Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Needed In Removing Vstoolbar, Toolbar888, Targetsaver + More


  • Please log in to reply
2 replies to this topic

#1 ParanoidEleven

ParanoidEleven

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 08 October 2006 - 11:10 AM

I recently got infected with a pair of toolbars, namely VSToolbar and Toolbar888. At first I thought I could try and fix it myself by reading various forum guides and self-help pages. However, the situation rapidly got worse and is getting out of hand with every reboot. Now I noticed there's another spyware named TargetSaver in the add/remove list and just this morning I noticed that DeluxeCommunications has now gotten it's way onto my system. Since the initial attack I have been running AVG Anti-Spyware, and with every reboot the real-time protection system continuously reports new spyware trying to run on my system. What's REALLY alarming me however, is the fact that I cannot boot into safe mode anymore. When attempting to do that, Windows will load up safe mode and give me the usual choice of continuing with safe mode or using a system restore. After I click "yes" (to use safe mode) the system just hangs. There's no start menu, taskbar, or desktop icons. The only thing I can access is the task manager via CTRL+ALT+DEL. To top this all off, the system will reboot itself when I try to run a scan with Adaware. All of this has caused me incredible frustration and is making increasingly worried by the second. I would not like to have to format this computer.

There is also one caveat: I was infected by a backdoor/trojan. I removed as best as I could, but I remember reading that once you're infected you can never be sure that your system ever fully clean. The suggestion was to just reformat. I also have a secondary hard drive on my system. How much is the security of that drive compromised?


Thanks for helping me out! Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:01:37 AM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Killers\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Spyware Killers\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ismini.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\{B87A8927-082B-1041-1107-030401160001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Alert 4\PCAlert4.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{387A8927-082B-1041-1107-030401160001}\MyToolBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Spyware Killers\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cwrr] "C:\WINDOWS\system32\?aICRO~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095375240125
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Spyware Killers\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Edited by ParanoidEleven, 08 October 2006 - 11:39 AM.


BC AdBot (Login to Remove)

 


#2 ParanoidEleven

ParanoidEleven
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 09 October 2006 - 02:06 AM

Update: Somehow I was able to boot into safe mode again. I went ahead and tried doing some more cleanup and found out I had a nasty backdoor winwly32.dll. I believe it was the source of the random rebooting, as only Adaware would detect it. It reboots the system moments after detection. I removed it by stopping the scan as soon as it was found and had Adaware proceed to quarantine/delete it. I was then able to complete the full system scan as normal and remove other bits of malware. Here's the logs from the scans and the new HijackThis log:


AVG Anti-Spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:35:54 PM 10/8/2006

+ Scan result:



C:\Program Files\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned.
C:\Program Files\DeluxeCommunications\DxcCore.dll -> Adware.DeluxeCommunications : Cleaned.
HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : Cleaned.
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108977.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP684\A0110064.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP684\A0110065.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108975.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108979.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108971.EXE -> Backdoor.Ifinst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108972.EXE -> Backdoor.Ifinst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108969.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108966.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108968.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108967.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108974.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108980.dll -> Not-A-Virus.Hoax.Win32.Renos.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeff\Cookies\jeff@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108973.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108970.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108822.exe -> Worm.VB.ao : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108861.exe -> Worm.VB.ao : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108889.exe -> Worm.VB.ao : Cleaned with backup (quarantined).


::Report end


Adaware (scan stopped early to prevent rebooting):

ArchiveData(auto-quarantine- 2006-10-08 19-51-02.bckp)
Referencefile : SE1R125 06.10.2006
======================================================

WIN32.BACKDOOR.AGENT

obj[0]=Process : C:\WINDOWS\system32\winwly32.dll


Adaware:

ArchiveData(auto-quarantine- 2006-10-08 21-03-40.bckp)
Referencefile : SE1R125 06.10.2006
======================================================

ADWARE.SAFETYBAR

obj[0]=RegValue : S-1-5-21-57989841-920026266-839522115-1003\software\microsoft\internet explorer\toolbar\Webbrowser "{052b12f7-86fa-4921-8482-26c42316b522}"

TARGETSAVER

obj[1]=File : C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP676\A0106791.exe

SPYWAREQUAKE

obj[2]=File : C:\System Volume Information\_restore{987B2E97-E178-493D-B0C8-1488B0AA799C}\RP683\A0108843.exe




HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:45 PM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Killers\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ismini.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Spyware Killers\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\{B87A8927-082B-1041-1107-030401160001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Alert 4\PCAlert4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\khffeda.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\cqdpiund.dll (file missing)
O2 - BHO: (no name) - {A0FCACDD-A199-4AF0-B67E-8B40B207A64E} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: (no name) - {CE8DC986-0335-01C0-6A9F-52807F30579D} - C:\WINDOWS\system32\mbcrx.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Spyware Killers\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095375240125
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\system32\jkkjg.dll (file missing)
O20 - Winlogon Notify: khffeda - khffeda.dll (file missing)
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Spyware Killers\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe



#3 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 12 October 2006 - 06:33 PM

Do not use code to post logs

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall
==================

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...4129&ac=tsg

(It's a 2 week trial.)

* Click the Try Spy Sweeper for FreeDownload the trial link.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users