wboncyk
  1. I am also having the same problem, and seeing the same excessive memory use by the Malwarebytes Service. I will monitor this thread to see if you determine there is a "generic" fix applicable to all users of the Malwarebytes 3 product - if not, I'll start my own thread in a day or so.
  2. Well, it looks like I'm out of the woods. Kaspersky only found the stuff in Dr. Web's quarantine folder (which I forgot about when I was deleting quarantine stuff earlier), and the latest HJT log doesn't show anything that I'd consider suspicious. The computer is performing as it did when it was new -- I forgot how fast this thing could be. No suspicious activity at all. The logs are attached. Now I just have to keep the kids from going back to the sites that caused the problems in the first place. Thanks for your help!!

     --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7 REPORT
     Friday, February 13, 2009
     Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
     Kaspersky Online Scanner 7 version: 7.0.25.0
     Program database last update: Friday, February 13, 2009 04:40:38
     Records in database: 1790776
     --------------------------------------------------------------------------------

     Scan settings:
     Scan using the following database: extended
     Scan archives: yes
     Scan mail databases: yes

     Scan area - My Computer:
     A:\
     C:\
     D:\
     E:\

     Scan statistics:
     Files scanned: 50055
     Threat name: 3
     Infected objects: 6
     Suspicious objects: 0
     Duration of the scan: 01:09:07

     File name / Threat name / Threats count
     C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\ekf35.tmp Infected: not-a-virus:AdWare.Win32.Mirar.ao 1
     C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\index[2].htm Infected: Trojan-Downloader.JS.Plif.a 1
     C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\index[3].htm Infected: Trojan-Downloader.JS.Plif.a 1
     C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\llm37.tmp Infected: not-a-virus:AdWare.Win32.Mirar.ao 1
     C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\mac33.tmp Infected: not-a-virus:AdWare.Win32.Mirar.ao 1
     C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\TDSS57f9.RB0 Infected: Trojan.Win32.Patched.dw 1

     The selected area was scanned.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 9:45:03 PM, on 2/11/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16791)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
     C:\WINDOWS\system32\ICO.EXE
     C:\Program Files\Analog Devices\Core\smax4pnp.exe
     C:\WINDOWS\system32\Pelmiced.exe
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
     C:\Program Files\Messenger\MSMSGS.EXE
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Trend Micro\BM\TMBMSRV.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
     C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
     O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
     O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
     O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
     O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
     O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
     O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
     O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
     O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
     O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
     O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
     O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mark\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
     O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
     O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
     O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
     O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199560996968
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199561376885
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
     O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
     O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
     O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
     O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
     O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

     --
     End of file - 6879 bytes
  3. No overt signs of infection. I think that everything is now either gone, or has been passivated. Do you think I can call this one done?
  4. OK. Done as instructed. Here are the most recent Dr. Web and HijackThis logs. Dr. Web is interesting for all the stuff it found in the quarantine directory from Trend Micro. I used the "delete files" in Trend Micro to supposedly delete all of those, per your instruction, before running Dr. Web! Clearly, Dr. Web found a few more things also lurking on drive C: as well....

