Jump to content

janflora

Members
  • Posts

    6
  • Joined

  • Last visited

Everything posted by janflora

  1. OK hope this is right...pretty sure Sandboxie is off...thanks! janflora_rootrepeal.txt ROOTREPEAL © AD, 2007-2008 ================================================== Scan Time: 2009/02/03 00:41 Program Version: Version 1.2.3.0 Windows Version: Windows XP Media Center Edition SP3 ================================================== Drivers ------------------- Name: dump_iastor.sys Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys Address: 0xA10FA000 Size: 872448 File Visible: No Status: - Name: PCI_PNP6678 Image Path: \Driver\PCI_PNP6678 Address: 0x00000000 Size: 0 File Visible: No Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xF76B2000 Size: 45056 File Visible: No Status: - Name: spei.sys Image Path: spei.sys Address: 0xF7411000 Size: 1048576 File Visible: No Status: - Name: sptd Image Path: \Driver\sptd Address: 0x00000000 Size: 0 File Visible: No Status: - Hidden/Locked Files ------------------- Path: C:\Documents and Settings\janet\Local Settings\Temp\etilqs_5Lie2wTJvX82xWj21Yhq Status: Allocation size mismatch (API: 65536, Raw: 0) Path: C:\WINDOWS\system32\wbem\Logs\wbemcore.log Status: Size mismatch (API: 65039, Raw: 64947) Path: C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Log\log_20.trc Status: Allocation size mismatch (API: 4096, Raw: 0) Path: C:\Documents and Settings\ian\Local Settings\Apps\2.0\2Y5PQEEZ.0RA\1OAT52G6.V7T\manifests\WindowsApplication1.exe.cdf-ms Status: Locked to the Windows API! Path: C:\Documents and Settings\ian\Local Settings\Apps\2.0\2Y5PQEEZ.0RA\1OAT52G6.V7T\manifests\WindowsApplication1.exe.manifest Status: Locked to the Windows API! SSDT ------------------- #: 041 Function Name: NtCreateKey Status: Hooked by "spei.sys" at address 0xf74120e0 #: 053 Function Name: NtCreateThread Status: Hooked by "<unknown>" at address 0xf7d615d4 #: 071 Function Name: NtEnumerateKey Status: Hooked by "spei.sys" at address 0xf7430ca2 #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "spei.sys" at address 0xf7431030 #: 119 Function Name: NtOpenKey Status: Hooked by "spei.sys" at address 0xf74120c0 #: 122 Function Name: NtOpenProcess Status: Hooked by "<unknown>" at address 0xf7d615c0 #: 128 Function Name: NtOpenThread Status: Hooked by "<unknown>" at address 0xf7d615c5 #: 160 Function Name: NtQueryKey Status: Hooked by "spei.sys" at address 0xf7431108 #: 177 Function Name: NtQueryValueKey Status: Hooked by "spei.sys" at address 0xf7430f88 #: 247 Function Name: NtSetValueKey Status: Hooked by "spei.sys" at address 0xf743119a #: 257 Function Name: NtTerminateProcess Status: Hooked by "<unknown>" at address 0xf7d615cf #: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "<unknown>" at address 0xf7d615ca Stealth Objects ------------------- Object: Hidden Module [Name: UIX.dll] Process: Zune.exe (PID: 2296) Address: 0x01060000 Size: 1683456 Object: Hidden Module [Name: UIX.renderapi.dll] Process: Zune.exe (PID: 2296) Address: 0x00f10000 Size: 692224 Object: Hidden Module [Name: ZuneShell.dll] Process: Zune.exe (PID: 2296) Address: 0x00e10000 Size: 987136 Object: Hidden Module [Name: ZuneDBApi.dll] Process: Zune.exe (PID: 2296) Address: 0x00fc0000 Size: 647168 Object: Hidden Module [Name: UIXcontrols.dll] Process: Zune.exe (PID: 2296) Address: 0x034d0000 Size: 2699264 Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_READ] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_POWER] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_PNP] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_CREATE] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_CLOSE] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_POWER] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_PNP] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_CREATE] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_CLOSE] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_READ] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_SHUTDOWN] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_CLEANUP] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_PNP] Process: System Address: 0x8602a1f8 Size: -
  2. Thanks again... here are the most recent logs...it sounds good [?] Malwarebytes' Anti-Malware 1.33 Database version: 1714 Windows 5.1.2600 Service Pack 3 2/1/2009 7:35:30 PM mbam-log-2009-02-01 (19-35-30).txt Scan type: Quick Scan Objects scanned: 60653 Time elapsed: 5 minute(s), 11 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:37:55 PM, on 2/1/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\Explorer.EXE c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546 O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 4097 bytes
