Agent.bls


This topic is locked
8 replies to this topic

#1 ramla13

Posted 30 May 2007 - 11:34 PM

I managed to get rid of my Vundo viruses which wasn't that difficult, but I still have a virus called agent.bls and I can't exactly find it. There is only one of my virus detectors that can actually find it. I deleted the file that it was detected in and yet I still get pop-ups that don't really work anymore. And I've tried many different virus scanners. I finally decided to join and create a log file. I already did all the steps before joining. Nothing seems to be working. It said the location was HKEY_CLASSES_ROOT/wr and that was from the only scanner that could find it in my system. I just can't get rid of it because the scan is free but the product itself is not. Any ideas?

Logfile of HijackThis v1.99.1
Scan saved at 11:25:10 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\Brenda\Local Settings\Temp\Temporary Directory 1 for hijackthis_199[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://62.4.84.53/trafc-2/rfe.php?cmp=avs2...1&lid=av_09
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#2 RichieUK

Posted 31 May 2007 - 08:50 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, ramla13 :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

First of all, I see nothing suspicious in your log at all, so we'll have to do some digging.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

***********************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

**********************

Please run this online virus scan: Activescan using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.

*********************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Restart your pc.
Post the Activescan report, and the contents of C:\ComboFix.txt into your next reply.


#3 ramla13

Posted 31 May 2007 - 05:14 PM

Thank you for helping me, Richie. Here are my 2 logs:

"Brenda" - 2007-05-31 16:56:55 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Brenda\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fxwnlnhb.dll
C:\WINDOWS\system32\tssfntht.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\retadpu1000106.exe"
"C:\WINDOWS\system32\bszip.dll"
"C:\Temp\tn3"
"C:\WINDOWS\system32\drivers\core.sys"


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-31 ))))))))))))))))))))))))))))))))))


2007-05-31 16:59 <DIR> d-------- C:\Temp\tn3
2007-05-31 15:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-31 15:57 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-05-31 01:57 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-31 01:52 <DIR> d-------- C:\DOCUME~1\Brenda\APPLIC~1\AdobeUM
2007-05-29 18:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-29 15:59 <DIR> d-------- C:\DOCUME~1\Brenda\APPLIC~1\Lavasoft
2007-05-29 15:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-29 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-28 20:01 <DIR> d-------- C:\ba857e7b2abb3377d03087
2007-05-28 19:37 <DIR> d-------- C:\KAV
2007-05-28 18:06 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-05-28 18:06 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-05-28 11:08 <DIR> d-------- C:\VundoFix Backups
2007-05-26 23:20 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-05-26 23:19 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-05-26 23:19 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-05-26 23:19 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-05-26 23:19 <DIR> d-------- C:\Program Files\Alwil Software
2007-05-26 21:20 72,192 --a------ C:\WINDOWS\system32\zlib.dll
2007-05-26 21:20 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-05-26 21:16 <DIR> d-------- C:\WINDOWS\system32\T8
2007-05-26 21:16 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-26 21:16 <DIR> d-------- C:\WINDOWS\system32\T4
2007-05-26 21:16 <DIR> d-------- C:\WINDOWS\system32\T3
2007-05-26 21:16 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-05-26 21:16 <DIR> d-------- C:\WINDOWS\system32\pog
2007-05-26 21:16 <DIR> d-------- C:\Temp\0b9
2007-05-26 21:16 <DIR> d-------- C:\Temp
2007-05-26 21:16 <DIR> d-------- C:\DOCUME~1\ELIZAB~1\APPLIC~1\?ystem32
2007-05-16 16:16 589,824 --a------ C:\WINDOWS\system32\DVDRProX.dll
2007-05-16 16:16 <DIR> d-------- C:\Program Files\Fujifilm e-Systems
2007-05-15 22:50 <DIR> d-------- C:\DOCUME~1\ELIZAB~1\APPLIC~1\Digital Album Organizer
2007-04-14 18:17 <DIR> d-------- C:\Program Files\DellSupport


