:33:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,01:35:18 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,02:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,02:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,02:33:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,02:35:30 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,03:08:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,03:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,03:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,03:50:12 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,04:13:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,04:18:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,04:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,04:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,04:50:24 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,05:23:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,05:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,05:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,05:33:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,06:05:06 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,06:23:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,06:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,06:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,06:38:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,07:05:16 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,07:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,07:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,07:33:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,07:38:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,08:05:28 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,08:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,08:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,08:38:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,08:43:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,09:20:10 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,09:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,09:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,09:43:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,09:53:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,10:20:22 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,10:21:10 -4:00 GMT,Internet Explorer,127.0.0.1,N/A
PE,2009/06/24,10:22:30 -4:00 GMT,Generic Host Process for Win32 Services,C:\WINDOWS\SYSTEM32\svchost.exe,0.0.0.0:135,N/A
,2009/06/24,10:22:44 -4:00 GMT,
LOCK,2009/06/24,10:35:12 -4:00 GMT,Generic Host Process for Win32 Services,239.255.255.250,N/A
LOCK,2009/06/24,10:35:14 -4:00 GMT,Generic Host Process for Win32 Services,,N/A
LOCK,2009/06/24,10:35:20 -4:00 GMT,Generic Host Process for Win32 Services,127.0.0.1,N/A
LOCK,2009/06/24,10:35:26 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,10:38:10 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,11:38:10 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,11:50:08 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,12:23:58 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,12:28:58 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,12:38:10 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,12:50:18 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,13:23:58 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,13:33:58 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,13:38:10 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,13:38:58 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,13:50:30 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,14:23:58 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,14:38:10 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,14:43:58 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,15:05:12 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,15:13:58 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,15:23:58 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,15:38:10 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,15:53:58 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,16:05:24 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,16:23:58 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,16:28:58 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.89,N/A
LOCK,2009/06/24,16:34:08 -4:00 GMT,Generic Host Process for Win32 Services,255.255.255.255,N/A
LOCK,2009/06/24,16:34:12 -4:00 GMT,Generic Host Process for Win32 Services,,N/A
AV/treatment,2009/06/24,16:44:12 -4:00 GMT,,\\?\globalroot\systemroot\system32\msivxvmwvmkxaagshewkvvilxdnsoorewkupy.dll,Infected,Manual
,2009/06/24,16:44:12 -4:00 GMT,


DDS log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by jbandt at 17:37:39.76 on Wed 06/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2597 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\jbandt\Application Data\U3\026623163E41477D\LaunchPad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
K:\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = localhost
uURLSearchHooks: N/A: {be89472c-b803-4d1d-9a9a-0a63660e0fe3} - c:\progra~1\copern~1\COPERN~1.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Copernic Agent Results: {6f480f82-c3a6-4d35-96f7-b297ad49fbe8} - c:\program files\copernic agent\CopernicAgentExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [DLCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCJtime.dll,_RunDLLEntry@16
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\jbandt\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: 1stpeoplesbank.com\www
Trusted Zone: 1stpeoplesbankhb.com\www
Trusted Zone: excite.com\registration
Trusted Zone: excite.com\www
Trusted Zone: grc.com\www
Trusted Zone: keithandschnars.com\www
Trusted Zone: live.com\bl145w.blu145.mail
Trusted Zone: live.com\login
Trusted Zone: live.com\mail
Trusted Zone: msn.com\www
Trusted Zone: onlinecreditcenter6.com\www
Trusted Zone: sirius.com\www
Trusted Zone: state.fl.us\fdotnfuse.dot
Trusted Zone: techguy.org\www
Trusted Zone: virusvault.co.uk\www
Trusted Zone: yahoo.com\att.my
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://fdotnfuse.dot.state.fl.us/Citrix/ICAWEB/en/ica32/wficat.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://pbells.broadjump.com/wizlet/iw60/static/controls/WebflowActiveXInstaller_4-0-0.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://smartbalance.coupons.smartsource.com/download/cscmv5X.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120083437937
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121730826828
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://doliver.earthcam.net/viewer/AMC.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8D3314D6-5914-46C1-9F3D-9F14B6A305F1} - hxxp://www.mytpi.com/mytpi05/eval/ectuploader.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://hgtv1.view22.com/view22/app/view22rte.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - hxxps://livewc01.custhelp.com/7550-b415h-quickenmedical/rnl/java/RntX.cab
DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} - hxxp://fdl.msn.com/public/investor/v13/ticker.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://www.paslc.org/acgm/f2_acgm.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\copern~1\COPERN~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-6-23 150544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-23 365448]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R3 NmPar;Unusable Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-7-31 80512]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-7-31 70016]
S2 gupdate1c9c9186781a4fc;Google Update Service (gupdate1c9c9186781a4fc);c:\program files\google\update\GoogleUpdate.exe [2009-4-29 133104]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 A4S2600;A4S2600;c:\windows\system32\drivers\a4s2600.sys --> c:\windows\system32\drivers\A4S2600.sys [?]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2006-3-16 36960]
S3 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe --> c:\progra~1\mcafee.com\agent\mctskshd.exe [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe --> c:\progra~1\mcafee.com\agent\mcupdmgr.exe [?]
S3 NDMSHLP;Device Monitor Helper Driver;c:\program files\common files\hhd software\device monitor\NDMSHLP.sys [2005-5-24 7632]
S3 SerMon;Serial Monitor Filter Driver;c:\program files\hhd software\free serial port monitor\sermon.sys [2005-5-24 18432]
S4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe --> c:\program files\mcafee.com\agent\mcdetect.exe [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-06-24 17:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-24 17:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-23 22:09 <DIR> --d----- c:\docume~1\jbandt\applic~1\MailFrontier
2009-06-23 21:57 72,584 a------- c:\windows\zllsputility.exe
2009-06-23 21:56 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-06-23 21:56 415,148 a------- c:\windows\system32\vsconfig.xml
2009-06-18 21:25 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-18 21:25 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 22:38 <DIR> --d----- c:\docume~1\jbandt\applic~1\AVG8
2009-06-15 19:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-06-23 22:02 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-13 19:04 34 -------- c:\documents and settings\jbandt\jagex_runescape_preferences.dat
2008-07-17 18:23 134,784 -------- c:\docume~1\jbandt\applic~1\GDIPFONTCACHEV1.DAT
2008-02-15 00:17 54,134 -------- c:\program files\INSTALL.LOG
2005-12-24 22:11 3,932 -------- c:\docume~1\jbandt\applic~1\LMLayout.dat
2005-12-24 22:11 268 -------- c:\docume~1\jbandt\applic~1\LMCPaper.dat
2008-08-31 10:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083120080901\index.dat

============= FINISH: 17:39:13.03 ===============
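
The ZoneAlarm log above shows svchost ("Generic Host Process for Win32 Services") reaching the same few external addresses on a fixed schedule while the rows were being tagged LOCK (traffic stopped by ZoneAlarm's Internet Lock): 213.163.64.81 at 27:28 past every hour, 213.133.110.21 at 28:54 past every hour, with 78.46.213.89 and 78.46.213.90 on a looser cycle. The following is an added example, not part of the original post and not ZoneAlarm's or DDS's own code, that turns that eyeballing into a check: it parses the LOCK rows, groups them by program and external destination, and reports destinations contacted at a near-constant interval. The sample log is a subset of the rows above plus the two differently shaped rows (the PE row and the truncated row), so the parser has to skip them; the jitter and minimum-hit thresholds are assumptions to tune per log.

```python
"""Beacon-interval check over ZoneAlarm LOCK rows.
Added example for this thread; not ZoneAlarm's or DDS's own code."""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: a subset of the LOCK rows from the log above, plus the
# PE row and the truncated row, so the parser has to cope with odd shapes.
SAMPLE_LOG = r"""
LOCK,2009/06/24,02:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,02:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,02:33:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,02:35:30 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,03:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,03:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,03:50:12 -4:00 GMT,Microsoft Feeds Synchronization,127.0.0.1,N/A
LOCK,2009/06/24,04:13:54 -4:00 GMT,Generic Host Process for Win32 Services,78.46.213.90,N/A
LOCK,2009/06/24,04:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,04:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
LOCK,2009/06/24,05:27:28 -4:00 GMT,Generic Host Process for Win32 Services,213.163.64.81,N/A
LOCK,2009/06/24,05:28:54 -4:00 GMT,Generic Host Process for Win32 Services,213.133.110.21,N/A
PE,2009/06/24,10:22:30 -4:00 GMT,Generic Host Process for Win32 Services,C:\WINDOWS\SYSTEM32\svchost.exe,0.0.0.0:135,N/A
,2009/06/24,10:22:44 -4:00 GMT,
"""


def _is_external(dest):
    """True for a routable unicast address; False for loopback, LAN, multicast,
    broadcast, an empty field or a host:port string."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_private or ip.is_multicast
                or ip.is_reserved or ip.is_link_local or ip.is_unspecified)


def parse_lock_events(text):
    """Return [(timestamp, program, destination)] for well-formed LOCK rows."""
    events = []
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) != 6 or fields[0] != "LOCK":
            continue                      # PE, AV/treatment and truncated rows differ
        clock = fields[2].split()[0]      # drop the "-4:00 GMT" suffix
        when = datetime.strptime(f"{fields[1]} {clock}", "%Y/%m/%d %H:%M:%S")
        events.append((when, fields[3], fields[4]))
    return events


def find_beacons(events, min_hits=3, jitter_seconds=60):
    """Destinations a program hits at a near-constant interval.
    min_hits and jitter_seconds are assumed thresholds; tune them per log."""
    by_target = defaultdict(list)
    for when, program, dest in events:
        if _is_external(dest):
            by_target[(program, dest)].append(when)
    beacons = {}
    for (program, dest), times in by_target.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            beacons[dest] = {"program": program, "hits": len(times),
                             "period_seconds": median(gaps)}
    return beacons


if __name__ == "__main__":
    for dest, info in sorted(find_beacons(parse_lock_events(SAMPLE_LOG)).items()):
        print(f"{dest:16} every {info['period_seconds']:.0f}s "
              f"x{info['hits']}  ({info['program']})")
```

A regular beacon is a lead, not a verdict: Windows Update, time sync and feed readers also poll on a schedule, so the output is a short list to check against the address owner and against what legitimately runs inside that svchost group (tasklist /svc on XP). On the full log above the two hourly pairs stop at the 10:22 restart and resume at a new offset (10:38:10 onward, about three minutes after the SSDP row that marks the network coming up), which is consistent with a timer started at boot rather than a clock-based schedule.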

#10 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 24 June 2009 - 05:09 PM

Hi jbandtbone,

Occasionally malware hides itself from HijackThis.
Navigate to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe using My Computer or Windows Explorer and right-click on the HijackThis.exe file.
Select the Rename option from the right-click menu, rename HijackThis.exe to fluffybunny.exe and press Enter.
Scan with HijackThis (fluffybunny.exe) again and post a new HijackThis log.


We will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.
Please read ComboFix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums, and then only when requested by a HJT Team member.

You need to disable your ZoneAlarm Security Suite Antivirus before running ComboFix, as it will prevent it from running.

Note: If you already have a copy of ComboFix on your system, it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries, including your Browser.
Do not run ComboFix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, ComboFix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 jbandtbone (Topic Starter, Members, 90 posts)

Posted 24 June 2009 - 06:50 PM

OK, I read everything for ComboFix. I'm on the laptop now. I double-clicked it, the security warning came up, I clicked Run and nothing else happened. It's been a good 5-10 minutes.

#12 jbandtbone (Topic Starter, Members, 90 posts)

Posted 24 June 2009 - 07:14 PM

I should have given you the HJT log before. Also, Automatic Updates wants to install IE 8 for Windows.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:55 PM, on 6/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 antispyware.microsoft.com
O1 - Hosts: 209.44.111.57 2009antivirpro.com
O1 - Hosts: 209.44.111.57 www.2009antivirpro.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.1stpeoplesbank.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted Zone: http://www.excite.com
O15 - Trusted Zone: http://www.grc.com
O15 - Trusted Zone: http://bl145w.blu145.mail.live.com
O15 - Trusted Zone: http://login.live.com
O15 - Trusted Zone: http://mail.live.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.sirius.com
O15 - Trusted Zone: http://www.techguy.org
O15 - Trusted Zone: http://www.virusvault.co.uk
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://fdotnfuse.dot.state.fl.us/Citrix/IC...ca32/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...99/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - http://smartbalance.coupons.smartsource.co...oad/cscmv5X.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120083437937
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121730826828
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://doliver.earthcam.net/viewer/AMC.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8D3314D6-5914-46C1-9F3D-9F14B6A305F1} (eCTUploader Control) - http://www.mytpi.com/mytpi05/eval/ectuploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv1.view22.com/view22/app/view22rte.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7550-b415h-qu...l/java/RntX.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.paslc.org/acgm/f2_acgm.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: Google Update Service (gupdate1c9c9186781a4fc) (gupdate1c9c9186781a4fc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 9935 bytes

#13 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 24 June 2009 - 09:19 PM

Hi jbandtbone,

We will restore the default hosts file back onto your machine.

Download HostsXpert here:
http://www.funkytoad.com/download/HostsXpert.zip

Unzip HostsXpert to your desktop.

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click "Back up Hosts files".
* Then click "Restore MS Hosts File".
* Close the program.


    OK, I read everything for ComboFix. I'm on the laptop now. I double-clicked it, the security warning came up, I clicked Run and nothing else happened. It's been a good 5-10 minutes.

Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, ComboFix is still at work.
If it does not complete after 25 minutes, let me know and we will run it another way.

    Also, Automatic Updates wants to install IE 8 for Windows.

Let it install IE8, as it is safer than IE7.

Edited by SifuMike, 24 June 2009 - 09:20 PM.


#14 jbandtbone (Topic Starter, Members, 90 posts)

Posted 24 June 2009 - 10:18 PM

When I said it didn't do anything, I meant the next window didn't open as in the instructional page. I remembered about the drive light; it wasn't flashing. Now, HostsXpert: I ran it, but this is what I got. [attachment=23862:New_Micr...ment__2_.doc]

I'll let the update install tonight. Thanks again for your patience.

#15 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 24 June 2009 - 10:33 PM

Hi jbandtbone,

Not to worry, we can fix the hosts file manually.
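
The O1 rows in the HijackThis log in post #12 map antispyware.microsoft.com, 2009antivirpro.com and www.2009antivirpro.com to 209.44.111.57, so a request for Microsoft's anti-spyware site was being sent to that address instead, and posts #13 and #15 set out to put the stock hosts file back. The following is an added example, not code from the thread and not HostsXpert: it pulls the O1 (hosts) and O15 (Trusted Zone) entries out of HJT output, classifies each hosts entry (the stock localhost line, a loopback sinkhole of the kind ad-blocking lists add, or a redirect to a routable address, with a separate verdict when the name looks like a security vendor), and writes a minimal stock hosts file after taking a backup and clearing the read-only attribute, which is the job of HostsXpert's "make hosts writable?" button. The sample lines are the rows from the log above plus one constructed ad-blocking row; the vendor-name list and the backup routine are assumptions.

```python
"""Classify HijackThis O1 (hosts) and O15 (Trusted Zone) entries and
restore a stock hosts file. Added example; not from the thread or HostsXpert."""
import ipaddress
import os
import re
import shutil
import stat

# Constructed sample: the O1/O15 rows from the log above, plus one
# ad-blocking style row (127.0.0.1 ad.example) that is not in the log.
SAMPLE_HJT = """
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 antispyware.microsoft.com
O1 - Hosts: 209.44.111.57 2009antivirpro.com
O1 - Hosts: 209.44.111.57 www.2009antivirpro.com
O1 - Hosts: 127.0.0.1 ad.example
O15 - Trusted Zone: http://www.1stpeoplesbank.com
O15 - Trusted Zone: http://login.live.com
"""

HOSTS_ROW = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
TRUSTED_ROW = re.compile(r"^O15 - Trusted Zone:\s+(\S+)")

# Assumption: name fragments a rogue antivirus would want to hijack.
SECURITY_NAMES = ("microsoft.com", "antivir", "symantec", "mcafee",
                  "malwarebytes", "bleepingcomputer", "kaspersky")

# Minimal Windows XP hosts file: only localhost, nothing else.
STOCK_HOSTS = "127.0.0.1       localhost\r\n"


def parse_hjt(text):
    """Return ([(ip, hostname), ...], [trusted_site, ...]) from HJT output."""
    hosts, trusted = [], []
    for line in text.splitlines():
        m = HOSTS_ROW.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower()))
            continue
        m = TRUSTED_ROW.match(line)
        if m:
            trusted.append(m.group(1))
    return hosts, trusted


def classify_hosts(entries):
    """Tag each entry: stock, sinkhole, redirect, redirect-security, unparseable."""
    findings = []
    for ip_text, name in entries:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((ip_text, name, "unparseable"))
            continue
        if name == "localhost":
            verdict = "stock" if ip.is_loopback else "redirect"
        elif ip.is_loopback or ip.is_unspecified:
            verdict = "sinkhole"      # 127.0.0.1 / 0.0.0.0: the name is blocked
        else:
            verdict = "redirect"      # the name now resolves to someone else's box
        if verdict == "redirect" and any(s in name for s in SECURITY_NAMES):
            verdict = "redirect-security"
        findings.append((ip_text, name, verdict))
    return findings


def restore_hosts(path):
    """Back up the existing hosts file, clear read-only, write the stock one.
    On XP the path is %SystemRoot%\\system32\\drivers\\etc\\hosts (assumed
    to be passed in by the caller). Returns the backup path, or None."""
    backup = None
    if os.path.exists(path):
        backup = path + ".bak"
        shutil.copy2(path, backup)
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)   # clears the read-only attribute
    with open(path, "w", newline="") as fh:
        fh.write(STOCK_HOSTS)
    return backup


if __name__ == "__main__":
    hosts, trusted = parse_hjt(SAMPLE_HJT)
    for ip_text, name, verdict in classify_hosts(hosts):
        print(f"{verdict:18} {ip_text:16} {name}")
    print("Trusted Zone sites:", ", ".join(trusted))
```

Anything tagged redirect deserves a look even when the name is not a vendor's: a hosts entry wins over DNS, so the user has no way to tell from the browser that the bank or webmail site they typed is being served from somewhere else. The O15 list is worth reviewing for the same reason, since Trusted Zone sites run with looser IE settings; the entries here match sites the user evidently chose, but a rogue can add its own.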