  3. First of all...You guys rock...i am so glad someone understands this language! And I appreciate the help...I probably could have used it many times before! I do have some ?s- My son actually put Sandbox and BitTorrent on...I do not really use them, [or understand them] but I did tell him I thought there could be problems from the sharing thing [he plays a lot of games with other players, idk...] Is this our biggest problem? How can he play w/out file-sharing? I would appreciate an expert opinion b/c he's about to get cut off the comp Anyhoo...I did follow all steps to the best of my ability but one Java file would not delete ["cannot delete jusched.exe Access denied"] and one line I could not find at the final cleanout on HJT ["C;/Windows/Sys32/vtUkighh.dll].... but the records look good now Malwarebytes' Anti-Malware 1.33 Database version: 1711 Windows 5.1.2600 Service Pack 3 1/31/2009 12:42:02 AM mbam-log-2009-01-31 (00-42-02).txt Scan type: Quick Scan Objects scanned: 63708 Time elapsed: 5 minute(s), 5 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:44:10 AM, on 1/31/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll O2 - BHO: (no name) - {8632ABCA-B104-4FBC-9C70-419C4147061B} - (no file) O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - (no file) O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe" O4 - HKCU\..\Run: [Azeroth Advisor Uploader] C:\Program Files\Azeroth Advisor Uploader\AzerothAdvisor.exe SILENT O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546 O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 5094 bytes One more question? How can I get Internet Explorer off? It has been messed up for a few months and I just started using Foxfire [which my son had on here already] but I cannot Add/Remove the IE program...is this advisable? I did finally get it off the default setting...sorry to be too much bother...i'm clueless Thank you again!
  4. Thank you....sorry it took me awhile to get back...we tried restarting last night [w/ old version] and added Avira too...now I did it w/ the new MWB....here are the logs...thank you! Malwarebytes' Anti-Malware 1.33 Database version: 1707 Windows 5.1.2600 Service Pack 3 1/29/2009 8:24:28 PM mbam-log-2009-01-29 (20-24-28).txt Scan type: Quick Scan Objects scanned: 60869 Time elapsed: 4 minute(s), 54 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 6 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 11 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\3J4FWLIH\CAC9GXSR (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\3J4FWLIH\CAD3V1C4 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\3J4FWLIH\CAH42XD7 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\CAAFMLMX (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\CAEZOXU7 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\CAO5U51E (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CA270L2Z (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CA87694B (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CAEBS52F (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CAIV45QF (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CAT46PX3 (Trojan.Vundo) -> Quarantined and deleted successfully. and HIJACK: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:27:31 PM, on 1/29/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\DNA\btdna.exe C:\Program Files\Sandboxie\SbieCtrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {8632ABCA-B104-4FBC-9C70-419C4147061B} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {E31DDF3A-5E5D-476C-A9D5-47A1C85EDF37} - C:\WINDOWS\system32\vtUkighh.dll (file missing) O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - (no file) O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (file missing) O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe" O4 - HKCU\..\Run: [Azeroth Advisor Uploader] C:\Program Files\Azeroth Advisor Uploader\AzerothAdvisor.exe SILENT O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.amaena.com O15 - Trusted Zone: *.antimalwareguard.com O15 - Trusted Zone: *.antispyexpert.com O15 - Trusted Zone: *.avsystemcare.com O15 - Trusted Zone: *.gomyhit.com O15 - Trusted Zone: *.imageservr.com O15 - Trusted Zone: *.imagesrvr.com O15 - Trusted Zone: *.onerateld.com O15 - Trusted Zone: *.safetydownload.com O15 - Trusted Zone: *.spyguardpro.com O15 - Trusted Zone: *.storageguardsoft.com O15 - Trusted Zone: *.trustedantivirus.com O15 - Trusted Zone: *.virusremover2008.com O15 - Trusted Zone: *.virusschlacht.com O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546 O20 - AppInit_DLLs: jkdjhw.dll,gxgcdd.dll O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 6439 bytes The comp is already faster! maybe its good now?...fingers crossed...