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-31 21:36:37 -------- d-----w C:\Program Files\SpyNoMore
2007-05-31 21:35:36 -------- d-----w C:\Program Files\MSN Messenger
2007-05-31 21:31:50 -------- d-----w C:\Program Files\Digital Line Detect
2007-05-31 21:31:41 -------- d-----w C:\Program Files\Dell Photo Printer 720
2007-05-31 16:03:16 -------- d-----w C:\Program Files\DIGStream
2007-05-31 06:48:04 -------- d-----w C:\Program Files\Yahoo!
2007-05-31 06:48:01 -------- d-----w C:\Program Files\WordPerfect Office 12
2007-05-31 06:47:49 -------- d-----w C:\Program Files\Modem Helper
2007-05-31 06:47:42 -------- d-----w C:\Program Files\Dell
2007-05-31 06:47:36 -------- d-----w C:\Program Files\Common Files\aolshare
2007-05-31 06:47:35 -------- d-----w C:\Program Files\America Online 9.0
2007-05-28 05:33:32 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-28 05:32:21 -------- d-----w C:\Program Files\Corel
2007-05-28 05:32:21 -------- d-----w C:\Program Files\Common Files\Corel
2007-05-27 20:51:25 -------- d-----w C:\DOCUME~1\Brenda\APPLIC~1\Gtek
2007-05-27 04:39:45 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-05-16 21:16:46 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-31 01:56:38 16,694 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-31 01:56:25 296 --sh--r C:\WINDOWS\system32\833F1F1988.sys
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-11 05:34:32 168 --sh--r C:\WINDOWS\system32\88191F3F83.sys
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-11-04 19:29]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-08-17 09:40]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-12-06 02:05]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 18:42]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 17:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-12 07:34]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-12 07:34]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:30]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2007-04-04 02:02]
"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-12-13 00:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" []
"@"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 07:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-10-12 18:13]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-31 17:01:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-31 17:06:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-31 17:05

