Search results redirected to quest booster


31 replies to this topic

#1 Kat91119

Posted 03 January 2010 - 11:29 AM

I downloaded a file I probably shouldn't have, and what do ya know, I've got viruses now. I thought "no big deal, I'm a pro at this now...." WRONG! It's not one I've ever dealt with before and it won't go away!

When looking stuff up in Google, I click on the search results and I'm redirected to one of many different search sites: one called Quest Booster, another is comparedby.us, another is searchfindsite.com.

I also get random popups that IE has crashed and would I like to send the error report. I don't even use IE...

AVG reported I had a virus. I moved them to the vault. Ran Malwarebytes and it too detected a few things; they were deleted. I then ran SuperAntiSpyware and it detected 3. I'm not sure how to post a log, but if I go to the Quarantined Items this is what it says:

Trojan.Agent/Gen-Alway[IE]
C:\PROGRAM FILES\INTERNET EXPLORER\WMPSCFGS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\WMPSCFGS.EXE
C:\WINDOWS\Prefetch\WMPSCFGS.EXE-26E76528.pf

Trojan.DropperSys-Nv
c:\WINDOWS\SYSTEM32\PR11.DLL

The others were tracking cookies that were removed.

Now, I've run these three times; they keep getting removed, but I'm still having the search hijack and the virus checker still finds these trojans. They are still running in the background if I do CTRL+ALT+DEL.

Please help, this is so frustrating!


Edit: Links disabled, to preclude possible infection. ~tg



#2 Kat91119

  • Topic Starter

Posted 03 January 2010 - 01:07 PM

I forgot to mention that two random EXE files keep appearing and multiplying on my desktop. They are:

alcmtr.exe
rthdcpl.exe

Doing some research on my other computer, I found that WMPNSCFG.EXE belongs to Windows Media Player Network Sharing. I hooked an Xbox 360 up to our network on Christmas, which would explain that. But I disabled it via WMP the other day. So I followed some directions online on how to stop it from connecting, but it's still listed in running processes. I haven't rebooted yet as I'm running a full scan on Malwarebytes again. During the scan I'm doing now, AVG has popped up twice with the following info:

c:\documents and settings\kat\application data\desktopicon\ebayshortcuts.exe as an Adware Generic4.vbk
c:\WINDOWS\system32\wexe.exe as a Trojan horse Generic16.LIE

EDIT: Scan complete. Didn't find anything. Checked running processes; it still shows a few wmpscfgs running (3 of them) and txxp.exe. Going to run a few scans while I wait for someone to take a peek here.

Edited by Kat91119, 03 January 2010 - 02:16 PM.


#3 Markel69

Posted 03 January 2010 - 05:57 PM

I have had a similar problem since 1900 on the 1st Jan and it's taken me this long to get it off my system. I stupidly attempted to download a file and things went from bad to worse. Firstly I couldn't play films through one of my media players. Then I couldn't access my Norton Anti Virus and it kept giving me the following message: "The instruction at "0x67412Fc" referenced memory at "0x00000018". The memory could not be read", followed by a window later saying "Symantec Service Framework has encountered a problem and needs to close". Attempts to debug were useless. I had also lost my task bar.
I was unable to perform a virus scan at all and afraid to access the internet, so I removed the computer from the network.
I attempted a virus scan in safe mode using Norton 360; it didn't find anything. I attempted to uninstall and re-install; this was useless. Yesterday I was now unable to access the internet, and in normal mode the above messages kept popping up, along with an uncommanded opening of Internet Explorer (iexplore.exe) when viewed through Windows Task Manager.
Back to the drawing board. Using another computer I downloaded and installed, in safe mode, Malwarebytes Anti-Malware software and ran various scans. It found problems along with Wexe.exe, which was disabled (I had previously noticed this running and searched the internet to find it was malware).
Thinking I was free I restarted the computer in normal mode. To my dismay, still problematic. Tried several things including SmitFraud; this made things worse.
Using Safe Mode with Networking I connected to the remote helper of Norton. A lot of good that was. Took 30 minutes to get an operator who couldn't help before passing me to a so-called Virus Expert. When I went through the problems he also said he couldn't help and that it sounded like I had a Deep Virus and that I would need to pay for either remote removal (£69.99 GBP) or removal with diagnostics, advice for future applications and PC Tune-up. I wouldn't go for it straight away; they said that the computer needed work straight away. I said I would think about it and agreed for them to call me back at 1200 GMT today. Guess what, it never happened.
Today I downloaded a few items which picked up alleged problems during scanning, but wanted me to purchase the full version before deleting.
I downloaded SPYBOT and used that. It said my system was free. All this work was done with my laptop, the programs saved, with Save As, in a separate folder, and installed on my desktop using a memory stick.
SPYBOT found a few problems. It found that the Windows Anti Virus Key had been set to 4 in the registry (Off) according to Spybot. This was reset to 2 as suggested by the program. A few minor errors left over from SmitFraud were cleaned, but little else.
A restart in Windows and the problem was still there. Various attempts looking through the internet at the various programs running convinced me the problem was still there, although I could now run Antivirus Software in the normal running mode.
After deleting a few files through the Windows History folder I eventually got Internet Access back and the fun started. Eventually I downloaded Security Task Manager, where I quarantined some items. Things were getting better. **ADDED** I also removed an exe file called bnhbg.exe; an internet search on this didn't reveal any answers, in fact I couldn't find any. It took several attempts to remove this file, but it didn't seem important and ran with a High risk. **ADDED**
Internet was still accessing without command though, and there were spontaneous wmpscfgs.exe items running in Task Manager.
I eventually downloaded a trial of SuperAntiSpyware which found the very issues. I ran it and removed them, it saying that it was Trojan.Agent/Gen-Alway[IE].
Thought my problems were over. I've just rebooted and iexplore is opening again, along with files placed in the History, ads mostly. I have disconnected the internet and am just letting it run. I'm about to scan again using SuperAntiSpyware, which is the only reference I have seen regarding this problem, which apparently first appeared early in December, with the Virus Definitions only updated on 1/1/10.
This thread may help get your computer working somewhat, but this is not yet the end.
Anyone with any suggestions please help. As I type, items are changing in the Internet Explorer Temporary folder.
In Application History, cli.exe.c88dbd71.ini.inuse has changed.
In Local Settings/Temp there are two Video CD Movie files, Perflib_Perfdata_c08 and _e54, created along with the wmpscfgs application and a few other files.

Earlier I deleted some files PR15.DLL and PR17.DLL from the History

Help Please

By the way, I am running on Windows XP SP3. I had to re-activate it earlier after quarantining some items using Security Task Manager.

Edited by Markel69, 03 January 2010 - 07:01 PM.


#4 Kat91119

  • Topic Starter

Posted 03 January 2010 - 10:10 PM

So, I went into safe mode, because every time I tried to update SpyBot or anything else on the internet I would lose my internet connection. So, I updated a bunch of stuff and ran Dr. Web (in safe mode); I had read on another site that it may have helped someone with a browser hijacker.

After running for 5hrs and 45 minutes I got this log:

RegUBP2b-Kat.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
4bb348e2-4e4ebaf1\myf/y/AppletX.class;C:\Documents and Settings\Kat\Application Data\Sun\Java\Deployment\cache\6.0\34\4bb348e2-4e4ebaf1;Exploit.CVE2008.5353;;
4bb348e2-4e4ebaf1\myf/y/LoaderX.class;C:\Documents and Settings\Kat\Application Data\Sun\Java\Deployment\cache\6.0\34\4bb348e2-4e4ebaf1;Exploit.CVE2008.5353;;
4bb348e2-4e4ebaf1\myf/y/PayloadX.class;C:\Documents and Settings\Kat\Application Data\Sun\Java\Deployment\cache\6.0\34\4bb348e2-4e4ebaf1;Exploit.CVE2008.5353;;
4bb348e2-4e4ebaf1;C:\Documents and Settings\Kat\Application Data\Sun\Java\Deployment\cache\6.0\34;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Kat\My Documents\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Kat\My Documents;Archive contains infected objects;Moved.;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0100462.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP520;Trojan.StartPage.1505;Deleted.;
A0112251.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP546;Trojan.StartPage.1505;Deleted.;
A0112291.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP547;Trojan.StartPage.1505;Deleted.;
A0122493.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559;Trojan.Siggen.462;Deleted.;
A0122502.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559;Trojan.StartPage.1505;Deleted.;
A0122503.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559\A0122503.exe;Tool.Prockill;;
A0122503.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559;Archive contains infected objects;Moved.;
adobemedia.exe;C:\WINDOWS\system32;Trojan.Siggen.462;Deleted.;
wexe.exe;C:\WINDOWS\system32;Trojan.Siggen.462;Deleted.;


I rebooted normally, checked running processes and I still see wmpscfgs.exe, txxp.exe, and now there is qttask .exe (yes, it has that big space). A lot of these are doubled, so I don't know what that means.

I'm tearing my hair out here. Can anyone help? Please...
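The Dr.Web log in the post above is semicolon-delimited (object name; containing folder; threat name; action taken), and not every line in it carries the same weight: the Exploit.CVE2008.5353 class files sit in the Java deployment cache, several hits are copies inside System Restore points (C:\System Volume Information\_restore...), and the entries with a blank action are members of an archive that was moved as a whole. The Python below is an added illustration, not part of the thread and not Dr.Web's own tooling; it parses lines in that shape and sorts the detections into those buckets so the live-system hits stand out. The sample lines are a shortened copy of the log above; the bucket names and helper functions are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a shortened copy of the Dr.Web log posted above, same
# semicolon-delimited shape (object;folder;threat;action;).
SAMPLE_LOG = r"""
RegUBP2b-Kat.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
4bb348e2-4e4ebaf1\myf/y/AppletX.class;C:\Documents and Settings\Kat\Application Data\Sun\Java\Deployment\cache\6.0\34\4bb348e2-4e4ebaf1;Exploit.CVE2008.5353;;
4bb348e2-4e4ebaf1;C:\Documents and Settings\Kat\Application Data\Sun\Java\Deployment\cache\6.0\34;Archive contains infected objects;Moved.;
A0122493.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559;Trojan.Siggen.462;Deleted.;
A0122503.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559\A0122503.exe;Tool.Prockill;;
wexe.exe;C:\WINDOWS\system32;Trojan.Siggen.462;Deleted.;
"""

RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore", re.I)
JAVA_CACHE = re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I)


@dataclass
class Detection:
    obj: str      # object name as logged; archive members carry an inner path
    folder: str   # folder (or containing archive) the object was found in
    threat: str   # Dr.Web threat name, e.g. Trojan.Siggen.462
    action: str   # "Deleted.", "Moved.", "Incurable.Moved." or "" for archive members

    @property
    def inside_archive(self) -> bool:
        # Members of an archive are logged with a path-like object name and no
        # action of their own; the container archive gets the action instead.
        return ("\\" in self.obj or "/" in self.obj) and self.action == ""

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_POINT.search(self.folder) is not None

    @property
    def in_java_cache(self) -> bool:
        return JAVA_CACHE.search(self.folder) is not None


def parse_drweb_log(text: str) -> list[Detection]:
    """Parse semicolon-delimited Dr.Web log lines into Detection records."""
    dets = []
    for line in text.strip().splitlines():
        parts = line.split(";")
        if len(parts) < 4:
            continue  # not a detection line
        obj, folder, threat, action = (p.strip() for p in parts[:4])
        dets.append(Detection(obj, folder, threat, action))
    return dets


def triage(text: str) -> dict:
    """Group detections by where they were found, which decides the follow-up:
    restore-point copies come back if that restore point is ever applied, Java
    cache entries point at the browser-side infection vector, and live-system
    hits are the ones that matter for an infection that is still active."""
    dets = parse_drweb_log(text)
    buckets = {
        "by_threat": Counter(d.threat for d in dets),
        "restore_point": [d for d in dets if d.in_restore_point],
        "java_cache": [d for d in dets if d.in_java_cache],
        "archive_member": [d for d in dets if d.inside_archive],
        "live_system": [d for d in dets
                        if not (d.in_restore_point or d.in_java_cache or d.inside_archive)],
    }
    buckets["total"] = len(dets)
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["total"], "detections")
    for name in ("live_system", "restore_point", "java_cache", "archive_member"):
        print(f"{name}: {[d.obj for d in result[name]]}")
```

On the full log above the same split puts the two system32 executables (adobemedia.exe, wexe.exe) and the Spybot snapshot .reg in the live-system bucket, which is where the still-running wmpscfgs.exe and txxp.exe processes the poster keeps seeing are conspicuously absent.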

#5 tg1911

Posted 03 January 2010 - 10:46 PM

Markel69,
If you have a problem you would like to discuss, please start your own topic.
This will help to avoid the confusion of trying to help two or more people in the same thread with different problems.
Even if your problem is similar to the original poster's problem, the solution could be totally different due to different hardware, software, system requirements, etc.
This is also known as hijacking a thread, which is not considered to be proper forum etiquette.

#6 Kat91119

  • Topic Starter

Posted 04 January 2010 - 12:51 AM

Alright, I'm about to run SuperAntiSpyware for like the 10th time...but wanted to post what I've done since my last post...

All of a sudden the rthdcpl.exe and alcmtr.exe were back on my desktop! Deleted them, and cleaned the recycle bin again for the 20th time.

Ran TFC
Ran Rkill
Ran quick Malwarebytes Scan

Malwarebytes' Anti-Malware 1.43
Database version: 3490
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/3/2010 10:47:39 PM
mbam-log-2010-01-03 (22-47-39).txt

Scan type: Quick Scan
Objects scanned: 123362
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Noticed I had no internet connection again.

Ran Malwarebytes Full Scan

During this scan I kept getting errors for Adobe Acrobat Reader crashing. "Adobe Reader 8.1 has encountered a problem and needs to close. We are sorry for the inconvenience." Another one stated "There is a problem with Adobe Acrobat/Reader. Please exit Adobe Acrobat/Reader and try again."

Malwarebytes' Anti-Malware 1.43
Database version: 3490
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/4/2010 12:37:49 AM
mbam-log-2010-01-04 (00-37-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 336839
Time elapsed: 1 hour(s), 43 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#7 Kat91119

  • Topic Starter

Posted 04 January 2010 - 02:04 AM

Wow...no help or suggestions yet... :thumbsup:

Decided to run SDFix to see if I could find anything; it found nothing. Here's the log:

SDFix: Version 1.240
Run by Kat on Mon 01/04/2010 at 01:19 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :

C:\WINDOWS
:0E6FF2D725F1BCB0 72
Total size: 72 bytes.
WINDOWS: deleted 72 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS
No streams found.



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-04 01:46:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1211554098\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1211554098\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"="C:\\Program Files\\WS_FTP\\WS_FTP95.exe:*:Enabled:WS_FTP 95"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\1211554098\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1211554098\\EE\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Windows Media Components\\Tools\\NsRex.exe"="C:\\Program Files\\Windows Media Components\\Tools\\NsRex.exe:*:Enabled:Windows Media Encoder"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\AOL 9.5\\waol.exe"="C:\\Program Files\\AOL 9.5\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\AIM7\\aim.exe"="C:\\Program Files\\AIM7\\aim.exe:*:Enabled:AIM"
"C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"="C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe:*:Enabled:Veoh Web Player "
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\AVG\\AVG9\\avgemc.exe"="C:\\Program Files\\AVG\\AVG9\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG9\\avgupd.exe"="C:\\Program Files\\AVG\\AVG9\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG9\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG9\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\TinCam\\TinCam.exe"="C:\\Program Files\\TinCam\\TinCam.exe:*:Enabled:TinCam"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\WINDOWS\\system32\\javaw.exe"="C:\\WINDOWS\\system32\\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"="C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe:*:Enabled:TVersity Media Server"
"C:\\WINDOWS\\system32\\txxp.exe"="C:\\WINDOWS\\system32\\txxp.exe:*:Enabled:ENABLE"
"c:\\windows\\system32\\txxp .exe"="c:\\windows\\system32\\txxp .exe:*:Enabled:ENABLE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :



Files with Hidden Attributes :

Sat 2 Jan 2010 60,416 ...H. --- "C:\Documents and Settings\Kat\mfdd.exe"
Thu 31 Aug 2006 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Thu 31 Aug 2006 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Wed 11 Feb 2009 46,376 A..H. --- "C:\Program Files\AOL 9.5\AOLphx.exe"
Wed 11 Feb 2009 54,568 A..H. --- "C:\Program Files\AOL 9.5\AOLphxex.exe"
Wed 11 Feb 2009 33,064 A..H. --- "C:\Program Files\AOL 9.5\rbm.exe"
Wed 4 Nov 2009 1,168,216 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\teatimer .exe"
Wed 8 Oct 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 29 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 11 Jul 2009 1,301 ...HR --- "C:\Documents and Settings\Kat\Application Data\SecuROM\UserData\securom_v7_01.bak"
Thu 24 Apr 2003 4,348 A..H. --- "C:\Documents and Settings\Kat\My Documents\My Music\License Backup\drmv1key.bak"
Sat 6 Aug 2005 20 A..H. --- "C:\Documents and Settings\Kat\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 6 Aug 2005 576 A..H. --- "C:\Documents and Settings\Kat\My Documents\My Music\License Backup\drmv2key.bak"
Wed 25 Mar 2009 96,072 ...H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"
Mon 4 Nov 2002 25,088 A..H. --- "C:\Documents and Settings\Kat\Desktop\Camp Blood\Old Camp Blood Pre Sept 2005\Novels\~WRL1007.tmp"
Mon 4 Nov 2002 28,672 A..H. --- "C:\Documents and Settings\Kat\Desktop\Camp Blood\Old Camp Blood Pre Sept 2005\Novels\~WRL1665.tmp"
Mon 4 Nov 2002 24,064 A..H. --- "C:\Documents and Settings\Kat\Desktop\Camp Blood\Old Camp Blood Pre Sept 2005\Novels\~WRL1883.tmp"
Mon 4 Nov 2002 25,088 A..H. --- "C:\Documents and Settings\Kat\Desktop\Camp Blood\Sept 2007\Novels\~WRL1007.tmp"
Mon 4 Nov 2002 28,672 A..H. --- "C:\Documents and Settings\Kat\Desktop\Camp Blood\Sept 2007\Novels\~WRL1665.tmp"
Mon 4 Nov 2002 24,064 A..H. --- "C:\Documents and Settings\Kat\Desktop\Camp Blood\Sept 2007\Novels\~WRL1883.tmp"
Fri 9 Mar 2001 42,496 A..HR --- "C:\Documents and Settings\Kat\My Documents\Halloween 2007_2\Halloween3\Halloween2\~WRL0004.tmp"
Sun 11 Mar 2001 45,568 A..HR --- "C:\Documents and Settings\Kat\My Documents\Halloween 2007_2\Halloween3\Halloween2\~WRL1363.tmp"
Sun 3 Nov 2002 83,456 A..H. --- "C:\Documents and Settings\Kat\Desktop\Camp Blood\Old Camp Blood Pre Sept 2005\Novels\book3\michael avallone\~WRL2459.tmp"
Sun 3 Nov 2002 83,456 A..H. --- "C:\Documents and Settings\Kat\Desktop\Camp Blood\Sept 2007\Novels\book3\michael avallone\~WRL2459.tmp"

Finished!


I'm going to attempt to run SuperAntiSpyware again, but every time I try to update it crashes... I'll post those results sometime tomorrow.
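One detail in the SDFix output above repays a second look: the firewall's AuthorizedApplications list carries both "txxp.exe" and "txxp .exe", and the same space-before-the-extension pattern shows up as "qttask .exe" in the process list and "teatimer .exe" in the hidden-files list. The Python below is an added example, not part of the thread and not SDFix's own code: it parses a .reg-style export of that key and flags entries with whitespace before the extension, entries whose value path disagrees with the value name, and near-duplicates that collapse to the same path once whitespace and case are ignored. The sample export is a shortened copy of the one above; the check names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the "Authorized Application Key Export"
# above, in the .reg-export shape SDFix prints (doubled backslashes, value =
# path:scope:state:description).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\AVG\\AVG9\\avgemc.exe"="C:\\Program Files\\AVG\\AVG9\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\WINDOWS\\system32\\txxp.exe"="C:\\WINDOWS\\system32\\txxp.exe:*:Enabled:ENABLE"
"c:\\windows\\system32\\txxp .exe"="c:\\windows\\system32\\txxp .exe:*:Enabled:ENABLE"
'''

ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')
SPACE_BEFORE_EXT = re.compile(r"\s+\.[A-Za-z0-9]+$")


def parse_authorized_apps(text: str) -> list[dict]:
    """Parse a .reg-style export of the XP firewall AuthorizedApplications list.
    Doubled backslashes are unescaped so the paths compare like real paths."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # key header or blank line
        key = m.group("key").replace("\\\\", "\\")
        value = m.group("value").replace("\\\\", "\\")
        parts = value.rsplit(":", 3)  # split from the right: the path itself contains "C:"
        if len(parts) != 4:
            continue
        path, scope, state, desc = parts
        entries.append({"key": key, "path": path, "scope": scope,
                        "state": state, "desc": desc})
    return entries


def normalise(path: str) -> str:
    """Collapse the differences a lookalike file name relies on."""
    return re.sub(r"\s+", "", path).lower()


def triage_authorized_apps(entries: list[dict]) -> list[tuple[str, str]]:
    """Return (path, reason) findings for entries that deserve a closer look."""
    findings = []
    seen = defaultdict(list)
    for e in entries:
        basename = e["path"].rsplit("\\", 1)[-1]
        if SPACE_BEFORE_EXT.search(basename):
            findings.append((e["path"], "whitespace before the file extension"))
        if e["key"].lower() != e["path"].lower():
            findings.append((e["path"], "value name and value path disagree"))
        seen[normalise(e["path"])].append(e["path"])
    for paths in seen.values():
        if len(paths) > 1:
            findings.append((" | ".join(paths),
                             "near-duplicate entries differing only by whitespace/case"))
    return findings


if __name__ == "__main__":
    for path, reason in triage_authorized_apps(parse_authorized_apps(SAMPLE_EXPORT)):
        print(f"{reason}: {path}")
```

The checks are deliberately content-free: they need no allowlist of known-good programs, only the shape of the entries, which is what makes a pair like txxp.exe / "txxp .exe" stand out in a list of forty legitimate AOL, AVG and messenger rules.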

#8 Kat91119

  • Topic Starter

Posted 04 January 2010 - 10:46 AM

Hum...I see a lot of other people with the redirect issue getting help, but notice mine isn't...should I be offended? LOL ;)

Ran SuperAntiSpyware again last night (It crashes on boot up with a box popping up, but it opens. It crashes when I try to update it as well). Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2010 at 04:18 AM

Application Version : 4.27.1002

Core Rules Database Version : 4441
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 01:58:38

Memory items scanned : 282
Memory threats detected : 1
Registry items scanned : 6804
Registry threats detected : 0
File items scanned : 38713
File threats detected : 10

Trojan.Agent/Gen-Alway[IE]
C:\PROGRAM FILES\INTERNET EXPLORER\WMPSCFGS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\WMPSCFGS.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Kat\Cookies\kat@rambler[1].txt
C:\Documents and Settings\Kat\Cookies\kat@serving-sys[2].txt
C:\Documents and Settings\Kat\Cookies\kat@bs.serving-sys[1].txt
C:\Documents and Settings\Kat\Cookies\kat@apmebf[1].txt
C:\Documents and Settings\Kat\Cookies\kat@zedo[2].txt
C:\Documents and Settings\Kat\Cookies\kat@statcounter[1].txt
C:\Documents and Settings\Kat\Cookies\kat@atdmt[1].txt
C:\Documents and Settings\Kat\Cookies\kat@ad.yieldmanager[1].txt
C:\Documents and Settings\Kat\Cookies\kat@revsci[1].txt


Rebooted, and I still have WMPSCFGS.EXE running in the background...

#9 Kat91119

  • Topic Starter

Posted 04 January 2010 - 02:19 PM

Any way to change the title of this? Lots of people are looking at it, but nobody is helping me, and others are getting help.

#10 Kat91119

  • Topic Starter

Posted 04 January 2010 - 05:13 PM

I'm really hoping this can be fixed soon. I can't do anything on my PC and I have websites that I run that need updating. I can't lose that info I have on this computer.

Ran AVG in safe mode, so it ran in "command line composer". It found "c:\documents and settings\kat\application data\desktopicon\ebayshortcuts.exe" as Adware Generic4.VBK.

Here is the log:

AVG 9.0 Anti-Virus command line scanner
Copyright © 1992 - 2009 AVG Technologies
Program version 9.0.712, engine 9.0.725
Virus Database: Version 270.14.124/2598 2010-01-03

C:\Documents and Settings\All Users\Documents\ Locked file. Not tested.
C:\Documents and Settings\Kat\Application Data\Desktopicon\eBayShortcuts.exe Adware Generic4.VBK Object was moved to Virus Vault.
C:\Documents and Settings\Kat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Kat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Kat\Local Settings\Temp\172E24.dmp Locked file. Not tested.
C:\Documents and Settings\Kat\Local Settings\Temp\18A478.dmp Locked file. Not tested.
C:\Documents and Settings\Kat\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Kat\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\LocalService\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\config\DEFAULT Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SOFTWARE Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SYSTEM Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 377259
Found infections : 0
Found PUPs : 1
Healed infections : 0
Healed PUPs : 1
Warnings : 0
------------------------------------------------------------



Downloaded and ran Rootkit:
http://ad13.geekstogo.com/RootRepeal.exe

Here is that log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/04 13:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9F2A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BB7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8C15000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Kat\Local Settings\Apps\2.0\7CM93B4W.KX2\NLXG7MG0.N7A\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Kat\Local Settings\Apps\2.0\7CM93B4W.KX2\NLXG7MG0.N7A\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76c387e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf76c3bfe

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xaa05e0b0

==EOF==


Ran GooredFix
Here are my results:

GooredFix by jpshortstuff (02.01.10.1)
Log created at 14:26 on 04/01/2010 (Kat)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:13 03/08/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [18:45 18/10/2008]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [15:23 06/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [16:32 01/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [16:08 10/06/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [21:32 04/08/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [00:43 04/11/2009]

C:\Documents and Settings\Kat\Application Data\Mozilla\Firefox\Profiles\4070qh7x.default\extensions\
anycolor.pavlos256@gmail.com [05:43 25/10/2009]
{196252dc-bf6d-4aa2-bb39-038d9495b561} [01:20 24/12/2009]
{20a82645-c095-46ed-80e3-08825760534b} [00:46 03/09/2009]
{6614d11d-d21d-b211-ae23-815234e1ebb5} [01:56 03/01/2010]
{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [16:38 09/12/2009]
{f1ac39e3-5cd4-4b04-902f-e1add0245a11} [21:54 25/10/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [01:07 05/11/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:47 22/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [15:23 06/03/2009]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\" [02:35 04/11/2009]

-=E.O.F=-


Ran ESET Online Scan
Here are those results:

C:\Documents and Settings\Kat\My Documents\Vdownloader\vdownloader_setup.exe a variant of Win32/Adware.ADON application deleted - quarantined
C:\WINDOWS\system32\PR18.DLL a variant of Win32/Agent.QOH trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\PR19.DLL a variant of Win32/Agent.QOH trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\txxp .exe a variant of Win32/Kryptik.BPZ trojan cleaned by deleting - quarantined


I'm wondering if I need to open a new topic as maybe the title is misleading. I don't know....

Anyhow, wmpscfgs.exe is still a running process...or rather processes; there are three or four listed there. txxp.exe was there, but it went away now...

Edited by Kat91119, 04 January 2010 - 05:15 PM.


#11 Kat91119


Posted 04 January 2010 - 11:23 PM

Is anyone able to help me? Is there no fix for this yet?

#12 Kat91119


Posted 05 January 2010 - 11:35 AM

I don't know why no one is helping me here, I've always gotten help within 24 hrs. I started this topic days ago...and nothing. Perhaps it's because I've run so many scans, I do not know.

So far what's seemed to help me is I installed the 30 day trial of Dr.Web anti-virus for Windows, http://download.drweb.com/demoreq/ It found over 400 infected files! And it seems to stop unwanted processes from starting up. So far it appears as though it stops the redirects as well...but who knows, since it didn't happen all the time. I need to give it another scan with everything and see if anything pops up, as every scan gave me a different virus, or none at all.

I have so many files on here that it takes 3-6 hrs per scan! I've been scanning non-stop since I downloaded that stupid file!

#13 boopme

Global Moderator

Posted 05 January 2010 - 03:31 PM

Hello, looks like the biggest problem was all these posts to yourself... It looks from the outside as if you are receiving help.

Anyway, files like Qtask (is QuickTime) may be needed. RTHDCPL.EXE....
This program is required to run on startup in order to benefit from its functionality or so that the program will work.
Realtek HD Audio Sound Effect Manager. So be careful what you are deleting or trying to.

My guess here is you've downloaded a Torrent movie file that was loaded with baddies like most are.

There are no shortcuts in malware removal. But so far you have done fairly well.

Do you have Safe Mode? If so, run DrWEB AGAIN after this.
Part 1

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

now run
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
Let me know.

#14 Kat91119


Posted 05 January 2010 - 05:43 PM

You know, I realized that today...that someone thought I was already getting help. My fault.

No, it wasn't a movie file, never mess with those other than Netflix and Hulu. It was a demo program I thought was legit. Scanned before opening and everything. Opened it and AVG started yelling at me.

I ran Dr. Web Anti Virus Demo last night, and today, it seemed to remove some things, and looks like I'm left with stuff in the restore area.

Here is the log from that:

A0126301.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126302.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126303.ocx;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Adware.Gdown;;
A0126304.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126305.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126306.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126307.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126308.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126309.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126310.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126311.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126312.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126313.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126314.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126315.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126316.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126317.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126318.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126319.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126320.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126321.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126322.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126323.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126324.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126325.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126326.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126327.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126328.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126329.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126330.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126331.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126332.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126333.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126334.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126335.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126336.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126337.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126338.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126339.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126340.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126341.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;
A0126342.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP562;Trojan.Siggen.43038;;


I'll run the scans you've asked me to run and post my findings. Thank you for getting back to me to help. This has been driving me nuts.

EDIT: Yes, I do have safe mode, it's how I've been doing a lot of things when it hasn't run well in normal mode.

Edited by Kat91119, 05 January 2010 - 05:45 PM.


#15 Kat91119


Posted 05 January 2010 - 06:18 PM

SmitFraudFix v2.424

Scan done at 18:10:48.06, Tue 01/05/2010
Run from C:\Documents and Settings\Kat\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\DrWeb\spidernt.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DrWeb\SpIDerAgent.exe
C:\Program Files\DrWeb\spiderml.exe
C:\PROGRA~1\DrWeb\spiderui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kat


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Kat\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kat\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Kat\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="ezvkac.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® 82562V-2 10/100 Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{75AC16C9-23F2-4FC4-9C18-C1C90B53171C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{75AC16C9-23F2-4FC4-9C18-C1C90B53171C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{75AC16C9-23F2-4FC4-9C18-C1C90B53171C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Ran TDSSKiller but it didn't spit out a log?
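An added example, not from the thread and not SmitfraudFix's own code: a small Python checker over the report posted above that flags the persistence points this kind of report is meant to surface (a populated AppInit_DLLs, a non-stock Winlogon Userinit, a non-empty Winlogon System value). The sample input is constructed from the AppInit_DLLs, Winlogon and RK sections of the log above; the section names and the stock XP Userinit value are assumptions taken from that log.

```python
import re

# Constructed sample input: the AppInit_DLLs, Winlogon and RK sections as they appear in the report above.
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="ezvkac.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
»»»»»»»»»»»»»»»»»»»»»»»» RK
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"""

SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")  # "»»»» <section name>"
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]+)|"(.*)")$')  # .reg-style line
DEFAULT_USERINIT = r"C:\\WINDOWS\\system32\\userinit.exe,"  # stock XP value as the report writes it (assumption)


def parse_sections(report):
    """Split a SmitfraudFix-style report into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def reg_values(lines):
    """Pull "name"=value pairs out of a section; dword values become ints, others stay strings."""
    values = {}
    for line in lines:
        m = VALUE_RE.match(line)
        if m:
            name, dword, text = m.groups()
            values[name] = int(dword, 16) if dword is not None else text
    return values


def find_findings(report):
    """Return one line per persistence point worth a closer look; empty list means nothing flagged."""
    sections = parse_sections(report)
    findings = []
    appinit = reg_values(sections.get("AppInit_DLLs", []))
    dlls = appinit.get("AppInit_DLLs") or ""
    # With LoadAppInit_DLLs=1 every process that loads user32.dll also loads these DLLs; stock XP leaves it empty.
    if dlls and appinit.get("LoadAppInit_DLLs", 1) == 1:
        findings.append(f"AppInit_DLLs injects into every GUI process: {dlls}")
    userinit = reg_values(sections.get("Winlogon", [])).get("Userinit") or ""
    if str(userinit).lower() != DEFAULT_USERINIT.lower():
        findings.append(f"Winlogon Userinit is not the stock value: {userinit}")
    system = reg_values(sections.get("RK", [])).get("System") or ""
    if system:  # Winlogon\System is normally empty; anything here runs at logon
        findings.append(f"Winlogon System value is set: {system}")
    return findings
```

On the report above only the AppInit_DLLs line (ezvkac.dll) is flagged; Userinit matches the stock value and System is empty.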



