Filecabinet013

HUGE Problem


I've used these forums before and they have been truly helpful. My roommate's computer went down yesterday, added popups, changed his desktop to a red biohazard logo saying something along the lines of "your privacy is in danger". I attempted to run Ad-Aware but I got the response of "not enough memory". The computer is running significantly slower and had trouble downloading and running HijackThis. After about an hour it finally ran.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:52:45 AM, on 4/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Documents and Settings\All Users\Application Data\dwfqryxa\fclmrsvk.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Napster\napster.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\antiviirus.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\tmp0.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\xexifwdu.exe

C:\Program Files\tmp1.exe

C:\Program Files\tmp2.exe

C:\Program Files\tmp3.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Owner\Desktop\spyware removal kit\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.facebook.com/

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: vnbptxlf - {273127BD-6681-45C8-A0FB-205BE4AEFBF8} - C:\WINDOWS\vnbptxlf.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [iS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe

O4 - HKLM\..\Run: [5cca4689] rundll32.exe "C:\WINDOWS\system32\gxujcxih.dll",b

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [oeaeyqar] C:\WINDOWS\system32\xexifwdu.exe

O4 - HKLM\..\Policies\Explorer\Run: [hFo82DNMwU] C:\Documents and Settings\All Users\Application Data\dwfqryxa\fclmrsvk.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O21 - SSODL: CheckDrv - {42918a86-bc0e-4e82-9c1a-307cfe00fcd4} - C:\WINDOWS\Resources\CheckDrv.dll

O21 - SSODL: zip - {d2d6ab80-00b0-41b2-9bfa-8bca8132d73f} - C:\WINDOWS\Installer\{d2d6ab80-00b0-41b2-9bfa-8bca8132d73f}\zip.dll

O21 - SSODL: qdnkewfa - {F20BBC30-EFB0-4D96-85C3-49EB2E89E336} - C:\WINDOWS\qdnkewfa.dll

O21 - SSODL: mgsvflkw - {04A0F780-E54B-4519-9C27-9003F06EC8DC} - C:\WINDOWS\mgsvflkw.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 10829 bytes

 

Also, this Spyware Doctor program seems to be rather annoying and useless... anyone know what that is?

 

Please help as soon as you can!!!!


Hello. ;)

 

Also, this Spyware Doctor program seems to be rather annoying and useless... anyone know what that is?

 

Please help as soon as you can!!!!

Spyware Doctor is a legit anti-malware app by PC Tools... It does have a lot of false positives, though. You can uninstall it if you wish.

 

Please print these instructions out, or write them down, as you can't read them during the fix.

 

Please download SDFix and save it to your desktop.

  • Double-click on SDFix.exe to extract the files to C:\SDFix
  • DO NOT use it just yet.

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer.

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear.

4) Select the first option, to run Windows in Safe Mode.

5) Login to your usual account.

  • Once in Safe Mode, open the SDFix folder & double-click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply along with a fresh HijackThis log.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."

Please go to Start Menu > Run > and copy/paste the following line:

%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg

Press Ok and then run SDFix again.

 

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:

%systemdrive%\SDFix\apps\FixPath.exe /Q

Reboot and then run SDFix again.

 

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.

%SystemRoot%\system32\cmd.exe


On a somewhat amusing note.... one of the symptoms that I hadn't noticed until this morning before I got your reply was random rap music would play..... by rap music I mean a single 30 second clip of one really bad rap song would loop very loudly... I laughed out loud really hard at that...

 

Anywhose, SDFix was amazing... here's the 2 logs.

 

 

SDFix: Version 1.170

Run by Owner on Sun 04/13/2008 at 10:40 PM

 

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Default HomePage Value

Restoring Default Desktop Components Value

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\Installer\{d2d6ab80-00b0-41b2-9bfa-8bca8132d73f}\zip.dll - Deleted

C:\WINDOWS\Resources\CheckDrv.dll - Deleted

C:\Program Files\tmp0.exe - Deleted

C:\Program Files\tmp1.exe - Deleted

C:\Program Files\tmp2.exe - Deleted

C:\Program Files\tmp3.exe - Deleted

C:\Documents and Settings\Owner\Desktop\Error Cleaner.url - Deleted

C:\Documents and Settings\Owner\Favorites\Error Cleaner.url - Deleted

C:\Documents and Settings\Owner\Desktop\Privacy Protector.url - Deleted

C:\Documents and Settings\Owner\Favorites\Privacy Protector.url - Deleted

C:\Documents and Settings\Owner\Desktop\Spyware&Malware Protection.url - Deleted

C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url - Deleted

C:\WINDOWS\privacy_danger\index.htm - Deleted

C:\WINDOWS\privacy_danger\images\capt.gif - Deleted

C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted

C:\WINDOWS\privacy_danger\images\down.gif - Deleted

C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted

C:\Program Files\akl\akl.dll - Deleted

C:\Program Files\akl\akl.exe - Deleted

C:\Program Files\akl\uninstall.exe - Deleted

C:\Program Files\akl\unsetup.exe - Deleted

C:\WINDOWS\temlxopqpkd.dll - Deleted

C:\Program Files\antiviirus.exe - Deleted

C:\WINDOWS\apoxqwfv.exe - Deleted

C:\WINDOWS\iTunesMusic.exe - Deleted

C:\WINDOWS\mgsvflkw.dll - Deleted

C:\WINDOWS\qdnkewfa.dll - Deleted

C:\WINDOWS\rs.txt - Deleted

C:\WINDOWS\vnbptxlf.dll - Deleted

C:\WINDOWS\Web\def.htm - Deleted

 

 

Could Not Remove C:\WINDOWS\system32smp

 

Folder C:\WINDOWS\Installer\{d2d6ab80-00b0-41b2-9bfa-8bca8132d73f} - Removed

Folder C:\Program Files\akl - Removed

Folder C:\WINDOWS\privacy_danger - Removed

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-13 23:16:40

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

Remaining Files :

 

C:\WINDOWS\system32smp Found

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Fri 1 Dec 2006 0 A..H. --- "C:\My Backup -- 18-08-07 1158\Downloads\pierre_canali_deck.mp4.zip"

Mon 25 Jun 2007 7,239 A..H. --- "C:\My Backup -- 18-08-07 1158\temp\t4.bak"

Mon 25 Jun 2007 7,236 A..H. --- "C:\My Backup -- 18-08-07 1158\temp\t4.bak1"

Mon 25 Jun 2007 6,657 A..H. --- "C:\My Backup -- 18-08-07 1158\temp\t4.bak2"

Mon 25 Jun 2007 7,252 A..H. --- "C:\My Backup -- 18-08-07 1158\temp\t4.bak3"

Mon 25 Jun 2007 7,250 A..H. --- "C:\My Backup -- 18-08-07 1158\temp\t4.bak4"

Tue 12 Dec 1989 820,000 ..SHR --- "C:\My Backup -- 18-08-07 1158\WINDOWS\bvpypen.exe"

Wed 30 Jun 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"

Wed 30 Jun 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"

Wed 30 Jun 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"

Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Mon 17 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Fri 7 May 2004 54,384 A..H. --- "C:\My Backup -- 18-08-07 1158\Program Files\America Online 9.0\aolphx.exe"

Fri 7 May 2004 156,784 A..H. --- "C:\My Backup -- 18-08-07 1158\Program Files\America Online 9.0\aoltray.exe"

Fri 7 May 2004 31,344 A..H. --- "C:\My Backup -- 18-08-07 1158\Program Files\America Online 9.0\RBM.exe"

Mon 3 Oct 2005 0 A.SH. --- "C:\My Backup -- 18-08-07 1158\WINDOWS\Temp\72vxr6pa.TMP"

Thu 15 Dec 2005 0 A.SH. --- "C:\My Backup -- 18-08-07 1158\WINDOWS\Temp\ol5u7723.TMP"

Mon 29 Aug 2005 4,348 A.SH. --- "C:\My Backup -- 25-09-05 2242\Documents and Settings\All Users\DRM\DRMv1.bak"

Tue 27 Sep 2005 4,348 A.SH. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\All Users\DRM\DRMv1.bak"

Tue 4 Oct 2005 84,300,651 A..H. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\dn220.tmp"

Sat 7 Apr 2007 12 A..H. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\~temp01083590330.tmp"

Sun 30 Sep 2007 4,181 A.SH. --- "C:\Documents and Settings\Owner\Application Data\Roxio\Dragon\DiscInfoCache\LITE-ON__DVDRW_SOHW-1633S_BGS4_300_DICV018_DRGV20100BC.TMP"

Mon 29 Aug 2005 4,348 ...H. --- "C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"

Thu 1 Sep 2005 20 A..H. --- "C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"

Mon 22 Aug 2005 400 A.SH. --- "C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Sat 10 Feb 2007 187 A..H. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Free Download Manager\tic128D.tmp"

Wed 17 Jan 2007 950 A..H. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Free Download Manager\tic6CB.tmp"

Wed 17 Jan 2007 477 A..H. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Free Download Manager\tic6DA.tmp"

Mon 22 Jan 2007 223 A..H. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Local Settings\Temp\Free Download Manager\ticA.tmp"

Tue 27 Sep 2005 4,348 ...H. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"

Tue 27 Sep 2005 20 A..H. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"

Tue 27 Sep 2005 400 A.SH. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Thu 22 Sep 2005 5,225 A.SH. --- "C:\My Backup -- 25-09-05 2242\Documents and Settings\Owner\Application Data\Roxio\Dragon\DiscInfoCache\LITE-ON__DVDRW_SOHW-1633S_BGS4_300_DICV018_DRGV20100BC.TMP"

Tue 27 Sep 2005 1,640 A.SH. --- "C:\My Backup -- 27-09-05 1202\Documents and Settings\Owner\Application Data\Roxio\Dragon\DiscInfoCache\LITE-ON__DVDRW_SOHW-1633S_BGS4_300_DICV018_DRGV20100BC.TMP"

Mon 28 May 2007 2,130 A.SH. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVD-ROM_GDR8163B_0W20_310_DICV018_DRGV20100BC.TMP"

Fri 8 Jun 2007 4,109 A.SH. --- "C:\My Backup -- 18-08-07 1158\Documents and Settings\Owner\Application Data\Roxio\Dragon\DiscInfoCache\LITE-ON__DVDRW_SOHW-1633S_BGS4_300_DICV018_DRGV20100BC.TMP"

 

Finished!

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:28:45 PM, on 4/13/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Napster\napster.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\xexifwdu.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Owner\Desktop\spyware removal kit\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.facebook.com/

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [iS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [5cca4689] rundll32.exe "C:\WINDOWS\system32\cggfvqsg.dll",b

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [oeaeyqar] C:\WINDOWS\system32\xexifwdu.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 9462 bytes

 

 

Works much better so far.... I bet there's still some bugs in there.. thank you
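When a before/after pair of HijackThis logs is posted like the two above, the quickest triage is to diff the autostart entries by key name rather than by file path. Below is an added example of such a diff (not a tool used in this thread); the sample lines are a constructed subset copied from the two posted logs, and the point it surfaces is the Run value 5cca4689, which survived SDFix but now loads cggfvqsg.dll instead of gxujcxih.dll, the pattern of a component that re-creates itself under a fresh random name.

```python
"""Diff two HijackThis logs (before/after a fix) by autostart entry.

Added example for this thread, not something the posters ran.  Entries are keyed
by where they live (Run value name, toolbar name, SSODL name), so a loader that
keeps its registry name but swaps in a newly named DLL shows up as "retargeted"
instead of hiding as one removal plus one unrelated addition.
"""
import re

# "O4 - HKLM\..\Run: [name] command"  /  "O4 - HKLM\..\Policies\Explorer\Run: [name] command"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# "O3 - Toolbar: name - {CLSID} - path"  /  "O21 - SSODL: name - {CLSID} - path"
CLSID_RE = re.compile(
    r"^(?P<type>O3|O21) - (?P<kind>Toolbar|SSODL): (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
# First drive-letter path ending in exe/dll/sys; tolerates spaces and quotes.
TARGET_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys)", re.IGNORECASE)

# Constructed sample: a subset of the lines from the two logs posted in the thread.
BEFORE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: vnbptxlf - {273127BD-6681-45C8-A0FB-205BE4AEFBF8} - C:\WINDOWS\vnbptxlf.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [5cca4689] rundll32.exe "C:\WINDOWS\system32\gxujcxih.dll",b
O4 - HKCU\..\Run: [oeaeyqar] C:\WINDOWS\system32\xexifwdu.exe
O4 - HKLM\..\Policies\Explorer\Run: [hFo82DNMwU] C:\Documents and Settings\All Users\Application Data\dwfqryxa\fclmrsvk.exe
O21 - SSODL: qdnkewfa - {F20BBC30-EFB0-4D96-85C3-49EB2E89E336} - C:\WINDOWS\qdnkewfa.dll
"""
AFTER_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [5cca4689] rundll32.exe "C:\WINDOWS\system32\cggfvqsg.dll",b
O4 - HKCU\..\Run: [oeaeyqar] C:\WINDOWS\system32\xexifwdu.exe
"""


def extract_target(command: str) -> str:
    """Lower-cased file the command really loads.

    For 'rundll32.exe "C:\\...\\x.dll",b' that is the DLL, not rundll32, so the
    first drive-letter path wins; a bare name like 'ShowWnd.exe' is kept as is.
    """
    m = TARGET_RE.search(command)
    return (m.group(0) if m else command.strip().strip('"')).lower()


def parse_log(text: str) -> dict:
    """Map (section, location, name) -> target path for O3/O4/O21 lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries[("O4", f"{m['hive']}\\{m['key']}", m["name"])] = extract_target(m["cmd"])
            continue
        m = CLSID_RE.match(line)
        if m:
            entries[(m["type"], m["kind"], m["name"])] = extract_target(m["path"])
    return entries


def diff_logs(before_text: str, after_text: str) -> dict:
    """Classify entries as removed, added, persisted (same target) or retargeted."""
    before, after = parse_log(before_text), parse_log(after_text)
    result = {"removed": sorted(k for k in before if k not in after),
              "added": sorted(k for k in after if k not in before),
              "persisted": [], "retargeted": []}
    for key in sorted(before.keys() & after.keys()):
        if before[key] == after[key]:
            result["persisted"].append(key)
        else:
            # Same registry/toolbar name, different file: still active, renamed.
            result["retargeted"].append((key, before[key], after[key]))
    return result


if __name__ == "__main__":
    report = diff_logs(BEFORE_LOG, AFTER_LOG)
    for label in ("removed", "added", "persisted"):
        for key in report[label]:
            print(f"{label:10} {key[0]} {key[1]} [{key[2]}]")
    for key, old, new in report["retargeted"]:
        print(f"RETARGETED {key[0]} {key[1]} [{key[2]}]: {old} -> {new}")
```

Persisted entries are not automatically clean (xexifwdu.exe survives here too); the diff just tells the helper where to look next.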


Hello again. :)

 

On a somewhat amusing note.... one of the symptoms that I hadn't noticed until this morning before I got your reply was random rap music would play..... by rap music I mean a single 30 second clip of one really bad rap song would loop very loudly... I laughed out loud really hard at that...

lmao I guess that's the way they market rap ... No other way to get people to listen to it :)

 

There's still a lot of stuff to get rid of.

 

Please follow the instructions for running ComboFix here and post back with the log.


ComboFix 08-04-13.3 - Owner 2008-04-14 14:36:05.5 - NTFSx86

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Owner\Desktop\blackbird.jpg

C:\Documents and Settings\Owner\Desktop\EditorFKWP1.5.exe

C:\Documents and Settings\Owner\Desktop\EditorFKWP2.0.exe

C:\Documents and Settings\Owner\Desktop\filemanagerclient.exe

C:\Documents and Settings\Owner\Desktop\fkwp1.5.exe

C:\Documents and Settings\Owner\Desktop\fkwp2.0.exe

C:\Documents and Settings\Owner\Desktop\fwebd.exe

C:\Documents and Settings\Owner\Desktop\FWebdEditor.exe

C:\Documents and Settings\Owner\Desktop\Trojan.Win32.BlackBird.exe

C:\Documents and Settings\Owner\Desktop\virii

C:\kmd.exe

C:\Program Files\Inet Delivery

C:\Program Files\Inet Delivery\inetdl.exe

C:\Program Files\Inet Delivery\intdel.exe

C:\WINDOWS\a.bat

C:\WINDOWS\base64.tmp

C:\WINDOWS\bdn.com

C:\WINDOWS\cookies.ini

C:\WINDOWS\FVProtect.exe

C:\WINDOWS\mslagent

C:\WINDOWS\mslagent\2_mslagent.dll

C:\WINDOWS\mslagent\mslagent.exe

C:\WINDOWS\mslagent\uninstall.exe

C:\WINDOWS\mssecu.exe

C:\WINDOWS\system32\cggfvqsg.dll

C:\WINDOWS\system32\gsqvfggc.ini

C:\WINDOWS\system32\jkkLBsQK.dll

C:\WINDOWS\system32\KQsBLkkj.ini

C:\WINDOWS\system32\KQsBLkkj.ini2

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\rqRIaYoN.dll

C:\WINDOWS\system32\akttzn.exe

C:\WINDOWS\system32\anticipator.dll

C:\WINDOWS\system32\awtoolb.dll

C:\WINDOWS\system32\bdn.com

C:\WINDOWS\system32\bsva-egihsg52.exe

C:\WINDOWS\system32\dpcproxy.exe

C:\WINDOWS\system32\emesx.dll

C:\WINDOWS\[email protected]@@k.dll

C:\WINDOWS\system32\hoproxy.dll

C:\WINDOWS\system32\hxiwlgpm.dat

C:\WINDOWS\system32\hxiwlgpm.exe

C:\WINDOWS\system32\medup012.dll

C:\WINDOWS\system32\medup020.dll

C:\WINDOWS\system32\msgp.exe

C:\WINDOWS\system32\msnbho.dll

C:\WINDOWS\system32\mssecu.exe

C:\WINDOWS\system32\msvchost.exe

C:\WINDOWS\system32\mtr2.exe

C:\WINDOWS\system32\mwin32.exe

C:\WINDOWS\system32\netode.exe

C:\WINDOWS\system32\newsd32.exe

C:\WINDOWS\system32\ps1.exe

C:\WINDOWS\system32\psof1.exe

C:\WINDOWS\system32\psoft1.exe

C:\WINDOWS\system32\regc64.dll

C:\WINDOWS\system32\regm64.dll

C:\WINDOWS\system32\Rundl1.exe

C:\WINDOWS\system32\smp

C:\WINDOWS\system32\smp\msrc.exe

C:\WINDOWS\system32\sncntr.exe

C:\WINDOWS\system32\ssurf022.dll

C:\WINDOWS\system32\ssvchost.com

C:\WINDOWS\system32\ssvchost.exe

C:\WINDOWS\system32\sysreq.exe

C:\WINDOWS\system32\taack.dat

C:\WINDOWS\system32\taack.exe

C:\WINDOWS\system32\temp#01.exe

C:\WINDOWS\system32\thun.dll

C:\WINDOWS\system32\thun32.dll

C:\WINDOWS\system32\VBIEWER.OCX

C:\WINDOWS\system32\vbsys2.dll

C:\WINDOWS\system32\vcatchpi.dll

C:\WINDOWS\system32\winlogonpc.exe

C:\WINDOWS\system32\winsystem.exe

C:\WINDOWS\system32\WINWGPX.EXE

C:\WINDOWS\userconfig9x.dll

C:\WINDOWS\winsystem.exe

C:\WINDOWS\zip1.tmp

C:\WINDOWS\zip2.tmp

C:\WINDOWS\zip3.tmp

C:\WINDOWS\zipped.tmp

 

.

((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))

.

 

2008-04-13 22:34 . 2008-04-13 22:34 <DIR> d-------- C:\WINDOWS\ERUNT

2008-04-13 22:29 . 2008-04-14 14:14 <DIR> d-------- C:\SDFix

2008-04-13 22:23 . 2008-04-13 22:23 3,648 --a------ C:\WINDOWS\system32\evtxvppv.dll

2008-04-11 10:43 . 2008-04-13 22:22 1,582 ---hs---- C:\WINDOWS\system32\xslacscm.ini

2008-04-11 10:40 . 2008-04-11 10:40 3,648 --a------ C:\WINDOWS\system32\ksspabma.dll

2008-04-10 11:31 . 2008-04-10 11:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons

2008-04-10 10:51 . 2008-04-11 09:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-04-10 10:51 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-04-10 10:51 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-04-10 10:51 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-04-10 10:51 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-04-10 10:50 . 2008-04-11 09:44 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-04-10 10:50 . 2008-04-10 10:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools

2008-04-10 10:38 . 2008-04-10 10:38 3,648 --a------ C:\WINDOWS\system32\cxsthcue.dll

2008-04-10 10:38 . 2008-04-11 10:38 1,402 --ahs---- C:\WINDOWS\system32\hixcjuxg.ini

2008-04-10 10:29 . 2008-04-10 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dwfqryxa

2008-04-10 10:29 . 2008-04-10 10:29 98,304 --a------ C:\WINDOWS\system32\xexifwdu.exe

2008-03-24 09:01 . 2008-03-24 09:01 <DIR> d-------- C:\Program Files\iPod

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-14 19:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-04-08 04:06 --------- d-----w C:\Program Files\Magic Workstation

2008-03-24 14:01 --------- d-----w C:\Program Files\iTunes

2008-03-24 13:59 --------- d-----w C:\Program Files\QuickTime

2008-03-07 18:00 148 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat

2008-03-07 16:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Template

2008-02-22 00:19 --------- d-----w C:\Program Files\MSECache

2008-02-21 20:24 --------- d-----w C:\Program Files\Common Files\Adobe

2008-02-21 20:22 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-16 05:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ventrilo

2008-02-16 05:40 --------- d-----w C:\Program Files\Ventrilo

2008-02-16 05:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-02-14 04:41 --------- d-----w C:\Program Files\Guild Wars

2008-02-14 03:32 --------- d-----w C:\Program Files\Java

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 10:55 68856]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

"oeaeyqar"="C:\WINDOWS\system32\xexifwdu.exe" [2008-04-10 10:29 98304]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 13:04 59392]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04 135168]

"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 16:42 79448]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]

"ShowWnd"="ShowWnd.exe" [2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 19:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [2003-11-10 20:23 369664]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-01 14:00 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-01 13:55 126976]

"SoundMan"="SOUNDMAN.EXE" [2004-10-21 17:20 77824 C:\WINDOWS\SOUNDMAN.EXE]

"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 20:44 2744832 C:\WINDOWS\ALCWZRD.EXE]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]

"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-12 21:28 431752]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 02:11 771704]

"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-06-30 11:49 99480]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]

"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-01-12 19:36 323216]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIaYoN]

rqRIaYoN.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\iTunes\\iTunes.exe"=

 

R3 MAC607;MAC607 Filter;C:\WINDOWS\system32\DRIVERS\MAC607.sys [2007-06-25 01:35]

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2008-04-03 21:57:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-14 17:05:12

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\ehome\ehRecvr.exe

C:\WINDOWS\ehome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\ehome\ehmsas.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-04-14 17:11:36 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-14 22:11:31

ComboFix2.txt 2008-02-11 23:38:00

ComboFix3.txt 2008-02-11 20:09:50

 

Pre-Run: 155,156,979,712 bytes free

Post-Run: 155,760,906,240 bytes free

.

2008-04-14 08:08:32 --- E O F ---

 

So... whatcha got for me, man?


Please open Notepad and copy/paste the text in the quote box into it.

 

File::

C:\WINDOWS\system32\evtxvppv.dll

C:\WINDOWS\system32\xslacscm.ini

C:\WINDOWS\system32\ksspabma.dll

C:\WINDOWS\system32\cxsthcue.dll

C:\WINDOWS\system32\hixcjuxg.ini

C:\WINDOWS\system32\xexifwdu.exe

 

Folder::

C:\Documents and Settings\All Users\Application Data\dwfqryxa

 

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"oeaeyqar"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIaYoN]

 

Save it as CFScript.txt on your desktop.

 

CFScript.gif

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe

 

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. :)

 

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


ComboFix 08-04-13.3 - Owner 2008-04-15 10:22:30.6 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.178 [GMT -5:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

C:\WINDOWS\system32\cxsthcue.dll

C:\WINDOWS\system32\evtxvppv.dll

C:\WINDOWS\system32\hixcjuxg.ini

C:\WINDOWS\system32\ksspabma.dll

C:\WINDOWS\system32\xexifwdu.exe

C:\WINDOWS\system32\xslacscm.ini

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Application Data\dwfqryxa

C:\Documents and Settings\All Users\Application Data\dwfqryxa\fclmrsvk.exe

C:\WINDOWS\system32\cxsthcue.dll

C:\WINDOWS\system32\evtxvppv.dll

C:\WINDOWS\system32\hixcjuxg.ini

C:\WINDOWS\system32\ksspabma.dll

C:\WINDOWS\system32\xexifwdu.exe

C:\WINDOWS\system32\xslacscm.ini

 

.

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))

.

 

2008-04-13 22:34 . 2008-04-13 22:34 <DIR> d-------- C:\WINDOWS\ERUNT

2008-04-13 22:29 . 2008-04-14 14:14 <DIR> d-------- C:\SDFix

2008-04-10 11:31 . 2008-04-10 11:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons

2008-04-10 10:51 . 2008-04-11 09:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-04-10 10:51 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-04-10 10:51 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-04-10 10:51 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-04-10 10:51 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-04-10 10:50 . 2008-04-11 09:44 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-04-10 10:50 . 2008-04-10 10:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools

2008-03-24 09:01 . 2008-03-24 09:01 <DIR> d-------- C:\Program Files\iPod

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-14 19:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-04-11 01:31 4,776 ----a-w C:\WINDOWS\system32\tmp.reg

2008-04-08 04:06 --------- d-----w C:\Program Files\Magic Workstation

2008-03-24 14:01 --------- d-----w C:\Program Files\iTunes

2008-03-24 13:59 --------- d-----w C:\Program Files\QuickTime

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-07 18:00 148 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat

2008-03-07 16:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Template

2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-22 00:19 --------- d-----w C:\Program Files\MSECache

2008-02-21 20:24 --------- d-----w C:\Program Files\Common Files\Adobe

2008-02-21 20:22 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-16 05:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ventrilo

2008-02-16 05:40 --------- d-----w C:\Program Files\Ventrilo

2008-02-16 05:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 10:55 68856]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 13:04 59392]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04 135168]

"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 16:42 79448]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]

"ShowWnd"="ShowWnd.exe" [2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 19:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [2003-11-10 20:23 369664]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-01 14:00 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-01 13:55 126976]

"SoundMan"="SOUNDMAN.EXE" [2004-10-21 17:20 77824 C:\WINDOWS\SOUNDMAN.EXE]

"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 20:44 2744832 C:\WINDOWS\ALCWZRD.EXE]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]

"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-12 21:28 431752]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 02:11 771704]

"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-06-30 11:49 99480]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]

"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-01-12 19:36 323216]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\iTunes\\iTunes.exe"=

 

R3 MAC607;MAC607 Filter;C:\WINDOWS\system32\DRIVERS\MAC607.sys [2007-06-25 01:35]

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2008-04-03 21:57:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-15 10:25:30

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-04-15 10:29:58

ComboFix-quarantined-files.txt 2008-04-15 15:29:54

ComboFix2.txt 2008-04-14 22:11:37

ComboFix3.txt 2008-02-11 23:38:00

ComboFix4.txt 2008-02-11 20:09:50

 

Pre-Run: 155,759,976,448 bytes free

Post-Run: 155,742,248,960 bytes free

.

2008-04-14 08:08:32 --- E O F ---


How is the system running at this point? :D

 

Let's run a scanner just in case. (We'll clean up all of the apps used thus far from the system when finished.)

 

Please download Malwarebytes' Anti-Malware and save it to your desktop.

alternate download link 1

alternate download link 2

  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply along with a fresh HijackThis log.

Extra note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Malwarebytes' Anti-Malware 1.11

Database version: 633

 

Scan type: Quick Scan

Objects scanned: 32729

Time elapsed: 5 minute(s), 30 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 9

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataDisp32 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)


You forgot to post a fresh HijackThis log, and you also forgot to let me know how the system is running at this point. Having any troubles? :D


Sorry about that... I skimmed through the directions a bit too fast... No problems anymore to my knowledge. It seems to be running great.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:15:42 PM, on 4/15/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Napster\napster.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Owner\Desktop\spyware removal kit\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.facebook.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [iS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 10374 bytes


Looks fine to me. :unsure:

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older-version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. They should have the Java icon next to them.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.

Now to clean out the Java cache:

 

Go into the Control Panel and double-click the Java Icon.

  • Under Temporary Internet Files, click the Settings button.
  • Then click Delete Files...
  • There are two options in the window to clear the cache - Leave BOTH checked

    Applications and Applets
    Trace and Log Files

  • Click OK on Delete Temporary Files window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

--------

 

Click Start -> Run and type in:

 

ComboFix /u

 

Click on OK. When shown the disclaimer, select 2.

 

Please download OTCleanIt and save it to desktop.

  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select YES.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

 

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

 

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

 

Here are some tips for the future to prevent spyware:

 

Prevention Programs:

  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed. Detailed installation guide provided.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

Other necessary Programs:

  • Antivirus Program <= An antivirus program is a must! Whether it is a free version like Avast! or Anti-Vir, or a shareware version like NOD32, this is a must-have. (Note: use only one at a time.)
  • Firewall <= A firewall is definitely a must-have. Two good free versions are Comodo and Online Armor. (Note: use only one at a time.)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.

And also see TonyKlein's good advice:

So how did I get infected in the first place?

 

Setup guide for Comodo Firewall

Setup guide for Avast! 4 Free

Setup guide for AVG Free Antivirus
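As an added example (not from the post above or from any tool it names), here is a small Python check that pulls every JRE install folder out of HijackThis O4/O9 lines and flags versions older than the 6 Update 5 build the helper recommends. The sample log lines are constructed for this example; only the jre1.6.0_03 O9 entry mirrors the log in this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# The thread's advice is to move to JRE 6 Update 5, whose folder is jre1.6.0_05.
RECOMMENDED: Tuple[int, int, int, int] = (1, 6, 0, 5)

# JRE install folders show up in HijackThis paths as "jre1.6.0_03" (Java 5/6)
# or "j2re1.4.2_05" (the older J2SE naming the helper mentions).
JRE_PATH_RE = re.compile(r"[\\/]j2?re(\d+)\.(\d+)\.(\d+)_(\d+)[\\/]", re.IGNORECASE)

# Constructed sample lines in HijackThis format (made up for this example,
# apart from the jre1.6.0_03 O9 line, which matches the log in the thread).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [jusched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""


def parse_jre_version(line: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch, update) for a JRE path in the line, else None."""
    m = JRE_PATH_RE.search(line)
    return tuple(int(g) for g in m.groups()) if m else None


def fmt_version(v: Tuple[int, ...]) -> str:
    """Render a version tuple the way the install folder names it, e.g. 1.6.0_03."""
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


def find_outdated_jre(log_text: str, recommended=RECOMMENDED) -> Dict[str, List[str]]:
    """Map each JRE version older than `recommended` to the log lines referencing it."""
    seen: Dict[Tuple[int, ...], List[str]] = {}
    for line in log_text.splitlines():
        v = parse_jre_version(line)
        if v is not None:
            seen.setdefault(v, []).append(line.strip())
    # Tuple comparison orders versions correctly: (1, 6, 0, 3) < (1, 6, 0, 5).
    return {fmt_version(v): refs for v, refs in sorted(seen.items()) if v < recommended}


if __name__ == "__main__":
    for version, refs in find_outdated_jre(SAMPLE_LOG).items():
        print(f"outdated JRE {version} referenced by {len(refs)} log line(s)")
```

Run it against a full saved HijackThis log to list every leftover JRE folder that still needs to go through Add/Remove Programs before the new installer is run.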