  5. somehow "I would appreciate any advice or wisdom" got half deleted... i am anxiously awaiting a response...anyone?
  6. I had some silly promo pop up which panicked me to do a virus scan. My son had put AVG Virus prog on here but apparently its disabled or missing [says no components now] So I immediately ran Malwarebytes and had 23 files infected!! I chose remove all then noticed the sys32 files which is bad right? I am anxious [scared!] about rebooting to delete some of these files...but also concerned about the Trojans of course...We just had comp serviced last week and I cannot lose any more worktime! help! here is mwb log: Malwarebytes' Anti-Malware 1.23 Database version: 985 Windows 5.1.2600 Service Pack 3 2:27:21 PM 1/28/2009 mbam-log-1-28-2009 (14-27-21).txt Scan type: Quick Scan Objects scanned: 44278 Time elapsed: 17 minute(s), 31 second(s) Memory Processes Infected: 0 Memory Modules Infected: 4 Registry Keys Infected: 10 Registry Values Infected: 2 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 11 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\vtUkighh.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\xhcjofni.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\jkdjhw.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\geBrppqo.dll (Trojan.Vundo) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d92af15-a7c1-4cbd-9eec-bee8163a5343} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{1d92af15-a7c1-4cbd-9eec-bee8163a5343} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e31ddf3a-5e5d-476c-a9d5-47a1c85edf37} (Trojan.Vundo) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{e31ddf3a-5e5d-476c-a9d5-47a1c85edf37} (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebrppqo (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28ef570b (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtukighh -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtukighh -> Delete on reboot. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\jkdjhw.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\vtUkighh.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\hhgikUtv.ini (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\hhgikUtv.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\xhcjofni.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\infojchx.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\geBrppqo.dll (Trojan.BHO) -> Delete on reboot. C:\WINDOWS\system32\vciuswyj.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WT85QZM5\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\fccbYpQH.dll (Trojan.Vundo) -> Quarantined and deleted successfully. and Hijack this log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:37:07 PM, on 1/28/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\Program Files\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\WINDOWS\ehome\mcrdsvc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe C:\Program Files\DNA\btdna.exe C:\Program Files\Sandboxie\SbieCtrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\WINDOWS\hh.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: {6efa1882-7936-73fb-c9b4-17ef3bb202d4} - {4d202bb3-fe71-4b9c-bf37-63972881afe6} - C:\WINDOWS\system32\gxgcdd.dll O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBrppqo.dll O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - C:\WINDOWS\system32\ejdbampp.dll O2 - BHO: (no name) - {8632ABCA-B104-4FBC-9C70-419C4147061B} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: (no name) - {E31DDF3A-5E5D-476C-A9D5-47A1C85EDF37} - C:\WINDOWS\system32\vtUkighh.dll (file missing) O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - (no file) O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (file missing) O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe" O4 - HKCU\..\Run: [Azeroth Advisor Uploader] C:\Program Files\Azeroth Advisor Uploader\AzerothAdvisor.exe SILENT O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.amaena.com O15 - Trusted Zone: *.antimalwareguard.com O15 - Trusted Zone: *.antispyexpert.com O15 - Trusted Zone: *.avsystemcare.com O15 - Trusted Zone: *.gomyhit.com O15 - Trusted Zone: *.imageservr.com O15 - Trusted Zone: *.imagesrvr.com O15 - Trusted Zone: *.onerateld.com O15 - Trusted Zone: *.safetydownload.com O15 - Trusted Zone: *.spyguardpro.com O15 - Trusted Zone: *.storageguardsoft.com O15 - Trusted Zone: *.trustedantivirus.com O15 - Trusted Zone: *.virusremover2008.com O15 - Trusted Zone: *.virusschlacht.com O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll jkdjhw.dll gxgcdd.dll O20 - Winlogon Notify: geBrppqo - C:\WINDOWS\SYSTEM32\geBrppqo.dll O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 7464 bytes I would app
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.