Filecabinet013

HALP! MY COMPUTER IS INFECTED


3 days ago my computer picked up some virus and the symptoms have gone from locking up and showing me a blue screen with Korean characters, to infinite popups, to false Norton warnings. I have joined 2 other forums and nobody has offered to help. I have used the following programs and nothing has cleaned everything out.

 

adaware2007 removed 1 malware and 1 virus

Smitfraudfix did nothing

vundofix removed 14 errors

spybot removed 12 errors

 

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:31:00 AM, on 2/2/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\QuickTime\QTTask.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Napster\napster.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\iTunes\iTunes.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.facebook.com/

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [iS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvcow.dll,startup

O4 - HKLM\..\Run: [5cca4689] rundll32.exe "C:\WINDOWS\system32\gvhajmhq.dll",b

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 9341 bytes

 

 

Somebody please help and prove that this forum is better than the other places that claimed to have "reliable and timely support".


filecabinet013

 

Sorry for the delay

 

If you have posted this log at other forums, please cancel your posts and we will help you here.

 

Please download Combofix and save to your desktop:

    Note: It is important that it is saved directly to your desktop
    Close any open browsers.
    Double click on combofix.exe and follow the prompts.
    When it's finished it will produce a log.
    Post the contents of the C:\ComboFix.txt into your next reply.
    Note: Do not mouseclick combofix's window whilst it's running.
    That may cause the program to freeze/hang.


I did as you said... I cannot find the combofix.txt file that looks like a log... however I did find what appears to be an irrelevant file named combofix.txt... here is what was inside:

 

ComboFix 08-02.05.3 - Owner 2008-02-10 17:37:29.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.172 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.


filecabinet013

 

That's of little help. It appears that the tool did not finish.

 

Reboot into Safe Mode and rerun ComboFix, then post the results of the C:\Combofix.txt.

 

If no luck there, then we are going to switch tools.

 

Go HERE and Download System Repair Engineer by smallfrogs

Select local download 1 or 2

    Save it to your Desktop
    Rt Click sreng2.zip->>Extract all->>Extract it to your desktop
    Open the sreng folder
    Double click SREngPS.exe->>Click Run
    At the main Window, in the left Pane, Select Smart Scan
    At the next window make sure all of the boxes are checked and Select Scan
    When the scan is complete Select Save reports
    Save it to your desktop and Close the tool
    Double Click SREngLog.txt copy and paste that log as a reply to this thread

Do not run any other options with this tool unless instructed to do so.


ComboFix in Safe Mode apparently worked.

 

Safe Mode ComboFix log:

ComboFix 08-02.05.3 - Owner 2008-02-11 14:03:42.3 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.369 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\WINDOWS\system32\dasmcbcl.dll

C:\WINDOWS\system32\dvrodjgg.ini

C:\WINDOWS\system32\gbuowkfy.dll

C:\WINDOWS\system32\ggjdorvd.dll

C:\WINDOWS\system32\gvhajmhq.dll

C:\WINDOWS\system32\hwksuhgr.dll

C:\WINDOWS\system32\ilglcyuv.dll

C:\WINDOWS\system32\kaxmsgdo.ini

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\mkthnbfb.dll

C:\WINDOWS\system32\noemacby.dll

C:\WINDOWS\system32\odgsmxak.dll

C:\WINDOWS\system32\orqss.ini

C:\WINDOWS\system32\orqss.ini2

C:\WINDOWS\system32\pmcthlkv.ini

C:\WINDOWS\system32\qhmjahvg.ini

C:\WINDOWS\system32\rsamjukw.dll

C:\WINDOWS\system32\ssqro.dll

C:\WINDOWS\system32\uttss.ini

C:\WINDOWS\system32\uttss.ini2

C:\WINDOWS\system32\vklhtcmp.dll

C:\WINDOWS\system32\yayxwwv.dll

C:\WINDOWS\system32\yskbffcl.dll

C:\WINDOWS\system32\zfujrosu.dll

C:\WINDOWS\system32\zfujrosu.dllbox

D:\Autorun.inf

 

.

((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))

.

 

2008-02-10 17:47 . 2008-02-10 18:06 60,416 --a------ C:\WINDOWS\system32\drivers\ComboFix.sys

2008-02-05 12:38 . 2008-02-05 20:33 886 --ahs---- C:\WINDOWS\system32\qyvlbguu.ini

2008-02-04 12:37 . 2008-02-05 12:37 766 --ahs---- C:\WINDOWS\system32\ynmphshb.ini

2008-02-02 12:35 . 2008-02-04 10:40 354 --ahs---- C:\WINDOWS\system32\gucifpyk.ini

2008-01-31 10:43 . 2008-01-31 11:05 <DIR> d-------- C:\VundoFix Backups

2008-01-31 10:28 . 2008-01-31 10:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-01-31 10:28 . 2008-01-31 10:28 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-01-31 10:28 . 2008-01-31 10:28 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-01-31 10:28 . 2008-01-31 10:28 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-01-30 22:51 . 2008-01-30 22:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-01-30 22:51 . 2008-01-30 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-01-30 16:00 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-01-30 16:00 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-01-30 16:00 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-01-30 16:00 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-01-30 16:00 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-01-30 16:00 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-01-30 15:53 . 2008-01-30 16:03 5,552 --a------ C:\WINDOWS\system32\tmp.reg

2008-01-30 15:24 . 2008-01-30 15:24 18,944 --a------ C:\WINDOWS\system32\drvcow.dll

2008-01-24 16:20 . 2008-01-24 16:20 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-24 16:20 . 2008-01-24 16:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-01-24 16:20 . 2008-01-24 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-11 00:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-02-01 20:08 --------- d-----w C:\Program Files\Magic Workstation

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{702B1160-5AFA-419D-87BD-A49390F78238}]

C:\WINDOWS\system32\jkhfe.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2AB07FC-6151-485D-9062-58105BC938F3}]

C:\WINDOWS\system32\ssttu.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 15:17 50736]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 09:55 68856]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 12:04 59392]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 11:36 36975]

"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 16:04 135168]

"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 15:42 79448]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]

"CHotkey"="zHotkey.exe" []

"ShowWnd"="ShowWnd.exe" [2003-09-19 10:09 36864 C:\WINDOWS\ShowWnd.exe]

"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]

"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 18:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [2003-11-10 19:23 369664]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-01 13:00 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-01 12:55 126976]

"SoundMan"="SOUNDMAN.EXE" [2004-10-21 16:20 77824 C:\WINDOWS\SOUNDMAN.EXE]

"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 19:44 2744832 C:\WINDOWS\ALCWZRD.EXE]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]

"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-12 20:28 431752]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 01:11 771704]

"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-06-30 10:49 99480]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]

"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-01-12 18:36 323216]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]

"MSDisp32"="C:\WINDOWS\system32\drvcow.dll" [2008-01-30 15:24 18944]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

R3 MAC607;MAC607 Filter;C:\WINDOWS\system32\DRIVERS\MAC607.sys [2007-02-02 21:38]

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2008-02-07 22:57:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-11 14:06:34

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-02-11 14:09:49

ComboFix-quarantined-files.txt 2008-02-11 20:09:46

.

2008-01-14 09:01:47 --- E O F ---


filecabinet013

 

This needs to be performed in Normal Windows mode if possible.

 

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

 

File::

C:\WINDOWS\system32\qyvlbguu.ini

C:\WINDOWS\system32\ynmphshb.ini

C:\WINDOWS\system32\gucifpyk.ini

C:\WINDOWS\system32\drvcow.dll

C:\WINDOWS\system32\jkhfe.dll

C:\WINDOWS\system32\ssttu.dll

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{702B1160-5AFA-419D-87BD-A49390F78238}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2AB07FC-6151-485D-9062-58105BC938F3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSDisp32"=-

 

Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

 

Using the Image as a reference, drag CFScript into ComboFix.exe

 

[Image: Combo-Do.gif]

    You will be prompted to run Combofix again, Do so
    Following the same rules as indicated in my first post
    Then post the contents of the C:\ComboFix.txt log in your reply

2. Rerun HijackThis and post a fresh HijackThis log as well
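As an added example for this thread (not a tool the helper used, and not HijackThis or ComboFix code), the script below parses HijackThis O4 lines the way a defender triaging such a log might: it flags entries that share the two traits of the items removed above (a Run value named with eight hex digits, and rundll32.exe loading a random-looking DLL name from system32), and it compares two scans to report a Run value whose target file changed between them, as 5cca4689 did between the two logs posted here. The heuristics are assumptions of this example, not a signature, and the sample lines are constructed to resemble the posted logs.

```python
"""Triage HijackThis O4 autorun entries and diff two scans.

Added example for this thread, not a tool the helper used. The heuristics
below are the example author's own assumptions, chosen to mirror what the
entries removed in the thread have in common; the sample log lines are
constructed to resemble the posted logs.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: O4 lines from two scans of the same machine. The Run
# value "5cca4689" points at a differently named DLL in each scan.
SCAN_1 = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvcow.dll,startup
O4 - HKLM\..\Run: [5cca4689] rundll32.exe "C:\WINDOWS\system32\gvhajmhq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

SCAN_2 = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [5cca4689] rundll32.exe "C:\WINDOWS\system32\bhshpmny.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Shape of a line: "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# First drive-letter path ending in .dll or .exe inside the command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')
VOWELS = set('aeiouy')

Entry = Tuple[str, Optional[str]]  # (command line, target file or None)


def parse_o4(lines: List[str]) -> Dict[Tuple[str, str], Entry]:
    """Map (hive, value name) -> (command line, first dll/exe path found)."""
    entries: Dict[Tuple[str, str], Entry] = {}
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 Run entry (other sections, blank lines)
        cmd = m.group('cmd')
        p = PATH_RE.search(cmd)
        entries[(m.group('hive'), m.group('name'))] = (cmd, p.group(0) if p else None)
    return entries


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 6+ lowercase letters with at most one vowel."""
    return len(stem) >= 6 and stem.isalpha() and stem.islower() and sum(c in VOWELS for c in stem) <= 1


def suspicion_reasons(name: str, cmd: str, target: Optional[str]) -> List[str]:
    """Return the human-readable reasons an entry trips a heuristic (empty if none)."""
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append('Run value name is eight hex digits')
    if 'rundll32' in cmd.lower() and target and target.lower().endswith('.dll'):
        if '\\system32\\' in target.lower():
            stem = target.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            if looks_random(stem):
                reasons.append('rundll32 loads a random-looking DLL name from system32')
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, Optional[str], List[str]]]:
    """Return (value name, target, reasons) for every entry that trips a heuristic."""
    flagged = []
    for (hive, name), (cmd, target) in parse_o4(lines).items():
        reasons = suspicion_reasons(name, cmd, target)
        if reasons:
            flagged.append((name, target, reasons))
    return flagged


def renamed_targets(before: List[str], after: List[str]) -> Dict[str, Tuple[str, str]]:
    """Run values present in both scans whose target file changed in between."""
    a, b = parse_o4(before), parse_o4(after)
    changed = {}
    for key in a.keys() & b.keys():
        t1, t2 = a[key][1], b[key][1]
        if t1 and t2 and t1.lower() != t2.lower():
            changed[key[1]] = (t1, t2)
    return changed


if __name__ == '__main__':
    for name, target, reasons in triage(SCAN_1.splitlines()):
        print(f'[{name}] {target}: ' + '; '.join(reasons))
    for name, (old, new) in renamed_targets(SCAN_1.splitlines(), SCAN_2.splitlines()).items():
        print(f'[{name}] target changed between scans: {old} -> {new}')
```

The random-name check is deliberately applied only to DLLs loaded through rundll32.exe; applied to every O4 entry it would also flag legitimate short names such as ctfmon, so treat its output as a list of entries to research (ComboFix's deletion list and the CFScript above are the confirmation step), not as a verdict.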


New ComboFix log:

 

ComboFix 08-02.05.3 - Owner 2008-02-11 17:30:38.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.232 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE

C:\WINDOWS\system32\drvcow.dll

C:\WINDOWS\system32\gucifpyk.ini

C:\WINDOWS\system32\jkhfe.dll

C:\WINDOWS\system32\qyvlbguu.ini

C:\WINDOWS\system32\ssttu.dll

C:\WINDOWS\system32\ynmphshb.ini

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\drvcow.dll

C:\WINDOWS\system32\gucifpyk.ini

C:\WINDOWS\system32\qyvlbguu.ini

C:\WINDOWS\system32\ynmphshb.ini

 

.

((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))

.

 

2008-02-10 17:47 . 2008-02-10 18:06 60,416 --a------ C:\WINDOWS\system32\drivers\ComboFix.sys

2008-02-10 17:33 . 2004-08-10 13:00 388,608 --a------ C:\kmd.exe

2008-01-31 10:43 . 2008-01-31 11:05 <DIR> d-------- C:\VundoFix Backups

2008-01-31 10:28 . 2008-01-31 10:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-01-31 10:28 . 2008-01-31 10:28 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-01-31 10:28 . 2008-01-31 10:28 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-01-31 10:28 . 2008-01-31 10:28 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-01-30 22:51 . 2008-01-30 22:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-01-30 22:51 . 2008-01-30 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-01-30 16:00 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-01-30 16:00 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-01-30 16:00 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-01-30 16:00 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-01-30 16:00 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-01-30 16:00 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-01-30 15:53 . 2008-01-30 16:03 5,552 --a------ C:\WINDOWS\system32\tmp.reg

2008-01-24 16:20 . 2008-01-24 16:20 <DIR> d-------- C:\Program Files\Lavasoft

2008-01-24 16:20 . 2008-01-24 16:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-01-24 16:20 . 2008-01-24 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-11 20:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-02-01 20:08 --------- d-----w C:\Program Files\Magic Workstation

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 15:17 50736]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 09:55 68856]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 12:04 59392]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 11:36 36975]

"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 16:04 135168]

"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 15:42 79448]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]

"CHotkey"="zHotkey.exe" []

"ShowWnd"="ShowWnd.exe" [2003-09-19 10:09 36864 C:\WINDOWS\ShowWnd.exe]

"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]

"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 18:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [2003-11-10 19:23 369664]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-01 13:00 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-01 12:55 126976]

"SoundMan"="SOUNDMAN.EXE" [2004-10-21 16:20 77824 C:\WINDOWS\SOUNDMAN.EXE]

"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 19:44 2744832 C:\WINDOWS\ALCWZRD.EXE]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]

"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-12 20:28 431752]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 01:11 771704]

"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-06-30 10:49 99480]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]

"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-01-12 18:36 323216]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]

"5cca4689"="C:\WINDOWS\system32\bhshpmny.dll" [ ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zfujrosu]

 

R3 MAC607;MAC607 Filter;C:\WINDOWS\system32\DRIVERS\MAC607.sys [2007-02-02 21:38]

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2008-02-07 22:57:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-11 17:33:41

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-02-11 17:37:59

ComboFix-quarantined-files.txt 2008-02-11 23:37:57

ComboFix2.txt 2008-02-11 20:09:50

.

2008-01-14 09:01:47 --- E O F ---

 

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:40:37 PM, on 2/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Napster\napster.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.facebook.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [iS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [5cca4689] rundll32.exe "C:\WINDOWS\system32\bhshpmny.dll",b

O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvcow.dll,startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: zfujrosu - C:\WINDOWS\

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 10014 bytes


filecabinet013

 

We need to temporarily disable Spybot-S&D TeaTimer so it doesn't interfere with our fix.

    1) Run Spybot-S&D
    2) Go to the Mode menu, and make sure "Advanced Mode" is selected
    3) On the left hand side, choose Tools -> Resident
    4) Uncheck "Resident TeaTimer" and OK any prompts
    5) Restart your computer.

1. Rerun HijackThis (scan only) and place checks beside the following entries:

    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [5cca4689] rundll32.exe "C:\WINDOWS\system32\bhshpmny.dll",b
    O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvcow.dll,startup
    O20 - Winlogon Notify: zfujrosu - C:\WINDOWS\

Close all other open windows except HijackThis and select "Fix checked".

 

Close HijackThis ->> Reboot your PC ->> Rerun HijackThis and post a fresh HijackThis log.

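Added example, not part of this thread or of HijackThis: a small Python triage script over the O4 (Run key) and O20 (Winlogon Notify) lines that spells out why the rundll32 and Winlogon Notify entries in the removal list above stand out (a hex-only value name, a vowel-less DLL name, a one-character entry point, a Notify package that names no DLL). The sample lines are copied from the first log posted above; the heuristics and the severity levels are assumptions for illustration, not HijackThis's own logic.

```python
"""Triage O4 (Run key) and O20 (Winlogon Notify) lines from a HijackThis log.

Added example for this thread; not part of HijackThis or of the original
posts. The sample lines are copied from the first log above; the
heuristics are assumptions that spell out why the removal list singled
out the rundll32 and Winlogon Notify entries.
"""
import re
from dataclasses import dataclass

# Constructed sample: benign and flagged entries from the first log above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [5cca4689] rundll32.exe "C:\WINDOWS\system32\bhshpmny.dll",b
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvcow.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: zfujrosu - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
# rundll32 <dll>,<entrypoint>; the DLL path may or may not be quoted.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S*)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    entry: str      # the log line that triggered the finding
    severity: str   # "high", "medium" or "info"
    reason: str


def is_hex_name(name: str) -> bool:
    """Assumed heuristic: a Run value name made only of hex digits, with at
    least one numeral (e.g. 5cca4689), looks machine-generated."""
    return bool(re.fullmatch(r'[0-9a-fA-F]{6,}', name)) and any(c.isdigit() for c in name)


def consonant_only(stem: str) -> bool:
    """Assumed heuristic: a 6-10 letter file name with no vowels
    (e.g. bhshpmny) matches no vendor naming pattern."""
    s = stem.lower()
    return bool(re.fullmatch(r'[a-z]{6,10}', s)) and not any(c in 'aeiou' for c in s)


def _o4_findings(name: str, cmd: str, line: str) -> list[Finding]:
    cmd = cmd.strip()
    if not cmd:
        return []
    m = RUNDLL_RE.match(cmd)
    if m:
        # A DLL loaded through rundll32 at logon is normal for some vendor
        # tools, so escalate only when the names themselves look generated.
        dll, entry = m['dll'], m['entry']
        stem = dll.replace('/', '\\').rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        why = []
        if is_hex_name(name):
            why.append(f'generated-looking value name [{name}]')
        if consonant_only(stem):
            why.append(f'random-looking DLL name {stem}.dll')
        if len(entry) <= 1:
            why.append(f'one-character entry point "{entry}"')
        if why:
            return [Finding(line, 'high', 'rundll32 loads a DLL at logon: ' + '; '.join(why))]
        return [Finding(line, 'medium', 'rundll32 loads a DLL at logon: confirm the DLL belongs to an installed product')]
    # A bare file name (no directory) is resolved through the search path
    # rather than a fixed location, so it is worth locating by hand.
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    if '\\' not in first:
        return [Finding(line, 'info', f'unqualified executable name {first}: resolved via search path, verify its location')]
    return []


def _o20_finding(name: str, path: str, line: str) -> Finding:
    # A Winlogon Notify package is a DLL; an entry that names only a folder
    # (as zfujrosu does above) cannot be a legitimate registration.
    if not path.strip().lower().endswith('.dll'):
        return Finding(line, 'high', f'Winlogon Notify package {name} points at "{path.strip()}", not at a DLL')
    return Finding(line, 'info', f'Winlogon Notify DLL {path.strip()}: confirm it belongs to an installed product')


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per notable O4/O20 line; other sections are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            findings.extend(_o4_findings(m['name'], m['cmd'], line))
        elif (m := O20_RE.match(line)):
            findings.append(_o20_finding(m['name'], m['path'], line))
    return findings


if __name__ == '__main__':
    order = {'high': 0, 'medium': 1, 'info': 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f'[{f.severity:6}] {f.reason}\n          {f.entry}')
```

Run against the sample, the two entries the helper fixed with rundll32 and the bare-folder Winlogon Notify line come out high or medium, while the vendor entries with full paths produce no finding at all.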

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:37:26 AM, on 2/12/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Napster\napster.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

C:\Program Files\AIM6\aolsoftware.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.facebook.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [iS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 9569 bytes


filecabinet013

 

Almost there. How's your PC running?

 

Please perform an Ewido Online Malware Scan

  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner, please click Yes to allow the download.
  • Click on Start Scan.
  • After the scan completes it will produce a log for you. Copy and paste the results of that scan as a reply to this thread.
  • If any infections are found (after you save the logfile), click on Remove Infections.


The computer is running a lot better... all the visible problems (i.e. infinite popups and Korean gibberish) have gone away; the computer is also running noticeably faster.

 

_________________________________________________

ewido anti-spyware online scanner

http://www.ewido.net

__________________________________________________

 

 

Name: TrackingCookie.2o7

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.2o7

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.2o7

Path: C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Risk: Medium

 

Name: TrackingCookie.Adbrite

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Adbrite

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Yieldmanager

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Adbrite

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Specificclick

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Adrevolver

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Adrevolver

Path: C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Risk: Medium

 

Name: TrackingCookie.Adbrite

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Pointroll

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Adtech

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Advertising

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Advertising

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Tacoda

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Atdmt

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Atdmt

Path: C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Risk: Medium

 

Name: TrackingCookie.Bluestreak

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.2o7

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Serving-sys

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Serving-sys

Path: C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Risk: Medium

 

Name: TrackingCookie.Casalemedia

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Com

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Doubleclick

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Ru4

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Ru4

Path: C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Risk: Medium

 

Name: TrackingCookie.Hitbox

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Hitbox

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Fastclick

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.2o7

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Adrevolver

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Adrevolver

Path: C:\Documents and Settings\Owner\Cookies\[email protected][4].txt

Risk: Medium

 

Name: TrackingCookie.Mediaplex

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Mediaplex

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Overture

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.2o7

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Questionmarket

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Questionmarket

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Questionmarket

Path: C:\Documents and Settings\Owner\Cookies\[email protected][4].txt

Risk: Medium

 

Name: TrackingCookie.Realmedia

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Revsci

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Revsci

Path: C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Risk: Medium

 

Name: TrackingCookie.Adjuggler

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Serving-sys

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Serving-sys

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Specificclick

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Specificclick

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Specificclick

Path: C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Risk: Medium

 

Name: TrackingCookie.Spylog

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Netflame

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Statcounter

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Adbrite

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Tacoda

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Tacoda

Path: C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Risk: Medium

 

Name: TrackingCookie.Toplist

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Trafficmp

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Tribalfusion

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Tribalfusion

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Tribalfusion

Path: C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Risk: Medium

 

Name: TrackingCookie.Etracker

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Safer-networking

Path: C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Yadro

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Zedo

Path: C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Statcounter

Path: :mozilla.14:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.2o7

Path: :mozilla.15:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.2o7

Path: :mozilla.16:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.2o7

Path: :mozilla.17:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Burstnet

Path: :mozilla.20:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Ru4

Path: :mozilla.26:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Imrworldwide

Path: :mozilla.28:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Imrworldwide

Path: :mozilla.29:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Realmedia

Path: :mozilla.42:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Trafficmp

Path: :mozilla.45:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Trafficmp

Path: :mozilla.46:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Trafic

Path: :mozilla.47:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Tribalfusion

Path: :mozilla.48:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Yieldmanager

Path: :mozilla.52:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: TrackingCookie.Yieldmanager

Path: :mozilla.53:C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wx582f0k.default\cookies.txt

Risk: Medium

 

Name: Trojan.ClassLoader.g

Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-3be9129a.zip/Dex.class

Risk: High

 

Name: Trojan.ClassLoader.g

Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-3be9129a.zip/Dix.class

Risk: High

 

Name: Trojan.ClassLoader.g

Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-3be9129a.zip/Dux.class

Risk: High

 

Name: TrackingCookie.Admarketplace

Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Yieldmanager

Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt

Risk: Medium

 

Name: TrackingCookie.Specificclick

Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt

Risk: Medium

 

Name: TrackingCookie.Realcastmedia

Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt
Risk: Medium

Name: TrackingCookie.Paypopup
Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
Risk: Medium

Name: TrackingCookie.Starware
Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt
Risk: Medium

Name: TrackingCookie.Yadro
Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
Risk: Medium

Name: Downloader.IstBar.ai
Path: C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\9OGZXD05\enter[1].htm
Risk: High

Name: Adware.Trymedia
Path: C:\My Backup -- 18-08-07 1158\Downloads\FishTycoonGESetup-dm[1].exe
Risk: Medium

Name: Adware.Trymedia
Path: C:\My Backup -- 18-08-07 1158\Downloads\RobotArena2-dm[1].exe
Risk: Medium

Name: Downloader.TSUpdate.j
Path: C:\My Backup -- 18-08-07 1158\Program Files\Common Files\fwfr\fwfrd\vocabulary
Risk: High

Name: Trojan.Delf.li
Path: C:\My Backup -- 18-08-07 1158\Program Files\Trillian\patch.exe
Risk: High

Name: TrackingCookie.Skype
Path: C:\My Backup -- 18-08-07 1158\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
Risk: Medium

Name: TrackingCookie.Aavalue
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Cookies\[email protected][2].txt
Risk: Medium

Name: TrackingCookie.Burstnet
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Cookies\[email protected][1].txt
Risk: Medium

Name: TrackingCookie.Com
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Cookies\[email protected][2].txt
Risk: Medium

Name: TrackingCookie.Ru4
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Cookies\[email protected][1].txt
Risk: Medium

Name: TrackingCookie.Aavalue
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Cookies\[email protected][1].txt
Risk: Medium

Name: TrackingCookie.Starware
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Cookies\[email protected][2].txt
Risk: Medium

Name: TrackingCookie.Toplist
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Cookies\[email protected][1].txt
Risk: Medium

Name: TrackingCookie.Burstbeacon
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Cookies\[email protected][1].txt
Risk: Medium

Name: TrackingCookie.Paypal
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Cookies\[email protected][1].txt
Risk: Medium

Name: Not-A-Virus.Exploit.HTML.MHT
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\49S9A7OD\ads[1].htm
Risk: Low

Name: Not-A-Virus.Exploit.HTML.Mht
Path: C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I2NVTKF3\help[1].htm
Risk: Low
Edited by filecabinet013


filecabinet013

You may now remove/delete/uninstall the tools we used to clean your PC.

Now that your log is clean

There are some final notes:

Disable and Enable System Restore

    Let's create a clean System Restore point
    the instructions are here

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

    Download the latest version of
    Java Runtime Environment (JRE) 6.u4.
    Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    Click the "Download" button to the right.
    Check the box that says: "Accept License Agreement".
    The page will refresh.
    Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    Close any programs you may have running - especially your web browser.
    Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    Click the Remove or Change/Remove button.
    Repeat as many times as necessary to remove each Java version.
    Reboot your computer once all Java components are removed.
    Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.

Update your Anti-Virus Software

Use and maintain a Firewall

Download and install SiteHound by Firetrust for protection against malicious websites.

Pick the version that matches your browser

Visit Microsoft's Windows Update site frequently for critical updates

Back up your Important Documents and Files on a regular basis

    To a disc or a USB key, not your hard drive

You may want to read this article "So how did I get infected in the first place" by Tony Klein

surf safe