--- E O F ---

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Brenda\Cookies\brenda@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Brenda\Cookies\brenda@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Brenda\Cookies\brenda@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Brenda\Cookies\brenda@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Brenda\Cookies\brenda@casalemedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Brenda\Cookies\brenda@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Brenda\Cookies\brenda@fastclick[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Brenda\Cookies\brenda@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Brenda\Cookies\brenda@tribalfusion[2].txt
Virus:Eicar.Mod Not disinfected C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm]
Spyware:Cookie/Weborama Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11E3.tmp
Spyware:Cookie/SpyLog Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13C.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16A.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16C.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq178.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17B.tmp
Spyware:Cookie/AdDynamix Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1FB.tmp
Spyware:Cookie/Com.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq221.tmp
Spyware:Cookie/AdDynamix Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23E.tmp
Spyware:Cookie/Azjmp Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq248.tmp
Spyware:Cookie/Belnk Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq249.tmp
Spyware:Cookie/BurstBeacon Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24C.tmp
Spyware:Cookie/Clickbank Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq250.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25C.tmp
Spyware:Cookie/Hbmediapro Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25D.tmp
Spyware:Cookie/Searchportal Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq263.tmp
Spyware:Cookie/ads.tripod.lycos.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26F.tmp
Spyware:Cookie/Screensavers Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27E.tmp
Spyware:Cookie/Toplist Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq285.tmp
Spyware:Cookie/Winantivirus Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq293.tmp
Spyware:Cookie/Winantivirus Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq294.tmp
Spyware:Cookie/Winantivirus Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq295.tmp
Spyware:Cookie/Xiti Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq296.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E3.tmp
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq333.tmp
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq334.tmp
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq336.tmp
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq337.tmp
Spyware:Cookie/HotLog Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq338.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq339.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33A.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33B.tmp
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33C.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33D.tmp
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33E.tmp
Adware:Adware/Yazzle Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34E.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3EE.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3F.tmp
Spyware:Cookie/2o7 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp
Spyware:Cookie/Adtech Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq49.tmp
Spyware:Cookie/Belnk Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq490.tmp
Spyware:Cookie/Belnk Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq491.tmp
Spyware:Cookie/Enhance Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq492.tmp
Spyware:Cookie/OfferOptimizer Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq494.tmp
Spyware:Cookie/PointRoll Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq495.tmp
Spyware:Cookie/Bfast Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4C.tmp
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F.tmp
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq50.tmp
Spyware:Cookie/CentrPort Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51.tmp
Spyware:Cookie/Bridgetrack Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp
Spyware:Cookie/Com.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp
Spyware:Cookie/FortuneCity Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5D.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5E.tmp
Spyware:Cookie/Adserver Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5E4.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp
Spyware:Cookie/Linksynergy Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq62.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq623.tmp
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq624.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq63.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq67.tmp
Spyware:Cookie/Dbbsrv Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq67F.tmp
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6B.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6C.tmp
Spyware:Cookie/onestat.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6D.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E.tmp
Spyware:Cookie/Adviva Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E7.tmp
Spyware:Cookie/Linksynergy Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E8.tmp
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F.tmp
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70.tmp
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq71.tmp
Spyware:Cookie/Clicktracks Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq71D.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq71E.tmp
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq72.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75F.tmp
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq76.tmp
Spyware:Cookie/FortuneCity Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq760.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq77.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq776.tmp
Spyware:Cookie/Adserver Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq78.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq78C.tmp
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq79.tmp
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq894.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq97.tmp
Spyware:Cookie/onestat.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9C0.tmp
Spyware:Cookie/BurstBeacon Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB0D.tmp
Spyware:Cookie/Xiti Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB14.tmp
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB53.tmp
Spyware:Cookie/HotLog Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB54.tmp
Spyware:Cookie/Toplist Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCB.tmp
Spyware:Cookie/Winantivirus Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCC.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDB.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDC.tmp
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDD.tmp
Spyware:Cookie/Bridgetrack Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDE.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE0.tmp
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE11.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE2.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE3.tmp
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE4.tmp
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE5.tmp
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE7.tmp
Spyware:Cookie/Winantivirus Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE8.tmp
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hgghhge.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hjpoarab.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\rqrspqn.dll.bad
Adware:Adware/WinAntivirus2006 Not disinfected C:\VundoFix Backups\xbpstrsv.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ykwxnbml.dll.bad
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\retadpu1000106.exe
Hacktool:Rootkit/NTRootkit.AJ Not disinfected C:\WINDOWS\system32\drivers\core.sys
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fxwnlnhb.dll
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\T1QaSQ\T1QaSQ1065.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\tssfntht.dll

#4 ramla13
  • Topic Starter

Posted 31 May 2007 - 05:14 PM

Didn't mean to post it twice...sorry about that.

Edited by ramla13, 31 May 2007 - 05:17 PM.


#5 RichieUK
  • Malware Assassin
  • Malware Response Team

Posted 31 May 2007 - 05:24 PM

Restart your PC, post a new HijackThis log please.
Let me know how your PC is running now.

#6 ramla13
  • Topic Starter

Posted 31 May 2007 - 06:19 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:14:06 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://62.4.84.53/trafc-2/rfe.php?cmp=avs2...1&lid=av_09
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



My PC is running much better now. No pop-ups, nothing seems to be wrong.

#7 RichieUK
  • Malware Assassin
  • Malware Response Team

Posted 31 May 2007 - 07:56 PM

Your log is clean :thumbsup:
If all's OK, please do the following:

Find and delete:
Combofix
C:\QooBox
C:\VundoFix Backups

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on OK.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#8 ramla13
  • Topic Starter

Posted 31 May 2007 - 08:41 PM

Thank you very much for all your help! :thumbsup:

#9 RichieUK
  • Malware Assassin
  • Malware Response Team

Posted 01 June 2007 - 03:10 AM

You're most welcome ramla13 :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.



