
Rogue Antivirus program, referred to this thread


This topic is locked
33 replies to this topic

#1 fredp333

fredp333

  • Members
  • 52 posts

Posted 10 August 2009 - 05:24 PM

Hello,

Elise025 advised me to start a new topic in this thread. Here is a link to the original thread.

http://www.bleepingcomputer.com/forums/topic248028-15.html



I had a malware attack (rogue antivirus program) that disabled my access to the TaskManager, kept me from restarting in safe mode, interrupted my web browsing, brought up pop-up windows, changed my desktop background, and prevented me from running anti-malware software. After several steps, my computer is functioning again but there are some issues with RootRepeal that elise thought may indicate a larger problem. Here is the DDS log, as per the instructions. Thank you in advance, you guys are really helping me out.



DDS (Ver_09-07-30.01) - NTFSx86
Run by Fredo at 15:19:01.00 on Mon 08/10/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.619 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fredo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://cnn.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpyDefender Shield] "c:\program files\spydefender pro\SpyDefender.exe" --scan2
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [DW4] "c:\program files\the weather channel fw\desktop weather\DesktopWeather.exe"
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Aim6]
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\winlogon.exe.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - {2151DA8C-C5B6-4B4F-86AB-BDA449BF8747} - c:\program files\evernote\evernote\enbar.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
LSP: c:\windows\system32\lsp.dll
Trusted Zone: barbri.com\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fredo\applic~1\mozilla\firefox\profiles\16e6bgpu.default\
FF - prefs.js: browser.startup.homepage - drudgereport.com
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-17 24652]
RUnknown uouml;uouml; [x]
S0 qbcd77a;qbcd77a;\SystemRoot\\SystemRoot\System32\drivers\qbcd77a.sys --> \SystemRoot\\SystemRoot\System32\drivers\qbcd77a.sys [?]
S1 3e5d9b92.sys;3e5d9b92.sys;\??\c:\windows\system32\drivers\3e5d9b92.sys --> c:\windows\system32\drivers\3e5d9b92.sys [?]

=============== Created Last 30 ================

2009-08-09 13:14 <DIR> --d----- c:\program files\ESET
2009-08-09 11:58 61,440 a------- c:\windows\system32\drivers\bpopjxcn.sys
2009-08-09 09:09 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 09:04 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-09 00:41 0 a------- c:\documents and settings\fredo\settings.dat
2009-08-08 22:52 <DIR> --d----- c:\windows\pss
2009-08-08 22:16 45,344 a------- c:\windows\system32\drivers\qbcd77a.sys
2009-08-08 22:00 1,110,399 a------- c:\windows\system32\UACmuhhonoeoi.db
2009-08-08 21:49 1,234,573 a------- c:\windows\system32\xa.tmp
2009-08-08 07:57 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-07 01:06 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-07 01:05 <DIR> --d----- C:\2adae3b46dbe3411e45b59
2009-08-07 01:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-07 01:05 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 01:05 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 01:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-07 01:05 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 01:05 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-07 01:05 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-24 20:04 <DIR> --d----- c:\program files\iPod
2009-07-24 20:04 <DIR> --d----- c:\program files\iTunes
2009-07-17 01:25 <DIR> --d-h--- C:\$AVG8.VAULT$

==================== Find3M ====================

2009-08-09 11:58 1,992 a------- c:\program files\yowe.txt
2009-08-01 14:32 36,810 a------- c:\docume~1\fredo\applic~1\wklnhst.dat
2009-07-30 16:55 414,361 a------- c:\windows\jgzr.dat
2009-07-19 06:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 06:32 6,067,200 a------- c:\windows\system32\dllcache\ieframe.dll
2009-06-29 04:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 04:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 01:35 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 01:33 2,452,872 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 01:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-13 01:46 183,296 a------- c:\windows\system32\lsp.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-06-02 14:01 88,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-03-10 10:37 88 ---shr-- c:\windows\system32\D463159AE5.sys
2008-03-10 10:37 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:19:56.96 ===============


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 15 August 2009 - 12:13 PM

Hello fredp333,

What antivirus program do you have installed?


Uninstall Ad-Aware SE Personal and Spybot - Search & Destroy 1.4, as they are ancient.

Please download, update and run (one at a time of course!)
Spybot 1.6.2.46 and Ad-Aware Free

************************


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0 Update 6
    Java 6 Update 3
    Java 6 Update 5

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.
************************

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folders
C:\Program Files\Viewpoint

************************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

************************

Please do this:
1. Download HijackThis here:
http://www.trendsecure.com/portal/en-US/to...ools/hijackthis

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.
Please post it.

Edited by SifuMike, 15 August 2009 - 12:15 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 fredp333

fredp333
  • Topic Starter

  • Members
  • 52 posts

Posted 15 August 2009 - 10:38 PM

Hi, thanks for responding.

I am having trouble completing everything you recommend. I keep getting blue-screen error messages after installing the java update or copying/pasting the log from SecurityCheck. When I try to report the error to microsoft it tells me the error file is corrupt. Not fun times over here.

I have been running AVG-free for years now, but looking at my programs I can't find it installed.

I deleted spybot and ad-aware, and got rid of viewpoint successfully, but I'm having trouble with securitycheck. I'll try to paste the log into a reply now, and will do a hijackthis log separately.

#4 fredp333

fredp333
  • Topic Starter

  • Members
  • 52 posts

Posted 15 August 2009 - 10:39 PM

Results of screen317's Security Check version 0.98.8
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!


WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 15
Adobe Flash Player 10
Adobe Reader 7.0.8
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent



``````````````````````````````
DNS Vulnerability Check:

GREAT! (Very random)

#5 fredp333

fredp333
  • Topic Starter

  • Members
  • 52 posts

Posted 15 August 2009 - 10:41 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:47 PM, on 8/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060919
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 antispyware.microsoft.com
O1 - Hosts: 209.44.111.57 2009antivirpro.com
O1 - Hosts: 209.44.111.57 www.2009antivirpro.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6930 bytes

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 15 August 2009 - 10:56 PM

Hi fredp333,

Please note that all instructions given are customized for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: 209.44.111.57 antispyware.microsoft.com
O1 - Hosts: 209.44.111.57 2009antivirpro.com
O1 - Hosts: 209.44.111.57 www.2009antivirpro.com
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Close all browsers and other windows except for HijackThis, and click "Fix checked"



Reboot your computer, post a new Hijackthis log, and tell me how your computer is running.
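The two kinds of entries the helper asks to fix above, a browser proxy pointing at localhost:7171 and hosts-file lines mapping antispyware.microsoft.com to 209.44.111.57, are the sort of thing a defender can flag automatically when triaging a HijackThis-style log: a proxy on the loopback interface means a process on the same machine is relaying every browser request, and a hosts-file entry that sends a vendor's update or anti-spyware site to an outside address (or to 127.0.0.1, which silently blocks it) keeps the victim from reaching help. The following script is an added example written for this page; it is not HijackThis code and not anything posted in the thread. The WATCHED_SUFFIXES list is an assumption made for the illustration, and SAMPLE_LOG is constructed from the entries shown in the logs above plus one invented 127.0.0.1 update.microsoft.com blocking line for contrast.

```python
"""Flag hosts-file hijacks and loopback proxies in a HijackThis-style log.

Added example for this thread; not HijackThis code and not from any poster.
"""
import re
from ipaddress import ip_address

# Update/security domains whose hosts-file entries deserve attention.
# This short list is an assumption made for the example, not an authoritative one.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com",
                    "mcafee.com", "kaspersky.com", "avg.com", "malwarebytes.org")

# Constructed sample: the proxy and hosts entries from the thread's log, plus
# one invented '127.0.0.1 update.microsoft.com' blocking line for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 antispyware.microsoft.com
O1 - Hosts: 209.44.111.57 2009antivirpro.com
O1 - Hosts: 127.0.0.1 update.microsoft.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
PROXY_RE = re.compile(
    r"^R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,"
    r"ProxyServer = (.+?)\s*$")


def is_loopback(ip_text):
    """True for 127.0.0.0/8 and ::1; False for anything that is not an IP."""
    try:
        return ip_address(ip_text).is_loopback
    except ValueError:
        return False


def is_watched(host):
    """True when the host is one of the watched domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def check_hosts(ip_text, host):
    """Return a finding string for one 'O1 - Hosts:' entry, or None if benign."""
    if host.lower() == "localhost":
        return None                      # the stock localhost line
    if is_loopback(ip_text):
        if is_watched(host):
            return f"hosts-file BLOCK of security/update site {host}"
        return None                      # ad-blocking style entries are common
    if is_watched(host):
        return f"hosts-file REDIRECT of {host} to {ip_text}"
    return f"hosts-file entry mapping {host} to external address {ip_text}"


def check_proxy(value):
    """Return findings for a ProxyServer value such as 'http=localhost:7171'.

    The value may list several 'scheme=host:port' pairs separated by ';'.
    """
    findings = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        target = part.split("=", 1)[1] if "=" in part else part
        host, _, _port = target.rpartition(":")
        if not host:                     # no port given
            host = target
        host = host.strip("[]")          # allow '[::1]:8080'
        if host.lower() == "localhost" or is_loopback(host):
            findings.append(f"browser proxy on loopback: {part}")
    return findings


def analyze(log_text):
    """Scan the log line by line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            finding = check_hosts(m.group(1), m.group(2))
            if finding:
                findings.append(finding)
            continue
        m = PROXY_RE.match(line)
        if m:
            findings.extend(check_proxy(m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The script only reads the O1 and R1 lines that HijackThis already extracted; it does not open the machine's hosts file or registry itself, so it can be run on a log pasted from another machine without touching the infected one. A non-loopback hosts entry for an unwatched domain is still reported, since a legitimate hosts file rarely points names at outside addresses.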

#7 fredp333

fredp333
  • Topic Starter

  • Members
  • 52 posts

Posted 16 August 2009 - 11:58 AM

Here is a new log. When I tried to reboot after deleting the files you suggested, the computer would not completely shut down, so I had to manually shut it down using the power button. Otherwise seems to be running ok, the security center is running now (which it wasn't before) so I think that's a good sign.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:21 AM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060919
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7339 bytes

#8 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:30 PM

Posted 16 August 2009 - 12:14 PM

Hi fredp333,

Please note that all instructions given are customized for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.



Uninstall SpyDefender Pro

Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2


Close all browsers and other windows except for HijackThis, and click "Fix checked"

*******************************************

Make sure Firefox and Internet Explorer browsers are closed before running OTM.

Download and Run OTM
  • Please download OTM by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the OTM.exe icon on your desktop.
  • Paste the following code under the "Paste Instructions for Items to be Moved" area. Do not include the word "Code".
    :files
    C:\Program Files\SpyDefender Pro
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large "MoveIT!" button.
  • Copy/Paste the contents under the "Results" line here in your next reply.
Note:If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


*******************************************


Reboot your computer


Post the Hijackthis log, OTM log.


You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

AVAST Home Edition User Guide
http://www.avast.com/eng/download-avast-home.html

Avira AntiVir User Manual
http://www.free-av.com/en/documentation/index.html

AVG antivirus User Manual
http://free.avg.com/ww.download?prd=afe#tba3

Let me know what the antivirus finds. Post the Antivirus log.

Edited by SifuMike, 16 August 2009 - 12:26 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 fredp333

  • Topic Starter
  • Members
  • 52 posts
  • Local time:11:30 AM

Posted 16 August 2009 - 12:42 PM

Hi,

Here are the logs you requested. While I was playing a game full-screen the program kept minimizing but I can't figure out why. Also, last night I was performing some of the fixes you recommended and I would get notices that a browser was running. I clicked "show list of browsers" and internet explorer, which I don't use anymore, was running. I couldn't find it in task manager and it wasn't in my taskbar.

OTM Log:

All processes killed
========== FILES ==========
File/Folder C:\Program Files\SpyDefender Pro not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 2982117 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Fredo
->Temp folder emptied: 1582561 bytes
File delete failed. C:\Documents and Settings\Fredo\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 40393589 bytes
->Java cache emptied: 28361067 bytes
->FireFox cache emptied: 45450801 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 113.32 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08162009_103707

Files moved on Reboot...

Registry entries deleted on Reboot...


HiJackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:12 AM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060919
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7287 bytes

Going to install AVG and post its log in a new reply. Thanks again,
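A triage helper for the HijackThis log format above, added here as an example; it is not a BleepingComputer, Trend Micro or HijackThis tool, and all function names in it are my own. It parses the R/O entry lines into structured records, flags O4 autostart entries that match a watch pattern or whose shortcut target HijackThis could not resolve (the `= ?` on the Digital Line Detect entry), and diffs two logs so a responder can verify that a "Fix checked" actually removed the SpyDefender Run entry named in post #8. Both sample logs are constructed from lines in this thread; the Java Quick Starter service appears only in the "after" log so that the added-entries side of the diff is exercised too.

```python
"""HijackThis log triage (added example, not part of this thread or of any tool it names)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# 'O4 - <body>' / 'R1 - <body>': section code, then the entry text.
LINE_RE = re.compile(r'^(?P<kind>R\d|O\d{1,2}) - (?P<body>.*)$')
# O4 - HKCU\..\Run: [Name] "C:\path\prog.exe" --args
O4_RUN_RE = re.compile(r'^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 - Global Startup: Foo.lnk = C:\path\foo.exe   ('?' means HJT could not resolve the target)
O4_STARTUP_RE = re.compile(r'^(?P<scope>Global|User) Startup: (?P<name>.+?) = (?P<target>.*)$')
# O23 - Service: Display Name (ShortName) - Vendor - C:\path\svc.exe
O23_RE = re.compile(r'^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')

# Constructed sample logs (lines taken from this thread; not the poster's full logs).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""


@dataclass
class Entry:
    kind: str                                   # section code, e.g. 'O4', 'O23'
    body: str                                   # raw text after 'O4 - '
    fields: Dict[str, str] = field(default_factory=dict)  # parsed sub-fields when recognised


def parse_log(text: str) -> List[Entry]:
    """Return every R*/O* entry; process lists, headers and the trailer are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group('kind'), m.group('body')
        fields: Dict[str, str] = {}
        if kind == 'O4':
            sub = O4_RUN_RE.match(body) or O4_STARTUP_RE.match(body)
            fields = sub.groupdict() if sub else {}
        elif kind == 'O23':
            sub = O23_RE.match(body)
            fields = sub.groupdict() if sub else {}
        entries.append(Entry(kind, body, fields))
    return entries


def diff_logs(before_text: str, after_text: str) -> Tuple[List[Entry], List[Entry]]:
    """(removed, added) between two logs, keyed on the exact entry text."""
    before, after = parse_log(before_text), parse_log(after_text)
    before_keys = {(e.kind, e.body) for e in before}
    after_keys = {(e.kind, e.body) for e in after}
    removed = [e for e in before if (e.kind, e.body) not in after_keys]
    added = [e for e in after if (e.kind, e.body) not in before_keys]
    return removed, added


def flag_entries(entries: List[Entry], name_patterns: List[str]) -> List[Tuple[Entry, str]]:
    """Flag O4 autostarts matching a watch pattern, and startup shortcuts HJT could not resolve."""
    pats = [re.compile(p, re.I) for p in name_patterns]
    flagged: List[Tuple[Entry, str]] = []
    for e in entries:
        if e.kind != 'O4' or not e.fields:
            continue
        if 'cmd' in e.fields:                   # registry Run-key entry
            hit = next((p.pattern for p in pats
                        if p.search(e.fields['name']) or p.search(e.fields['cmd'])), None)
            if hit:
                flagged.append((e, f'name/command matches {hit}'))
        elif e.fields.get('target') == '?':    # Startup-folder shortcut with unknown target
            flagged.append((e, 'startup shortcut target could not be resolved'))
    return flagged


if __name__ == '__main__':
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in removed:
        print('removed:', e.kind, e.body)
    for e in added:
        print('added:  ', e.kind, e.body)
    for e, why in flag_entries(parse_log(BEFORE_LOG), ['SpyDefender']):
        print('flag:', why, '->', e.body)
```

The diff is the check worth running after every "Fix checked": the removed list should contain exactly the entries the helper asked to fix and nothing else, and anything that reappears in a later log is a sign the entry is being re-created by a component HijackThis does not list. Note that the rogue's entry lived under HKCU\..\Run, a per-user key that any process running as that user can write without administrative rights, which is why a user-level fix can clear it while a service-level component stays behind.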

#10 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:30 PM

Posted 16 August 2009 - 01:09 PM

Hi Fred,

OK, the AVG scan should show us more.

I think you have a rootkit on this computer, so we will need to run several more tools.

#11 fredp333

  • Topic Starter
  • Members
  • 52 posts
  • Local time:11:30 AM

Posted 16 August 2009 - 03:15 PM

Hello,

I can't find any way to get a log off of AVG. I ran a full scan and it found 4 infections, I have pasted the results from the "infections" tab here. If there is a way to copy/paste a logfile, please advise me how to do that. When the scan was done internet explorer was open (I could see it this time) and had about 20 tabs open. The one on top was for some online casino that I've never heard of.


"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\07KVS14F\exe[1].exe";"Trojan horse Downloader.Small.GHE";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\07KVS14F\static[1].exe";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4FS987UB\Z[1].exe";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CRCX2XE3\install[1].exe";"Trojan horse SHeur2.AVJL";"Moved to Virus Vault"


Hope this helps otherwise let me know and I'll get another antivirus that has a log or just re-scan with AVG if I know how to access the log.

Thanks,
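A small summariser for the AVG "infections" tab export pasted above, added as an example; it is not an AVG or BleepingComputer tool, and the function names are my own. AVG lists each detection as a semicolon-separated, double-quoted triple of path, detection name and action taken, which the `csv` module reads directly. The sample is constructed from the four lines in the post; the grouping by Windows profile is the part worth looking at, since all four files sit in the Temporary Internet Files cache of `config\systemprofile`, the profile of the LocalSystem account rather than of the logged-in user.

```python
"""AVG 'infections' export summariser (added example, not part of this thread or of AVG)."""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the four result lines quoted in the post.
AVG_RESULTS = r'''
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\07KVS14F\exe[1].exe";"Trojan horse Downloader.Small.GHE";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\07KVS14F\static[1].exe";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4FS987UB\Z[1].exe";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CRCX2XE3\install[1].exe";"Trojan horse SHeur2.AVJL";"Moved to Virus Vault"
'''


@dataclass
class Detection:
    path: str      # file AVG flagged
    name: str      # AVG detection name
    action: str    # what AVG did with it


def parse_avg_results(text: str) -> List[Detection]:
    """Each line is "path";"detection";"action"; backslashes are literal (no escapechar)."""
    reader = csv.reader(io.StringIO(text.strip()), delimiter=';', quotechar='"')
    return [Detection(*row) for row in reader if len(row) == 3]


def profile_from_path(path: str) -> str:
    """Which Windows profile wrote the file: LocalSystem's, a named user's, or unknown."""
    if re.search(r'\\config\\systemprofile\\', path, re.I):
        return 'LocalSystem (systemprofile)'
    m = re.search(r'\\Documents and Settings\\([^\\]+)\\', path, re.I)
    return m.group(1) if m else 'unknown'


def ie_cache_dir(path: str) -> str:
    """The random Content.IE5 subfolder the file was cached in ('' if not an IE cache path)."""
    m = re.search(r'\\Content\.IE5\\([^\\]+)\\', path, re.I)
    return m.group(1) if m else ''


def summarize_by_profile(dets: List[Detection]) -> Dict[str, int]:
    return dict(Counter(profile_from_path(d.path) for d in dets))


def summarize_by_name(dets: List[Detection]) -> Dict[str, int]:
    return dict(Counter(d.name for d in dets))


def not_quarantined(dets: List[Detection]) -> List[Detection]:
    """Detections AVG did not move to the Virus Vault still need manual follow-up."""
    return [d for d in dets if 'Virus Vault' not in d.action]


if __name__ == '__main__':
    dets = parse_avg_results(AVG_RESULTS)
    print('by profile:', summarize_by_profile(dets))
    print('by name:   ', summarize_by_name(dets))
    print('cache dirs:', sorted({ie_cache_dir(d.path) for d in dets}))
    print('needs follow-up:', [d.path for d in not_quarantined(dets)])
```

Files in the systemprofile Temporary Internet Files cache were fetched through WinInet by something running under the LocalSystem account, not by the user's own browser session. That fits the hidden Internet Explorer instance fredp333 could not find in Task Manager and the unrequested tabs it opened, and it is the kind of signal that points at a service-level component rather than a user-level nuisance, which is what the next post's move to a rootkit-capable tool reflects.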

#12 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:30 PM

Posted 16 August 2009 - 04:36 PM

Hi fredp333,

I have seen enough of the AVG log.


You have a rootkit so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:  
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#13 fredp333

  • Topic Starter
  • Members
  • 52 posts
  • Local time:11:30 AM

Posted 17 August 2009 - 10:35 PM

Hello, sorry for the delay in replying. Here is the log as requested.

Thanks,


ComboFix 09-08-10.06 - Fredo 08/17/2009 20:15.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.556 [GMT -7:00]
Running from: c:\documents and settings\Fredo\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Fredo\LOCALS~1\Temp\catchme.dll
c:\documents and settings\Fredo\Local Settings\Temp\catchme.dll
c:\windows\Installer\62a8bd9.msi
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\lsp.dll
c:\windows\system32\MabryObj.dll

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETnvpexmql
-------\Legacy_SKYNETokwxfira
-------\Legacy_UACd.sys
-------\Service_SKYNETnvpexmql
-------\Service_SKYNETokwxfira
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-16 17:50 . 2009-08-16 17:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 17:50 . 2009-08-16 17:50 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-16 17:50 . 2009-08-16 17:50 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 17:50 . 2009-08-16 17:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 17:49 . 2009-08-18 03:04 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-16 17:49 . 2009-08-16 17:49 -------- d-----w- c:\program files\AVG
2009-08-16 17:49 . 2009-08-16 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-16 17:43 . 2009-08-16 17:43 -------- d-----w- c:\documents and settings\Fredo\Application Data\AVG8
2009-08-16 17:37 . 2009-08-16 17:37 -------- d-----w- C:\_OTM
2009-08-16 04:02 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-16 03:53 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-16 03:51 . 2009-08-16 03:51 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-16 03:51 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-16 03:51 . 2009-08-16 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-16 03:51 . 2009-08-16 03:51 -------- d-----w- c:\program files\Lavasoft
2009-08-16 03:40 . 2009-08-16 03:40 -------- d-----w- c:\program files\Trend Micro
2009-08-16 03:18 . 2009-08-16 03:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-16 03:15 . 2009-08-16 03:15 152576 ----a-w- c:\documents and settings\Fredo\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-12 03:41 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-09 20:14 . 2009-08-09 20:14 -------- d-----w- c:\program files\ESET
2009-08-09 16:09 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 16:04 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 07:41 . 2009-08-09 07:41 0 ----a-w- c:\documents and settings\Fredo\settings.dat
2009-08-09 05:16 . 2009-08-09 05:16 45344 ----a-w- c:\windows\system32\drivers\qbcd77a.sys
2009-08-07 08:06 . 2009-08-07 08:06 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-07 08:06 . 2009-08-07 08:06 -------- d-----w- c:\program files\MSBuild
2009-08-07 08:06 . 2009-08-07 08:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 08:05 . 2009-08-07 08:05 -------- d-----w- C:\2adae3b46dbe3411e45b59
2009-08-07 08:05 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 08:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-07 08:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 08:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-07 08:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 08:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-07 08:05 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 03:04 . 2009-07-25 03:04 -------- d-----w- c:\program files\iPod
2009-07-25 03:04 . 2009-07-25 03:05 -------- d-----w- c:\program files\iTunes
2009-07-25 01:39 . 2009-07-25 01:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 04:55 . 2006-09-27 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 04:05 . 2006-09-27 00:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-16 03:17 . 2006-09-19 08:35 -------- d-----w- c:\program files\Java
2009-08-16 03:09 . 2006-09-19 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-16 03:08 . 2006-10-25 17:08 -------- d-----w- c:\documents and settings\Fredo\Application Data\Lavasoft
2009-08-14 19:24 . 2006-09-26 20:39 36858 ----a-w- c:\documents and settings\Fredo\Application Data\wklnhst.dat
2009-08-09 16:15 . 2009-06-03 02:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 05:01 . 2006-09-26 20:06 65960 ----a-w- c:\documents and settings\Fredo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 16:55 . 2007-11-26 19:37 -------- d-----w- c:\program files\World of Warcraft
2009-08-01 21:27 . 2008-05-06 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Examsoft
2009-07-30 23:55 . 2008-05-06 06:48 414361 ----a-w- c:\windows\jgzr.dat
2009-07-25 03:04 . 2009-06-02 20:27 -------- d-----w- c:\program files\Common Files\Apple
2009-07-25 01:35 . 2008-02-04 15:08 -------- d-----w- c:\documents and settings\Fredo\Application Data\SUPERAntiSpyware.com
2009-07-25 01:35 . 2008-02-04 15:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-25 01:09 . 2008-02-04 15:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-17 19:01 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:22 . 2009-07-13 21:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-13 17:08 . 2005-08-16 09:19 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 07:56 . 2009-07-04 19:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-04 19:52 . 2009-07-04 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\GameHouse
2009-07-04 18:43 . 2009-07-04 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-07-04 18:43 . 2009-07-04 18:43 -------- d-----w- c:\documents and settings\Fredo\Application Data\PlayFirst
2009-07-04 18:43 . 2009-07-04 18:42 1339392 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\dinerdash\game\diner dash.exe
2009-07-04 18:43 . 2009-07-04 18:42 589824 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\dinerdash\diner dash.exe
2009-07-04 18:43 . 2009-07-04 18:42 581632 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\dinerdash\adapter.exe
2009-07-04 18:42 . 2009-07-04 18:42 249856 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\components\pfMultiplayer.dll
2009-07-04 18:42 . 2009-07-04 18:42 466944 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\pfHarness\pfHarness.dll
2009-06-29 16:12 . 2005-08-16 09:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-06-13 16:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 11:16 . 2009-07-04 19:49 1781760 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\delicious-emilys-fame\DeliciousEmilysFame.exe
2009-06-25 11:16 . 2009-07-04 19:49 3710976 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\delicious-emilys-fame\game\DeliciousEmilysFame.exe
2009-06-17 21:50 . 2009-07-04 18:42 139264 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\PlayFirst.EXE
2009-06-16 14:36 . 2005-08-16 09:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 09:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 23:23 . 2009-07-04 19:49 57344 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\delicious-emilys-fame\pfinstall.dll
2009-06-12 12:31 . 2005-08-16 09:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 09:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 23:10 . 2009-06-10 23:10 1915520 ----a-w- c:\documents and settings\Fredo\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-10 16:19 . 2005-08-16 09:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-08-16 09:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-08-16 09:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 09:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 21:01 . 2005-08-16 09:41 88859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-03-10 17:37 . 2006-10-18 17:20 88 --sh--r- c:\windows\system32\D463159AE5.sys
2008-03-10 17:37 . 2006-10-18 17:20 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-01-02 22:41 . 2006-01-02 22:41 45056 c:\program files\ATI Technologies\ATI.ACE\bak\cli.exe

2006-05-10 00:24 . 2006-05-10 00:24 50760 c:\program files\Common Files\AOL\1159373554\ee\bak\AOLSoftware.exe

2006-02-17 16:59 . 2006-02-17 16:59 124520 c:\program files\Common Files\AOL\IPHSend\bak\IPHSend.exe

2005-06-10 15:44 . 2005-06-10 15:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2005-06-10 15:44 . 2005-06-10 15:44 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

2006-09-19 08:45 . 2005-12-10 01:29 49152 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2006-07-17 02:29 . 2006-07-17 02:29 389120 c:\program files\Dell Support\bak\DSAgnt.exe

2007-03-05 21:57 . 2007-03-05 21:57 1103480 c:\program files\Download Manager\bak\DLM.exe

2009-02-26 21:59 . 2009-02-26 22:59 329728 c:\program files\ExamSoft\SofTest\bak\01_04078-CalBar_2-09_PT-B-090226_64.bak

2009-02-26 21:59 . 2009-02-26 23:31 368640 c:\program files\ExamSoft\SofTest\bak\02_04078-CalBar_2-09_PT-B-090226_96.bak

2009-02-26 21:59 . 2009-02-27 00:03 428032 c:\program files\ExamSoft\SofTest\bak\03_04078-CalBar_2-09_PT-B-090226_128.bak

2009-02-26 21:59 . 2009-02-27 00:35 475136 c:\program files\ExamSoft\SofTest\bak\04_04078-CalBar_2-09_PT-B-090226_160.bak

2009-02-26 21:59 . 2009-02-27 00:55 522240 c:\program files\ExamSoft\SofTest\bak\05_04078-CalBar_2-09_PT-B-090226_FinalClose.bak

2009-02-26 21:59 . 2009-02-27 00:55 522240 c:\program files\ExamSoft\SofTest\bak\06_CalBar_2-09_PT-B04078_FinalRestart.bak

2009-07-22 23:47 . 2009-07-22 23:47 301056 c:\program files\ExamSoft\SofTest\bak\07_09746-MOCKEXAM-090722_FinalClose.bak

2009-07-22 23:47 . 2009-07-22 23:47 301056 c:\program files\ExamSoft\SofTest\bak\08_MOCKEXAM09746_FinalRestart.bak

2009-07-28 16:53 . 2009-07-28 17:21 430080 c:\program files\ExamSoft\SofTest\bak\09_09746-CalBar_7-09_Q1-3-090728_32.bak

2009-07-28 16:53 . 2009-07-28 17:53 448512 c:\program files\ExamSoft\SofTest\bak\10_09746-CalBar_7-09_Q1-3-090728_64.bak

2009-07-28 16:53 . 2009-07-28 18:25 468992 c:\program files\ExamSoft\SofTest\bak\11_09746-CalBar_7-09_Q1-3-090728_96.bak

2009-07-28 16:53 . 2009-07-28 18:57 499712 c:\program files\ExamSoft\SofTest\bak\12_09746-CalBar_7-09_Q1-3-090728_128.bak

2009-07-28 16:53 . 2009-07-28 19:21 520192 c:\program files\ExamSoft\SofTest\bak\13_09746-CalBar_7-09_Q1-3-090728_FinalClose.bak

2009-07-28 16:53 . 2009-07-28 19:21 520192 c:\program files\ExamSoft\SofTest\bak\14_CalBar_7-09_Q1-309746_FinalRestart.bak

2009-07-28 21:11 . 2009-07-28 21:39 305152 c:\program files\ExamSoft\SofTest\bak\15_09746-CalBar_7-09_PT-A-090728_32.bak

2009-07-28 21:11 . 2009-07-28 22:11 319488 c:\program files\ExamSoft\SofTest\bak\16_09746-CalBar_7-09_PT-A-090728_64.bak

2009-07-28 21:11 . 2009-07-28 22:43 337920 c:\program files\ExamSoft\SofTest\bak\17_09746-CalBar_7-09_PT-A-090728_96.bak

2009-07-28 21:11 . 2009-07-28 23:15 366592 c:\program files\ExamSoft\SofTest\bak\18_09746-CalBar_7-09_PT-A-090728_128.bak

2009-07-28 21:11 . 2009-07-28 23:47 401408 c:\program files\ExamSoft\SofTest\bak\19_09746-CalBar_7-09_PT-A-090728_160.bak

2009-07-28 21:11 . 2009-07-29 00:03 417792 c:\program files\ExamSoft\SofTest\bak\20_09746-CalBar_7-09_PT-A-090728_FinalClose.bak

2009-07-28 21:11 . 2009-07-29 00:03 417792 c:\program files\ExamSoft\SofTest\bak\21_CalBar_7-09_PT-A09746_FinalRestart.bak

2009-07-30 15:46 . 2009-07-30 16:14 434176 c:\program files\ExamSoft\SofTest\bak\22_09746-CalBar_7-09_Q4-6-090730_32.bak

2009-07-30 15:46 . 2009-07-30 16:46 462848 c:\program files\ExamSoft\SofTest\bak\23_09746-CalBar_7-09_Q4-6-090730_64.bak

2009-07-30 15:46 . 2009-07-30 17:18 483328 c:\program files\ExamSoft\SofTest\bak\24_09746-CalBar_7-09_Q4-6-090730_96.bak

2009-07-30 15:46 . 2009-07-30 17:50 512000 c:\program files\ExamSoft\SofTest\bak\25_09746-CalBar_7-09_Q4-6-090730_128.bak

2009-07-30 15:46 . 2009-07-30 18:22 552960 c:\program files\ExamSoft\SofTest\bak\26_09746-CalBar_7-09_Q4-6-090730_160.bak

2009-07-30 15:46 . 2009-07-30 18:38 602112 c:\program files\ExamSoft\SofTest\bak\27_09746-CalBar_7-09_Q4-6-090730_FinalClose.bak

2009-07-30 15:46 . 2009-07-30 18:38 602112 c:\program files\ExamSoft\SofTest\bak\28_CalBar_7-09_Q4-609746_FinalRestart.bak

2009-07-30 21:00 . 2009-07-30 21:28 307200 c:\program files\ExamSoft\SofTest\bak\29_09746-CalBar_7-09_PT-B-090730_32.bak

2009-07-30 21:00 . 2009-07-30 22:00 329728 c:\program files\ExamSoft\SofTest\bak\30_09746-CalBar_7-09_PT-B-090730_64.bak

2009-07-30 21:00 . 2009-07-30 22:32 364544 c:\program files\ExamSoft\SofTest\bak\31_09746-CalBar_7-09_PT-B-090730_96.bak

2009-07-30 21:00 . 2009-07-30 23:04 397312 c:\program files\ExamSoft\SofTest\bak\32_09746-CalBar_7-09_PT-B-090730_128.bak

2009-07-30 21:00 . 2009-07-30 23:36 434176 c:\program files\ExamSoft\SofTest\bak\33_09746-CalBar_7-09_PT-B-090730_160.bak

2009-07-30 21:00 . 2009-07-30 23:52 452608 c:\program files\ExamSoft\SofTest\bak\34_09746-CalBar_7-09_PT-B-090730_FinalClose.bak

2009-02-24 17:10 . 2009-02-24 20:06 710656 c:\program files\ExamSoft\SofTest\bak\35_CalBar_2-09_Q1-304078_FinalRestart.bak

2009-02-24 22:03 . 2009-02-24 22:31 301056 c:\program files\ExamSoft\SofTest\bak\36_04078-CalBar_2-09_PT-A-090224_32.bak

2009-02-24 22:03 . 2009-02-24 23:03 317440 c:\program files\ExamSoft\SofTest\bak\37_04078-CalBar_2-09_PT-A-090224_64.bak

2009-02-24 22:03 . 2009-02-24 23:36 350208 c:\program files\ExamSoft\SofTest\bak\38_04078-CalBar_2-09_PT-A-090224_96.bak

2009-02-24 22:03 . 2009-02-25 00:08 380928 c:\program files\ExamSoft\SofTest\bak\39_04078-CalBar_2-09_PT-A-090224_128.bak

2009-02-24 22:03 . 2009-02-25 00:40 417792 c:\program files\ExamSoft\SofTest\bak\40_04078-CalBar_2-09_PT-A-090224_160.bak

2009-02-24 22:03 . 2009-02-25 01:00 438272 c:\program files\ExamSoft\SofTest\bak\41_04078-CalBar_2-09_PT-A-090224_FinalClose.bak

2009-02-24 22:03 . 2009-02-25 01:00 438272 c:\program files\ExamSoft\SofTest\bak\42_CalBar_2-09_PT-A04078_FinalRestart.bak

2009-02-26 16:48 . 2009-02-26 17:16 524288 c:\program files\ExamSoft\SofTest\bak\43_04078-CalBar_2-09_Q4-6-090226_32.bak

2009-02-26 16:48 . 2009-02-26 17:48 548864 c:\program files\ExamSoft\SofTest\bak\44_04078-CalBar_2-09_Q4-6-090226_64.bak

2009-02-26 16:48 . 2009-02-26 18:20 583680 c:\program files\ExamSoft\SofTest\bak\45_04078-CalBar_2-09_Q4-6-090226_96.bak

2009-02-26 16:48 . 2009-02-26 18:52 608256 c:\program files\ExamSoft\SofTest\bak\46_04078-CalBar_2-09_Q4-6-090226_128.bak

2009-02-26 16:48 . 2009-02-26 19:24 643072 c:\program files\ExamSoft\SofTest\bak\47_04078-CalBar_2-09_Q4-6-090226_160.bak

2009-02-26 16:48 . 2009-02-26 19:44 694272 c:\program files\ExamSoft\SofTest\bak\48_04078-CalBar_2-09_Q4-6-090226_FinalClose.bak

2009-02-26 16:48 . 2009-02-26 19:44 694272 c:\program files\ExamSoft\SofTest\bak\49_CalBar_2-09_Q4-604078_FinalRestart.bak

2009-02-26 21:59 . 2009-02-26 22:27 307200 c:\program files\ExamSoft\SofTest\bak\50_04078-CalBar_2-09_PT-B-090226_32.bak

2007-02-25 04:45 . 2007-12-23 21:53 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2006-05-01 14:28 . 2006-05-01 14:28 602182 c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe

2006-05-01 14:28 . 2006-05-01 14:28 667718 c:\program files\Intel\Wireless\Bin\bak\ZCfgSvc.exe

2006-09-19 08:58 . 2005-07-13 00:05 1117184 c:\program files\McAfee\SpamKiller\bak\MSKDetct.exe

2006-09-19 08:49 . 2006-09-19 08:49 98304 c:\program files\QuickTime\bak\qttask.exe
2009-05-27 00:18 . 2009-05-27 00:18 413696 c:\program files\QuickTime\QTTask.exe

2006-09-19 08:39 . 2006-03-08 16:48 761947 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

2007-01-09 17:55 . 2006-10-30 20:27 715888 c:\program files\The Weather Channel FW\Desktop Weather\bak\DesktopWeather.exe

2005-08-16 09:37 . 2005-09-29 19:01 67584 c:\windows\ehome\bak\ehtray.exe

2005-08-16 09:18 . 2004-08-10 10:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-08-16 09:18 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2006-09-19 08:49 . 2004-12-06 06:05 127035 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [N/A]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [N/A]
"DW4"="c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [N/A]
"DriverUpdaterPro"="c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe" [N/A]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [N/A]
"Aim6"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-19 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 17:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/15/2009 8:53 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/16/2009 10:50 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/16/2009 10:50 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2009 10:49 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
S0 qbcd77a;qbcd77a;\SystemRoot\\SystemRoot\System32\drivers\qbcd77a.sys --> \SystemRoot\\SystemRoot\System32\drivers\qbcd77a.sys [?]
S1 3e5d9b92.sys;3e5d9b92.sys;\??\c:\windows\System32\drivers\3e5d9b92.sys --> c:\windows\System32\drivers\3e5d9b92.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cnn.com/
Trusted Zone: barbri.com\www
FF - ProfilePath - c:\documents and settings\Fredo\Application Data\Mozilla\Firefox\Profiles\16e6bgpu.default\
FF - prefs.js: browser.startup.homepage - drudgereport.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1408)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-08-18 20:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 03:29

Pre-Run: 12,234,178,560 bytes free
Post-Run: 12,071,006,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

308 --- E O F --- 2009-08-12 08:03

#14 SifuMike

    malware expert

Posted 18 August 2009 - 12:52 AM

Hi fredp333,

This computer is quite a mess! :thumbup2:

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    proquota
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up on your Desktop. Post the content of the log here in your next reply
    Note: The log can also be found on your Desktop, entitled SystemLook.txt
**************

Download FindAWF:
http://noahdfear.geekstogo.com/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced that we need to look at.
Please post it in your reply.

Edited by SifuMike, 18 August 2009 - 01:31 AM.

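The FindAWF step above looks for "bak" folders because the infection it targets parks a program's original executable under bak\ and leaves a replacement in the original's place; the ComboFix listing earlier in this thread shows exactly those pairs. The following is an added example (my own code, not part of the original post and not ComboFix's or FindAWF's code) that parses lines in the format of that listing, pairs each executable under a bak folder with the live file one level up, and flags what a helper would look at. The field layout is assumed from the visible lines, the sample lines are constructed from the listing, and the identical-size heuristic assumes the dropper leaves copies of one file.

```python
import re
# Constructed sample in the shape of the ComboFix "bak" listing above: created . modified size path
SAMPLE_LOG = r"""
2009-07-28 16:53 . 2009-07-28 17:53 448512 c:\program files\ExamSoft\SofTest\bak\10_09746-CalBar_7-09_Q1-3-090728_64.bak
2006-09-19 08:49 . 2006-09-19 08:49 98304 c:\program files\QuickTime\bak\qttask.exe
2009-05-27 00:18 . 2009-05-27 00:18 413696 c:\program files\QuickTime\QTTask.exe
2005-08-16 09:18 . 2004-08-10 10:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-08-16 09:18 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
2006-09-19 08:39 . 2006-03-08 16:48 761947 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
"""
# Assumed field layout: "<created> . <modified> <size> <path>" (path may contain spaces)
LINE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+)\s+(\d+)\s+(.+?)\s*$")

def parse_entries(text):
    """Return (created, modified, size, lowercased path) for each listing line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m[1], m[2], int(m[3]), m[4].lower()))
    return entries

def pair_bak_entries(entries):
    """Map each .exe parked under a bak folder to the live file one level up (data files skipped)."""
    by_path = {e[3]: e for e in entries}  # ExamSoft's bak folder holds .bak answer backups, not exes
    pairs = {}
    for e in entries:
        if e[3].endswith(".exe") and "\\bak\\" in e[3]:
            live = e[3].replace("\\bak\\", "\\", 1)  # strip the bak component to get the live path
            pairs[live] = {"bak": e, "live": by_path.get(live)}
    return pairs

def assess(pairs):
    """missing_live: nothing listed in the original's place; same_size: matches the parked copy; changed: differs."""
    verdicts = {}
    for live, p in pairs.items():
        if p["live"] is None:
            verdicts[live] = "missing_live"
        elif p["live"][2] == p["bak"][2]:
            verdicts[live] = "same_size"
        else:
            verdicts[live] = "changed"  # live file differs from the parked original: look closer
    return verdicts

def shared_live_sizes(pairs):
    """Assumed tell: if the dropper leaves copies of one file, several live files share one exact size."""
    sizes = {}
    for live, p in pairs.items():
        if p["live"] is not None:
            sizes.setdefault(p["live"][2], []).append(live)
    return {s: v for s, v in sizes.items() if len(v) > 1}
```

On the sample, QTTask.exe comes out as "changed" (a newer QuickTime is the benign explanation, which is why the verdict is a prompt to check rather than a conviction), ctfmon.exe as "same_size", and SynTPEnh.exe as "missing_live".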

#15 fredp333

    Topic Starter

Posted 18 August 2009 - 02:08 AM

Here you go, thank you.

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 23:15 on 17/08/2009 by Fredo (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota"
No files found.

-=End Of File=-



