I Am A Mortgage Banker And Alot Of Info Is At Risk!


68 replies to this topic

#1 chugg

  • Members
  • 627 posts

Posted 17 February 2007 - 03:03 AM

I am a mortgage banker and I have hundreds of people's personal data, including social security numbers and everything. I am extremely concerned. The problem is that I am not great with computers with anything besides business programs. I followed all of the steps at this link. I have been at it for hours making sure that I don't miss a step. I installed all the programs and ran them just like it says.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/.

I am so concerned I don't know what to do. If I don't have this fixed by Monday I am in a lot of trouble. People buying homes and people I do investments for are at risk. This originally started with the SpyDawn virus. I was getting a question mark that was blinking at the bottom of my screen, and when I clicked it, it said I had spyware and it tried to get me to buy the program. Thank God a friend told me about this site. The blinking question mark went away and then my LimeWire started popping up and running no matter how many times I tried to shut it down. I didn't think it was a big deal at first and it was just annoying. Then I posted the problem on this site and one of the fine gentlemen here told me how serious it was. I finally did everything I was told to do and LimeWire is still doing the same thing. I have a feeling someone is getting all the info off my computer and I am scared bleepless over this. I am posting the log from HijackThis below and praying that someone can help me. I will be here all day tomorrow and going out tomorrow night, and will be here all day Sunday with a hangover trying to fix this if someone can help me. Please help! It would be greatly appreciated. Please keep in mind that I am not great with computers.


Logfile of HijackThis v1.99.1
Scan saved at 12:47:25 AM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\Common Files\AOL\1171672046\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\eFax Messenger 4.1\J2GTray.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Michael Thiemann\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1171672046\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www41.wirelesssync.vzw.com/en/SyncInstall.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel« Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 17 February 2007 - 07:26 AM

Hi Chugg & welcome

O MY!

Where is your other thread please? I would like to see what was on this system the other person helped you with.

This isn't gonna be pretty but must be said. Read carefully please. This is serious!

A few things must be taken into consideration in light of what you said in your intro.

If this machine is used to store customer data and you suspect any kind of backdoor/keylogger/rootkit activity I would be contacting my IT department to have the customer data backed up elsewhere and this machine wiped clean/installed fresh.

Is this a company machine or your own?

There could be liability issues if someone's data does get out.

You will need to change ALL your passwords to any sensitive sites you log into from an UNinfected machine.
If this is not possible then you will have to contact your IT department so they can reset your password/log-in info.

Do not use this machine to do sensitive log-ins or attackers may get new info.

I haven't got a clue what you have already cleaned up with the tools/apps recommended in the link you followed.
Therefore I cannot know for sure the original extent of the problem(s).

This leads to me not being entirely sure of the safety of your customer's sensitive data.

Did you save any scan/clean logs?
If you did---upload them here please:

http://www.bleepingcomputer.com/submit-mal....php?channel=19

Include a link back to this thread so I know whose logs they are.

I also don't see an antivirus installed or a firewall. Not having antivirus or a firewall puts your system & data at very high risk. And your customers!
XP does have its own firewall but it does not have much for outgoing program control. Therefore whatever nasty wants out gets out, including the data it is sending.

I do see some antispyware apps and McAfee nearly uninstalled.

Look....to make a long story short, it would be faster/safer for you to back up your customer data and then flatten/re-install from scratch.
This way you can know for sure the system is safe.
A fresh install can be done in a couple of hours and you know it is safe.
Consider this especially if there is important or confidential information stored on your hard disk.
Trying to fix damage can take a lot longer and we still will be unsure.

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

Regarding formatting, here is a guide that may be useful:
http://spyware-free.us/tutorials/reformat/



Do you not have IT department to handle this?

Another painful but must-be-done thing is that you are going to have to contact your customers and tell them your system has been compromised and they need to change their passwords & put watches on their accounts.

If nothing happened to anyone's account...great, but if something did and you say nothing, and then it is traced back to your infected machine, you could be liable for their losses.

________________________

I would like to see a scan log to see what you do have in quarantine folders.
I also want to keep this thing offline as much as possible.
The more this computer is online....the more this data is at risk.

Download Dr.Web's CureIt to your desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan.

This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, select the drives that you want to scan.

Select all drives. A red dot shows which drives have been chosen.

Click the green arrow > to the right and the scan will begin.

At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, click the "Select all" toggle button (if available) next to the files found.

Then click the green cup icon right below and select "Move incurable".

This will move any infected files that can't be cured to the %userprofile%\DoctorWeb\Quarantine folder (in case we need samples).

Then, from the main Dr.Web CureIt menu (top left), click File and choose "Save report list".
Save the report to your desktop. The report will be called DrWeb.csv.

Close Dr.Web CureIt and restart your computer to completely remove any stubborn files on reboot.

Post back with the DrWeb.csv report please.


If the log is large upload it here please:

http://www.bleepingcomputer.com/submit-mal....php?channel=19

Do include link back here so I know what the log is about.


*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Don't forget to turn 'em back on!

_____________

I would also like to look at the boot log to confirm whether or not a rootkit driver is present:

Click start> run> type msconfig.exe and hit enter.
Open the boot.ini tab
checkmark /bootlog
Apply and close.

Reboot when told.

Upload this file:

c:\Windows\ntbtlog.txt to this link:

http://www.bleepingcomputer.com/submit-mal....php?channel=19

Include a link back to here so I know whose log it is.

Thanks

Blender
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
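The /bootlog check Blender describes above produces a plain text file listing each driver the kernel loaded or failed to load. The following is an added example (not code from the thread, from Dr.Web or from HijackThis) showing how a defender can triage that file offline: it parses the "Loaded driver" / "Did not load driver" lines and flags any driver loaded from outside the normal Windows system directories. The boot-log line format and the trusted-prefix list are assumptions based on Windows XP behaviour; the sample log is constructed, and EXAMPLE_unknown.sys is a placeholder name, not a real driver.

```python
r"""Triage a Windows XP boot log (ntbtlog.txt) for drivers loaded from unusual paths.

Added example: not code from the thread or from any vendor. It assumes the
line format 'Loaded driver <path>' / 'Did not load driver <path>' that XP
writes to C:\Windows\ntbtlog.txt when /bootlog is set. The sample log is
constructed, and EXAMPLE_unknown.sys is a placeholder, not a real driver.
"""
import re

# Constructed sample. Early boot drivers are logged as \WINDOWS\system32\... or as a
# bare name, later ones as \SystemRoot\System32\DRIVERS\..., so both spellings are trusted.
SAMPLE_NTBTLOG = r"""
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 2 17 2007 10:30:12.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\intelide.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \??\C:\Documents and Settings\user\Local Settings\Temp\EXAMPLE_unknown.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\DRIVERS\ipsec.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver) (.+)$")

# Directory prefixes (lower-case) from which the kernel normally loads drivers.
TRUSTED_PREFIXES = ("\\windows\\system32\\", "\\systemroot\\system32\\")


def parse_bootlog(text):
    """Split the log into (loaded, not_loaded) lists of driver paths."""
    loaded, not_loaded = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # header / timestamp lines
        target = loaded if m.group(1) == "Loaded driver" else not_loaded
        target.append(m.group(2).strip())
    return loaded, not_loaded


def is_trusted_path(path):
    """True when the driver sits under a normal system directory."""
    p = path.lower()
    if "\\" not in p:
        return True                       # bare name resolves under system32\drivers
    return p.startswith(TRUSTED_PREFIXES)


def suspicious_drivers(text):
    """Loaded drivers whose path is outside the trusted system directories."""
    loaded, _ = parse_bootlog(text)
    return [p for p in loaded if not is_trusted_path(p)]


if __name__ == "__main__":
    loaded, not_loaded = parse_bootlog(SAMPLE_NTBTLOG)
    print(f"{len(loaded)} drivers loaded, {len(not_loaded)} did not load")
    for p in suspicious_drivers(SAMPLE_NTBTLOG):
        print("REVIEW:", p)
```

A "Did not load" entry by itself is normal (disabled and on-demand drivers show up there too); the output worth a second look is a loaded driver whose path sits under a user profile or a temp directory. A clean result does not prove the machine is clean, which is why Blender's advice to back up the data and reinstall still stands.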

#3 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 17 February 2007 - 07:26 AM

Edit.
Removed by RichieUK

Edited by RichieUK, 17 February 2007 - 08:22 AM.


#4 chugg
  • Topic Starter

  • Members
  • 627 posts

Posted 17 February 2007 - 04:26 PM

All done and so far so good. To answer your questions: I work from a home office so I do not have an IT dept. I do at my office, but they only support the office. I already posted the link to my other thread above. I didn't save any logs, but I listed the programs I installed and ran in the other log I posted for your review. I look forward to your reply. I posted as you instructed.

Edited by chugg, 17 February 2007 - 04:30 PM.


#5 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 18 February 2007 - 03:43 PM

Hi Chugg;

I'm a little confused as to what you've done.

Were you able to get Ad-Aware working?

I would like to see the following logs please:

1.) New Hijackthis log

2.) Uninstall list:
Open Hijackthis
Click "open misc tools section"
Click "open uninstall manager"
Click "save list"
Save the list someplace & post the log here.

3.) Click start> run> type cmd.exe and hit enter.

Copy this line:

dir c:\*.com /s > results.txt & start results.txt

Right click in open cmd window and choose "paste"
Hit enter.

Wait till it finishes scanning and the log should pop up.

Post results of log here.

4.) Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

It may take a couple posts to get all logs in.

----------------------------------

I'll post the drweb results as well here. Log is small enough to post.
User names have been edited out of log for privacy.

outlook.exe;c:\program files\outlook;Trojan.MulDrop.3290;Will be cured after reboot.;
onoes.exe;C:\;Win32.HLLW.MyBot;Deleted.;
SopAdver.exe;C:\Documents and Settings\*********\Application Data\SopCast\adv;Adware.Sopcast;Incurable.Moved.;
Process.exe;C:\Documents and Settings\**********\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\********\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
0113831171314405mcinst.exe;C:\Documents and Settings\*********\Local Settings\Temp\mcvsinst;Probably BACKDOOR.Trojan;Incurable.Moved.;
xzxzxzxzxzxz.exe;C:\Documents and Settings\*********\Shared\_;Trojan.MulDrop.3338;Deleted.;
aolsetup.exe;C:\Program Files\Common Files\AOL\1171672046\ee\services\softwareUpdate\ver2_14_2_30;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Program Files\Common Files\AOL\Backup\ACS\Current\Suite;Probably BACKDOOR.Trojan;Incurable.Moved.;
outlook.exe;C:\Program Files\outlook;Trojan.MulDrop.3290;Deleted.;
v.tmp;C:\Program Files\outlook;Trojan.MulDrop.3290;Deleted.;
A0034634.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP557;Trojan.MulDrop.3338;Deleted.;
A0034660.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559;Win32.HLLW.MyBot;Deleted.;
A0034678.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559;Win32.HLLW.MyBot;Deleted.;
A0034722.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559;Win32.HLLW.MyBot;Deleted.;
A0034780.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559;Win32.HLLW.MyBot;Deleted.;
A0034941.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP560;Win32.HLLW.MyBot;Deleted.;
A0034957.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP560;Win32.HLLW.MyBot;Deleted.;
A0034995.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP560;Trojan.MulDrop.3338;Deleted.;
A0034997.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP561;Trojan.MulDrop.3290;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;


I would like to have a look at some files that were quarantined by DrWeb.

Please zip up this folder:

C:\Documents and Settings\your name\DoctorWeb\Quarantine
where "your name" is the user name you use to log into your computer with.

Right click the Quarantine folder > Send to... > choose "Compressed (zipped) folder"

Once zipped up, please upload Quarantine.zip here:

http://www.bleepingcomputer.com/submit-mal....php?channel=20

Include a link to this thread so I know whose files they are.

As for music download places....let's wait till you are cleaned up & set up with proper protection before we even go looking.
Proper protection is an absolute must if you intend to keep the data on your computer safe & out of the wrong hands.

See ya shortly

Blender
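The Dr.Web report Blender posted above is a semicolon-separated list of file;directory;detection;action records, and the HijackThis O4 lines list what runs at logon. The following is an added example, not code from the thread or from either vendor, that parses both formats and cross-references them so that an autostart entry pointing at a file Dr.Web flagged (here the outlook.exe under C:\Program Files\outlook, which is not the Office OUTLOOK.EXE) stands out; it also summarises the report by action, by heuristic ("Probably ...") detections, and by copies sitting in System Restore points. The sample records are copied from the thread (user names already masked there); the parsing rules are assumptions about the two log formats rather than vendor documentation.

```python
r"""Cross-reference a Dr.Web CureIt report (DrWeb.csv) with HijackThis O4 autostart entries.

Added example: not code from the BleepingComputer thread, Dr.Web or HijackThis.
Assumed record formats (not taken from vendor docs):
  Dr.Web:     <file>;<directory>;<detection>;<action>;
  HijackThis: O4 - <hive>\..\Run: [<name>] <path> [<args>]
The sample records below are copied from the thread (user names already masked).
"""
import re
from collections import Counter

# Dr.Web CureIt records copied from the thread (a subset).
DRWEB_CSV = r"""
outlook.exe;c:\program files\outlook;Trojan.MulDrop.3290;Will be cured after reboot.;
onoes.exe;C:\;Win32.HLLW.MyBot;Deleted.;
0113831171314405mcinst.exe;C:\Documents and Settings\*********\Local Settings\Temp\mcvsinst;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0034660.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP559;Win32.HLLW.MyBot;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
"""

# HijackThis O4 lines copied from the thread (a subset).
HJT_O4 = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_drweb(text):
    """Return [(full_path, detection, action)] for every well-formed Dr.Web record."""
    records = []
    for line in text.splitlines():
        parts = line.rstrip(";").split(";")   # drop the trailing ';' field terminator
        if len(parts) < 4:
            continue                          # blank or malformed line
        name, directory, detection, action = parts[:4]
        full_path = directory.rstrip("\\") + "\\" + name
        records.append((full_path, detection, action))
    return records


def parse_o4(text):
    """Return [(hive, name, exe_path)] for every HijackThis O4 Run entry."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):                       # quoted path, arguments follow the quote
            path = cmd[1:cmd.index('"', 1)]
        else:                                         # unquoted path may contain spaces: cut at .exe
            exe = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
            path = exe.group(1) if exe else cmd.split()[0]
        entries.append((m.group("hive"), m.group("name"), path))
    return entries


def _norm(path):
    return path.strip().lower().rstrip("\\")


def flagged_autostarts(drweb_text, hjt_text):
    """O4 entries whose executable Dr.Web detected, with the detection and action."""
    hits = {_norm(p): (det, act) for p, det, act in parse_drweb(drweb_text)}
    out = []
    for hive, name, path in parse_o4(hjt_text):
        if _norm(path) in hits:
            det, act = hits[_norm(path)]
            out.append({"hive": hive, "name": name, "path": path,
                        "detection": det, "action": act})
    return out


def summarize(drweb_text):
    """Counts by action, heuristic-only detections, and restore-point copies."""
    recs = parse_drweb(drweb_text)
    return {
        "by_action": Counter(act for _, _, act in recs),
        "heuristic": [p for p, det, _ in recs if det.startswith("Probably ")],
        "restore_points": [p for p, _, _ in recs
                           if "\\system volume information\\" in p.lower()],
    }


if __name__ == "__main__":
    for hit in flagged_autostarts(DRWEB_CSV, HJT_O4):
        print(f"{hit['hive']} Run [{hit['name']}] -> {hit['path']}: "
              f"{hit['detection']} ({hit['action']})")
    print(summarize(DRWEB_CSV))
```

The "Will be cured after reboot." line and the later "Deleted." line for the same outlook.exe are why a fresh HijackThis log after the reboot matters: the O4 [outlook] entry should then be gone or point at a file that no longer exists. Records under System Volume Information are restore-point copies of the same samples, so they inflate the count without representing additional distinct infections, and a "Probably ..." detection is a heuristic verdict rather than a signature match, which is why the quarantined copies are worth submitting for a second look.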

#6 chugg
  • Topic Starter

  • Members
  • 627 posts

Posted 18 February 2007 - 04:25 PM

OK, I am not sure if you wanted me to run a new HijackThis log, so I did anyway, and here it is below.

Logfile of HijackThis v1.99.1
Scan saved at 1:52:02 PM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1171672046\ee\AOLSoftware.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\eFax Messenger 4.1\J2GTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Michael Thiemann\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1171672046\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www41.wirelesssync.vzw.com/en/SyncInstall.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I do have Ad-Aware working and it is on my computer. I have posted the uninstall list here as you requested. I was not sure how to attach it so I copied and pasted it below.


A4 TECH USB PC Camera
ACT! « 2005
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
Apple Software Update
Conexant D850 56K V.9x DFVc Modem
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Support 3.1
Digital Content Portal
Digital Line Detect
EducateU
eFax Messenger 4.1
ELIcon
Google Earth
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
iPod Agent 1.1.2.0
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
LiveUpdate 2.6 (Symantec Corporation)
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft ActiveSync 4.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Internet Explorer Administration Kit 5
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Resource Kit
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
Mozilla Firefox (1.5.0.9)
NetWaiting
PartyPoker
Picsel File Viewer
QuickTime
RealPlayer
RegistryFix v5.5
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Search Assist
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Sonic Activation Module
SopCast 1.0.0
Spybot - Search & Destroy 1.4
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
URGE
URL Assistant
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Defender
Windows Defender Signatures
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Wireless Sync Client
Yahoo! Messenger

I copied this line (dir c:\*.com /s > results.txt & start results.txt) as you asked, but when I do it and paste, it does not copy the whole thing when I place it in the black box; it only copies ^u for some reason, so I went with this. But it says '_' is not recognized as an internal or external command, operable program or batch file. I await your reply on this. I tried copying and pasting this several times.

Now I have another problem. I tried to install Kaspersky Online Scanner, but when it goes to install the ActiveX control a box pops up from Windows saying that a program wants to install it and if I want to install it, click here. I click there and click install ActiveX control, and a screen pops up saying what I pasted below.

Welcome to the Kaspersky Online Scanner! Use it to scan your PC for viruses and other malware for free
Warning: if you have installed Kaspersky Online Scanner BETA, please manually uninstall it using "Add/Remove Programs" before installing this version! Otherwise this version will not function correctly.

Benefits:


Kaspersky Anti-Virus exceptional detection rates and thorough scanning
Hourly AV database updates available each time the Online Scanner is launched
Heuristic analysis to detect unknown viruses
Simple installation (just click on a link)

Requirements and limitations:


When using this service for the first time, you have to run with Administrator privileges in order to install the product. Also, you will need to download and install files about 400 KB in size (about 1 minute on a 57.6 kbps connection) followed by 7 MB of virus definitions.
However, if you use the Online Scanner again, you will only need to download the files that have been updated since your last scan.
The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner work only with MS Internet Explorer 5.0 or higher.
We cannot guarantee that the Online Scanner will function correctly if you are using any other browser or any Internet Explorer extensions (such as AvantBrowser). If you use a different browser, you can use the Kaspersky File Scanner to scan individual files.
The free Kaspersky Online Scanner does not scan RAM, boot sectors and MBRs, so it cannot detect malicious code located in these areas.
Please note: The free Kaspersky Online Scanner does not protect against malicious code, and cannot prevent future infections. It only detects malware that has already penetrated your computer. We strongly recommend that you install a full antivirus solution to protect your system.

Privacy statement:

The Kaspersky Online Scanner will collect information about the malicious programs found on your computer during the scanning process. The information will be sent to the Kaspersky Virus Lab for statistical purposes. No personal information about you or specific information about your system will be collected or transmitted to Kaspersky Lab.

I do not know what to do from here because there are no options after this. I am really trying to figure out why nothing happens but I can't. I am so sorry, I know this is a pain for you, but I am really trying. I await your reply. Once again, I am sorry but I am really trying.

#7 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:01:09 AM

Posted 18 February 2007 - 05:26 PM

Hi

Yes you posted both the Hijackthis & uninstall list correctly.

For this:

Click start> run> type cmd.exe and hit enter.

Copy this line:

dir c:\*.com /s > results.txt & start results.txt

Right click in open cmd window and choose "paste"
Hit enter.

Wait till it finishes scanning and log should pop up.

Post results of log here.

Don't use Ctrl+V for pasting.
You have to copy it and use the "paste" function on right click to get it to work.
Otherwise you get the ^v in the window.

So....

Start> run> type cmd.exe and hit enter.

Highlight the bold line above> right click it & choose "copy"
Go back to the open cmd window, right click> choose "paste"

you should see the command displayed there exactly as I have written it.

Hit enter.
Wait for scan to finish & post resulting log.

----------------

Disable your TeaTimer so it does not interfere with any of our fixes. Keep it off till I tell you. We'll need another file to reset it after so it does not put junk back we try & remove.

1.) Open Spybot and click on Mode and check Advanced Mode
2.) Check yes to next window.
3.) Click on Tools in bottom left hand corner.
4.) Click on System Startup icon.
5.) Uncheck Teatimer box.
6.) Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

Go to add/remove programs and uninstall:

RegistryFix v5.5
SopCast 1.0.0
LiveUpdate 2.6 (Symantec Corporation)

Party Poker (if you didn't install it)--I recommend uninstall since this app can drag in spyware and I wouldn't trust it on a business computer.

Reboot when done

Open Hijackthis
Run system scan and check if present:

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
<-- if you uninstalled PartyPoker

Once checked, close all open windows and click "Fix checked", then OK.

Exit Hijackthis

Your Java is out of date. Lots of security issues with old versions.

Please follow the steps to remove older version Java components

Download the latest Java from here:
http://java.sun.com/javase/downloads/index.jsp

If you don't need to develop java programs

You want this one:

Java Runtime Environment (JRE) 6

If you do develop programs then you will want one of the JDK downloads.

Next page that comes up you need to accept the agreement to download it.
First in list is the offline installation
This is the one to download. Save it to your desktop or your normal download folder.

1. Close any open programs you may have running, especially your web browser
2. Click Start > Control Panel
* Depending on your OS or configuration, you may have to click Start > Settings > Control Panel
3. Open Add or Remove Programs
* If you have Windows 98 or Windows 2000, open Add/Remove Programs
4. Click once on any item listing Java Runtime Environment in the name
* Not every version of Java will begin with "Java" so be sure to read each entry in the list

Yours are:

J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03

5. Click the Remove or Change/Remove button
6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
7. Reboot your PC once all Java components have been removed
8. Proceed with reinstalling Java using the file you just saved.

-------------------------------

As for Kaspersky:

Hmmmm....yeah you have IE7. It can be a little funky for this.

Once the ActiveX is loaded you may need to use the "zoom" button at bottom right of your browser window (in the kaspersky popup) to increase to 125%.
Once you do this...scroll down & hit the "accept" button.

Scanner should start loading and you can carry on as I instructed above.

Post its log along with new hijackthis log.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
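Added example, not from this thread and not part of HijackThis: a small Python script that reads the O4 (autostart) lines of a HijackThis log the way a reviewer scans them and flags the two kinds of entry worth a second look, a program launched straight from the Windows root and a familiar product name living outside the product's normal directory (the `outlook` entry singled out above). The sample lines are copied from the log in this thread; the `EXPECTED_HOME` table and both heuristics are constructed for illustration.

```python
"""Triage HijackThis O4 (autostart) lines the way a reviewer scans them by eye.

Added example for this thread, not part of HijackThis or of the helper's
instructions.  The parser follows the O4 line format shown in the log; the
two heuristics are constructed for illustration and prompt a closer look,
they are not a verdict on any entry.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_REGISTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run[A-Za-z]*): \[(.*?)\] (.+)$")
# Unquoted command line: the program path runs up to the first executable extension.
UNQUOTED_EXE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(.*))?$", re.IGNORECASE)

# Product names that malware commonly borrows, with the directory fragment a genuine
# copy is expected to live under (constructed, illustrative table).
EXPECTED_HOME = {
    "outlook": "microsoft office",
    "svchost": "system32",
}


@dataclass
class Autostart:
    hive: str   # HKLM or HKCU
    key: str    # Run, RunOnce, ...
    name: str   # registry value name shown in [brackets]
    exe: str    # program path with quotes removed
    args: str   # remaining command-line arguments


@dataclass
class Finding:
    entry: Autostart
    reason: str


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the program path from its arguments; a quoted path takes precedence."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = UNQUOTED_EXE.match(cmd)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    # Nothing recognisable as a program; keep the whole string as the path.
    return cmd, ""


def parse_o4(text: str) -> List[Autostart]:
    """Return the registry-backed O4 entries; Global Startup and other sections are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_REGISTRY.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        exe, args = split_command(cmd)
        entries.append(Autostart(hive, key, name, exe, args))
    return entries


def triage(entries: List[Autostart]) -> List[Finding]:
    """Apply the two review heuristics and collect the entries worth a second look."""
    findings = []
    for e in entries:
        path = e.exe.lower()
        parent = path.rsplit("\\", 1)[0] if "\\" in path else ""
        base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        # 1. Installed software lands in system32 or Program Files, not the Windows root.
        if parent.endswith("\\windows"):
            findings.append(Finding(e, "runs directly from the Windows root directory"))
            continue
        # 2. A familiar product name living outside the directory the real product uses.
        for product, home in EXPECTED_HOME.items():
            if product in (base, e.name.lower()) and home not in path:
                findings.append(Finding(e, f"named like {product} but not under a '{home}' directory"))
                break
    return findings


def flagged_names(text: str) -> List[str]:
    """Value names of the entries triage() flags, in log order."""
    return [f.entry.name for f in triage(parse_o4(text))]


if __name__ == "__main__":
    for f in triage(parse_o4(SAMPLE_LOG)):
        print(f"[{f.entry.hive}] {f.entry.name}: {f.entry.exe} -> {f.reason}")
```

On the sample the script flags `outlook` for the reason the thread gives, and also `snpstd3`, which is the webcam driver from the uninstall list; that second hit is exactly why these heuristics only mark entries for a human to check against the installed-programs list rather than deciding on their own.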

#8 chugg

chugg
  • Topic Starter

  • Members
  • 627 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 18 February 2007 - 05:58 PM

Hey, I'm sorry, maybe I said it wrong in my last posting, but the problem is when you want me to go to Start > Run and I'm in the black box and I try to paste dir c:\*.com /s > results.txt & start results.txt, it does not fully paste. It just pastes ^U. It won't paste it fully like it does here. I'm sorry, but that's what it's doing. I will do the rest when I get this figured out because I want to follow your steps in the order that you say. I am in the worst business to get spyware or a virus as a mortgage banker. Thanks so much for all your help.

#9 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:01:09 AM

Posted 18 February 2007 - 07:47 PM

Hi

Try typing it in

Just type it in exactly as I put it. Spaces and such gotta be as displayed.

#10 chugg

chugg
  • Topic Starter

  • Members
  • 627 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 18 February 2007 - 08:30 PM

Ok, so far so good, but I don't know what a TeaTimer is.

#11 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:01:09 AM

Posted 18 February 2007 - 09:18 PM

Hi

TeaTimer is part of your Spybot Search & Destroy. It is a startup watcher and registry monitor.
If it is running/active we won't be able to fix much of anything.

How to stop it:

1.) Open Spybot and click on Mode and check Advanced Mode
2.) Check yes to next window.
3.) Click on Tools in bottom left hand corner.
4.) Click on System Startup icon.
5.) Uncheck Teatimer box.
6.) Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

Keep it off till we are done please.

#12 chugg

chugg
  • Topic Starter

  • Members
  • 627 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 18 February 2007 - 10:20 PM

I am in the Advanced Mode section and there is no TeaTimer box. I also do not see an Allow Change box. Sorry. Don't give up on me. I will follow your link to fix it, I just saw it.

Edited by chugg, 18 February 2007 - 10:24 PM.


#13 chugg

chugg
  • Topic Starter

  • Members
  • 627 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 19 February 2007 - 12:00 AM

Below are the log results that you requested.

Volume in drive C has no label.
Volume Serial Number is 0CCF-FF4C

Directory of c:\Documents and Settings\All Users\Application Data

04/14/2006 06:55 AM <DIR> McAfee.com
02/12/2007 02:08 PM <DIR> McAfee.com Personal Firewall
0 File(s) 0 bytes

Directory of c:\Documents and Settings\guest acct\Application Data\Macromedia\Flash Player

12/17/2006 01:04 AM <DIR> macromedia.com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\guest acct\Application Data\Macromedia\Flash Player\#SharedObjects\BMEDYA6S

12/17/2006 01:04 AM <DIR> video.google.com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\guest acct\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

12/17/2006 01:04 AM <DIR> #video.google.com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\guest acct\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4

12/17/2006 01:05 AM 1,893 getseal[1].com&size=L&use_flash=NO&use_transparent=YES&lang=en
1 File(s) 1,893 bytes

Directory of c:\Documents and Settings\LocalService\Application Data

05/03/2006 08:50 PM <DIR> McAfee.com Personal Firewall
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\.housecall6.6\Update\AU_Cache

02/12/2007 02:39 PM <DIR> housecall65.trendmicro.com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Application Data

02/12/2007 02:25 PM <DIR> McAfee.com Personal Firewall
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Application Data\Macromedia\Flash Player

05/03/2006 08:54 PM <DIR> macromedia.com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Application Data\Macromedia\Flash Player\#SharedObjects\Q27BGWUP

09/11/2006 07:35 PM <DIR> adknowledge.com
12/02/2006 12:33 PM <DIR> albertsons.shoplocal.com
09/23/2006 06:31 PM <DIR> allstatefundsloans.com
08/06/2006 09:45 PM <DIR> aolcdn.com
08/03/2006 07:04 PM <DIR> boston.redsox.mlb.com
08/23/2006 04:45 PM <DIR> c.s0.gc.sj.ipixmedia.com
08/11/2006 04:43 PM <DIR> denverbroncos.com
07/05/2006 08:31 PM <DIR> entimg.msn.com
05/17/2006 09:29 AM <DIR> ivillage.com
05/25/2006 12:40 AM <DIR> mlb.mlb.com
08/03/2006 07:03 PM <DIR> newyork.yankees.mlb.com
09/12/2006 08:38 PM <DIR> oddcast.com
10/05/2006 06:07 PM <DIR> pagead2.googlesyndication.com
12/07/2006 01:06 AM <DIR> pandora.com
02/12/2007 12:04 AM <DIR> pornotube.com
06/22/2006 11:37 PM <DIR> seeds.adgardener.com
09/25/2006 06:36 PM <DIR> skinvideo.com
06/07/2006 07:38 PM <DIR> static.espn.go.com
05/05/2006 03:37 PM <DIR> static.userplane.com
12/27/2006 09:11 PM <DIR> streetsofnewyork.com
10/18/2006 01:52 AM <DIR> suitesmart.com
10/03/2006 11:17 AM <DIR> superpipeline.com
06/03/2006 12:27 AM <DIR> templeofgames.com
08/05/2006 08:58 PM <DIR> video.google.com
11/14/2006 03:56 PM <DIR> www.2.livejasmin.com
08/05/2006 12:23 AM <DIR> www.2.liveprivates.com
09/23/2006 06:31 PM <DIR> www.allstatefundsloans.com
01/05/2007 10:28 PM <DIR> www.cigarsmokers.com
07/25/2006 11:44 PM <DIR> www.maximonline.com
02/05/2007 05:28 PM <DIR> www.metacafe.com
01/15/2007 10:30 PM <DIR> www.motorola.com
12/07/2006 12:57 AM <DIR> www.mtv.com
12/16/2006 09:46 PM <DIR> www.nbc.com
02/12/2007 12:05 AM <DIR> www.pornotube.com
10/03/2006 11:17 AM <DIR> www.superpipeline.com
06/02/2006 08:29 PM <DIR> www.templeofgames.com
11/27/2006 10:23 AM <DIR> www.visualtour.com
01/18/2007 08:19 PM <DIR> www.youtube.com
01/14/2007 09:23 PM <DIR> youtube.com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

09/11/2006 07:35 PM <DIR> #adknowledge.com
12/02/2006 12:26 PM <DIR> #albertsons.shoplocal.com
09/23/2006 06:31 PM <DIR> #allstatefundsloans.com
08/06/2006 09:45 PM <DIR> #aolcdn.com
08/03/2006 07:04 PM <DIR> #boston.redsox.mlb.com
08/23/2006 04:44 PM <DIR> #c.s0.gc.sj.ipixmedia.com
12/11/2006 11:58 AM <DIR> #creative.myspace.com
08/11/2006 04:43 PM <DIR> #denverbroncos.com
07/05/2006 08:29 PM <DIR> #entimg.msn.com
05/17/2006 09:29 AM <DIR> #ivillage.com
07/20/2006 12:37 PM <DIR> #lads.myspace.com
05/25/2006 12:40 AM <DIR> #mlb.mlb.com
08/03/2006 07:03 PM <DIR> #newyork.yankees.mlb.com
09/12/2006 08:38 PM <DIR> #oddcast.com
10/05/2006 06:07 PM <DIR> #pagead2.googlesyndication.com
12/07/2006 01:03 AM <DIR> #pandora.com
02/12/2007 12:04 AM <DIR> #pornotube.com
06/22/2006 11:37 PM <DIR> #seeds.adgardener.com
09/25/2006 06:36 PM <DIR> #skinvideo.com
06/07/2006 07:38 PM <DIR> #static.espn.go.com
05/05/2006 03:37 PM <DIR> #static.userplane.com
12/27/2006 09:11 PM <DIR> #streetsofnewyork.com
07/21/2006 12:05 AM <DIR> #suitesmart.com
08/17/2006 04:29 PM <DIR> #superpipeline.com
06/03/2006 12:27 AM <DIR> #templeofgames.com
08/05/2006 08:58 PM <DIR> #video.google.com
11/14/2006 03:56 PM <DIR> #www.2.livejasmin.com
08/05/2006 12:23 AM <DIR> #www.2.liveprivates.com
09/23/2006 06:31 PM <DIR> #www.allstatefundsloans.com
01/05/2007 10:28 PM <DIR> #www.cigarsmokers.com
07/25/2006 11:44 PM <DIR> #www.maximonline.com
02/05/2007 05:28 PM <DIR> #www.metacafe.com
07/11/2006 03:53 PM <DIR> #www.motorola.com
12/07/2006 12:39 AM <DIR> #www.mtv.com
12/16/2006 09:46 PM <DIR> #www.nbc.com
02/12/2007 12:05 AM <DIR> #www.pornotube.com
08/17/2006 04:29 PM <DIR> #www.superpipeline.com
06/02/2006 08:29 PM <DIR> #www.templeofgames.com
11/27/2006 10:23 AM <DIR> #www.visualtour.com
05/11/2006 08:02 PM <DIR> #www.youtube.com
09/19/2006 10:04 PM <DIR> #youtube.com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Application Data\Microsoft\Windows Live Call

01/14/2007 10:57 PM <DIR> xxxxxxx
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Application Data\Sun\Java\Deployment\cache\javaws\http

09/03/2006 07:40 PM <DIR> Dgames.espn.go.com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Desktop\music\Comedy\David Allen Coe

05/19/2006 05:28 PM <DIR> 420station.com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Desktop\music\Other\Carrie Underwood

05/19/2006 05:30 PM <DIR> aiByRequest.com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Desktop\music\Rock\U2

05/19/2006 05:27 PM <DIR> Promo from Interscope.Com
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Local Settings\Application Data\Microsoft\Messenger

12/26/2006 06:11 PM <DIR> xxxxxx
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Local Settings\Application Data\Microsoft\Messenger\mthiema@aim.com\Sharing Folders

01/19/2007 01:36 AM <DIR> xxxxxxx
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Local Settings\Application Data\Microsoft\Messenger\mthiema@aim.com\SharingMetadata

01/19/2007 01:36 AM <DIR> xxxxxx
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Local Settings\Application Data\Microsoft\Windows Live Contacts

12/26/2006 06:10 PM <DIR> xxxxxxx
0 File(s) 0 bytes

Directory of c:\Documents and Settings\Michael Thiemann\Local Settings\Temporary Internet Files\Content.IE5\RYDW97JU

02/18/2007 02:07 PM 22,739 www.kaspersky[1].com
1 File(s) 22,739 bytes

Directory of c:\i386

08/04/2004 03:00 AM 7,680 chcp.com
08/04/2004 03:00 AM 50,620 command.com
08/04/2004 03:00 AM 9,216 diskcomp.com
08/04/2004 03:00 AM 7,168 diskcopy.com
08/04/2004 03:00 AM 69,886 edit.com
08/04/2004 03:00 AM 25,600 format.com
08/04/2004 03:00 AM 26,112 graftabl.com
08/04/2004 03:00 AM 19,694 graphics.com
08/04/2004 03:00 AM 14,710 kb16.com
08/04/2004 03:00 AM 1,131 loadfix.com
08/04/2004 03:00 AM 19,456 mode.com
08/04/2004 03:00 AM 15,872 more.com
08/04/2004 03:00 AM 47,564 NTDETECT.COM
08/04/2004 03:00 AM 11,264 tree.com
08/04/2004 03:00 AM 18,432 win.com
15 File(s) 344,405 bytes

Directory of c:\Program Files

04/14/2006 06:45 AM <DIR> Learn2.com
02/12/2007 02:25 PM <DIR> mcafee.com
0 File(s) 0 bytes

Directory of c:\WINDOWS\assembly\GAC

10/06/2006 12:45 PM <DIR> Act.Shared.ComponentModel
10/06/2006 12:45 PM <DIR> Act.UI.Remoting.Common
10/06/2006 12:45 PM <DIR> policy.7.2.Act.UI.Remoting.Common
10/06/2006 12:45 PM <DIR> policy.7.1.Act.Shared.ComponentModel
10/06/2006 12:45 PM <DIR> policy.7.0.Act.UI.Remoting.Common
10/06/2006 12:45 PM <DIR> policy.7.1.Act.UI.Remoting.Common
10/06/2006 12:45 PM <DIR> policy.7.0.Act.Shared.ComponentModel
10/06/2006 12:45 PM <DIR> policy.7.2.Act.Shared.ComponentModel
0 File(s) 0 bytes

Directory of c:\WINDOWS\assembly\GAC_MSIL

10/12/2006 03:03 AM <DIR> Microsoft.VisualBasic.Compatibility
0 File(s) 0 bytes

Directory of c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG

09/23/2005 07:28 AM 42,927 machine.config.comments
09/23/2005 07:28 AM 56,960 web.config.comments
2 File(s) 99,887 bytes

Directory of c:\WINDOWS\system32

08/04/2004 03:00 AM 7,680 chcp.com
08/04/2004 03:00 AM 50,620 command.com
08/04/2004 03:00 AM 9,216 diskcomp.com
08/04/2004 03:00 AM 7,168 diskcopy.com
08/04/2004 03:00 AM 69,886 edit.com
08/04/2004 03:00 AM 25,600 format.com
08/04/2004 03:00 AM 26,112 graftabl.com
08/04/2004 03:00 AM 19,694 graphics.com
08/04/2004 03:00 AM 14,710 kb16.com
08/04/2004 03:00 AM 1,131 loadfix.com
08/04/2004 03:00 AM 19,456 mode.com
08/04/2004 03:00 AM 15,872 more.com
08/04/2004 03:00 AM 11,264 tree.com
08/04/2004 03:00 AM 18,432 win.com
14 File(s) 296,841 bytes

Directory of c:\WINDOWS\WinSxS\Policies

10/12/2006 03:01 AM <DIR> x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775
0 File(s) 0 bytes

Total Files Listed:
33 File(s) 765,765 bytes
110 Dir(s) 38,946,181,120 bytes free


FYI: When I start up my computer a box always pops up with a title of Windows Defender and the box reads "Application failed to initialize: 0x800106ba. A problem caused Windows Defender service to stop. To start the service, restart your computer or search Help and Support on how to start the service manually." Also, I just went to look at my USB mass storage device and tried to open a Word document and it would only let me do a read only. Then a button popped up that said another application or person is reading this file. That doesn't sound good. I will post the Kaspersky log when it's done scanning.


Ok, and I am working on Kaspersky now and should have it worked out soon. I think your tip helped. How the heck do you know all this stuff? You're dealing with one of Jerry's kids here when it comes to computers.

Edited by chugg, 19 February 2007 - 03:23 PM.


#14 chugg

chugg
  • Topic Starter

  • Members
  • 627 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 19 February 2007 - 01:43 AM

Ok, here is the Kaspersky log. It looks scary. I didn't see the step where you save it as a text, so I just pasted the link. I hope it works. It's a huge file, so probably better this way. This scares me to death that it's so huge.

http://www.kaspersky.com/virusscanner (this is what happens when I try to paste the log; for some reason it doesn't all paste. Probably because the log is huge.)

Below is the link where you can see the log.

file:///C:/Documents%20and%20Settings/Michael%20%20Thiemann/Desktop/kaskpersky%20log.html

Please read the end of my previous post. I updated 2 things at the end.

#15 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 19 February 2007 - 03:10 AM

Hi

Just upload that log file to here please:

http://www.bleepingcomputer.com/submit-mal....php?channel=19

As for your Windows Defender issue see if you can uninstall it via add/remove programs.
Once uninstalled reboot.

You can re-install it from here:

http://www.microsoft.com/downloads/details...;displaylang=en

You will have to "validate" windows to get the download.

Be sure to update it once installed.

Run a full system scan with it and let it quarantine what it sees.
Reboot to finish.

Let me know if the error message goes away at boot.

While I'm looking at the Kaspersky log you are going to upload for me, please download and install one of these antivirus programs:

Avast:
http://www.avast.com/eng/avast_4_home.html

AVG:
http://free.grisoft.com/doc/1

AntiVir:
http://www.free-av.com/antivirus/allinonen.html

Only install one or they will conflict.

Once installed, update it and run a full scan.
Let it heal/chest/quarantine whatever it finds.
If it found stuff----reboot to finish cleanup.

Post a fresh HijackThis log when you get the antivirus stuff done & let me know how the machine is running.

Thanks

ps. I can't edit posts here so you will have to.
In the log you posted there are some email addresses showing.
Should edit those out so spambots don't harvest the email addresses and send you tons of spam.
We get search bots looking for email addresses.

Look through your log. You will see them.

They are at these lines:

c:\Documents and Settings\Michael Thiemann\Local Settings\Application Data\Microsoft\Messenger
c:\Documents and Settings\Michael Thiemann\Local Settings\Application Data\Microsoft\Windows Live Contacts

Just XXX-ing out the name is sufficient.
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
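One way to do the redaction Blender asks for before a scanner log is uploaded, as an added example that is not part of the thread and not a tool either participant used: a short Python script that masks the local part of every e-mail address in the log while keeping the domain, so the helper can still tell which program (Messenger, Windows Live Contacts) an entry belongs to. The sample log lines, usernames, paths and addresses below are constructed placeholders, not values from the posted logs.

```python
import re
from typing import Tuple

# Matches an e-mail address. Group 1 is the domain, which is kept in the
# output; only the part before the "@" (the harvestable identity) is masked.
EMAIL_RE = re.compile(
    r"\b[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})\b"
)


def redact_emails(text: str, mask: str = "XXX") -> Tuple[str, int]:
    """Replace the local part of every e-mail address in `text` with `mask`.

    Returns the redacted text and how many addresses were replaced, so the
    person posting the log can confirm something was actually changed.
    """
    return EMAIL_RE.subn(lambda m: f"{mask}@{m.group(1)}", text)


def redact_log_file(src_path: str, dst_path: str, mask: str = "XXX") -> int:
    """Read a saved scanner log, write a redacted copy, return the count."""
    with open(src_path, encoding="utf-8", errors="replace") as fh:
        redacted, count = redact_emails(fh.read(), mask)
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(redacted)
    return count


# Constructed sample lines in the style of an online-scanner report.
# Paths, user name and addresses are placeholders, not from the thread.
SAMPLE_LOG = r"""
c:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Live Contacts\someone.private@example.com\DBStore\contacts.edb  Object is locked  skipped
c:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\friend_123@example.net\SharingMetadata\working\database_1234\dfsr.db  Object is locked  skipped
c:\WINDOWS\system32\drivers\etc\hosts  ok
"""

if __name__ == "__main__":
    out, n = redact_emails(SAMPLE_LOG)
    print(f"{n} address(es) redacted")
    print(out)
```

Run it against the saved HTML or text log (`redact_log_file("kaspersky log.html", "kaspersky log redacted.html")`) and skim the output once before uploading; a regex catches the common address shapes but not an address that a scanner has wrapped or truncated across lines.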