     ekf35.tmp/Mirar_V75_876980_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX.exe\NN_Bar75_876980.dll;C:\Documents and Settings\Mark\Local Settings\Temp\ekf35.tmp/Mirar_V75_876980_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX.exe;Adware.Mirarbar.40; ;
     Mirar_V75_876980_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX.exe;C:\Documents and Settings\Mark\Local Settings\Temp;Archive contains infected objects;;
     ekf35.tmp;C:\Documents and Settings\Mark\Local Settings\Temp;Archive contains infected objects;Moved.;
     llm37.tmp/Mirar_V75_876980_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX.exe\NN_Bar75_876980.dll;C:\Documents and Settings\Mark\Local Settings\Temp\llm37.tmp/Mirar_V75_876980_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX.exe;Adware.Mirarbar.40; ;
     Mirar_V75_876980_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX.exe;C:\Documents and Settings\Mark\Local Settings\Temp;Archive contains infected objects;;
     llm37.tmp;C:\Documents and Settings\Mark\Local Settings\Temp;Archive contains infected objects;Moved.;
     mac33.tmp/Mirar_V75_876980_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX.exe\NN_Bar75_876980.dll;C:\Documents and Settings\Mark\Local Settings\Temp\mac33.tmp/Mirar_V75_876980_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX.exe;Adware.Mirarbar.40; ;
     Mirar_V75_876980_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX.exe;C:\Documents and Settings\Mark\Local Settings\Temp;Archive contains infected objects;;
     mac33.tmp;C:\Documents and Settings\Mark\Local Settings\Temp;Archive contains infected objects;Moved.;
     4503[1].pdf\data001;C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\667EZE1H\4503[1].pdf;Exploit.PDF.55;;
     4503[1].pdf;C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\667EZE1H;Container contains infected objects;Moved.;
     index[2].htm\Script.2;C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\667EZE1H\index[2].htm;Exploit.ActiveX.9;;
     index[2].htm;C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\667EZE1H;Container contains infected objects;Moved.;
     index[3].htm\Script.2;C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\KZK11J53\index[3].htm;Exploit.ActiveX.9;;
     index[3].htm;C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\KZK11J53;Container contains infected objects;Moved.;
     TDSScfub.dll;C:\Program Files\Trend Micro\Internet Security\Quarantine;Trojan.Packed.365;Deleted.;
     TDSScfub_244.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;Trojan.Packed.365;Deleted.;
     TDSScfub_698.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;Trojan.Packed.365;Deleted.;
     TDSScfub_b9c.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;Trojan.Packed.365;Deleted.;
     TDSScfub_ea0.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;Trojan.Packed.365;Deleted.;
     TDSSmaxt.sys;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.29;Deleted.;
     TDSSmaxt_244.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.29;Deleted.;
     TDSSmaxt_698.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.29;Deleted.;
     TDSSmaxt_b9c.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.29;Deleted.;
     TDSSmaxt_ea0.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.29;Deleted.;
     TDSSnrsr.dll;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.22;Deleted.;
     TDSSnrsr_244.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.22;Deleted.;
     TDSSnrsr_698.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.22;Deleted.;
     TDSSnrsr_b9c.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.22;Deleted.;
     TDSSnrsr_ea0.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.22;Deleted.;
     TDSSoexh.dll;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.29;Deleted.;
     TDSSoexh_244.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.29;Deleted.;
     TDSSoexh_698.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.29;Deleted.;
     TDSSoexh_b9c.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.29;Deleted.;
     TDSSoexh_ea0.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.29;Deleted.;
     TDSSriqp.dll;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.21;Deleted.;
     TDSSriqp_244.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.21;Deleted.;
     TDSSriqp_698.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.21;Deleted.;
     TDSSriqp_b9c.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.21;Deleted.;
     TDSSriqp_ea0.VIR;C:\Program Files\Trend Micro\Internet Security\Quarantine;BackDoor.Tdss.21;Deleted.;
     TDSS57f9.RB0;C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup;Trojan.Starter.896;Incurable.Moved.;
     wb_setup.exe;C:\Program Files\WinAce;Trojan.Copyself.origin;Incurable.Moved.;
     A0000007.dll;C:\System Volume Information\_restore{4E466EEC-E4B9-4F71-B7D4-D51551CD6F9E}\RP1;Trojan.Packed.365;Deleted.;
     A0000008.sys;C:\System Volume Information\_restore{4E466EEC-E4B9-4F71-B7D4-D51551CD6F9E}\RP1;BackDoor.Tdss.29;Deleted.;
     A0000009.dll;C:\System Volume Information\_restore{4E466EEC-E4B9-4F71-B7D4-D51551CD6F9E}\RP1;BackDoor.Tdss.22;Deleted.;
     A0000010.dll;C:\System Volume Information\_restore{4E466EEC-E4B9-4F71-B7D4-D51551CD6F9E}\RP1;BackDoor.Tdss.29;Deleted.;
     A0000011.dll;C:\System Volume Information\_restore{4E466EEC-E4B9-4F71-B7D4-D51551CD6F9E}\RP1;BackDoor.Tdss.21;Deleted.;
     A0000012.exe;C:\System Volume Information\_restore{4E466EEC-E4B9-4F71-B7D4-D51551CD6F9E}\RP1;Trojan.Copyself.origin;Incurable.Moved.;
     630ET4Wb.exe;C:\WINDOWS\system32;Trojan.Inject.5333;Deleted.;

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 9:45:03 PM, on 2/11/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16791)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
     C:\WINDOWS\system32\ICO.EXE
     C:\Program Files\Analog Devices\Core\smax4pnp.exe
     C:\WINDOWS\system32\Pelmiced.exe
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
     C:\Program Files\Messenger\MSMSGS.EXE
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Trend Micro\BM\TMBMSRV.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
     C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
     O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
     O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
     O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
     O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
     O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
     O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
     O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
     O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
     O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
     O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
     O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mark\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
     O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
     O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
     O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
     O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199560996968
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199561376885
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
     O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
     O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
     O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
     O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
     O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

     --
     End of file - 6879 bytes
  5. OK, I did one other thing last night, when I re-enabled my Trend Micro Internet Security before shutting down the system for the night (Yes, the Trend Micro is able to work again, too). I set it up to do its own virus scan. The results of that scan are the first logfile that I'm posting below. Then, earlier this afternoon, I performed the procedure that you indicated. Those logs (the new MBAM and HJT) are posted immediately below the Trend Micro. So, based on this, have I cleared the problems? Thanks again for your help.

     Trend Micro:

     "Virus Scan Logs"
     "Feb 09, 2009"
     ""
     "Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
     "20:42" "Manual Scan" "File" "TROJ_CONHOOK.FT" "C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\KZK11J53\index[1]" "Quarantined Success" ""
     "21:07" "Manual Scan" "File" "Mal_Vundo11" "C:\Qoobox\Quarantine\C\WINDOWS\system32\diwajame.dll.vir" "Cleaned Fail" "Quarantined Success"
     "21:07" "Manual Scan" "File" "Mal_Vundo11" "C:\Qoobox\Quarantine\C\WINDOWS\system32\jifuharu.dll.vir" "Cleaned Fail" "Quarantined Success"
     "21:07" "Manual Scan" "File" "Mal_Vundo11" "C:\Qoobox\Quarantine\C\WINDOWS\system32\mokejudu.dll.vir" "Cleaned Fail" "Quarantined Success"
     "21:07" "Manual Scan" "File" "TROJ_DLOADER.ARW" "C:\Qoobox\Quarantine\C\WINDOWS\system32\mst120.dll.vir" "Quarantined Success" ""
     "21:07" "Manual Scan" "File" "Mal_Vundo11" "C:\Qoobox\Quarantine\C\WINDOWS\system32\nejopoyi.dll.vir" "Cleaned Fail" "Quarantined Success"
     "21:07" "Manual Scan" "File" "TROJ_CONHOOK.FT" "C:\Qoobox\Quarantine\C\WINDOWS\system32\ouaececb.dll.vir" "Quarantined Success" ""
     "21:07" "Manual Scan" "File" "Mal_Vundo11" "C:\Qoobox\Quarantine\C\WINDOWS\system32\rezalefe.dll.vir" "Cleaned Fail" "Quarantined Success"
     "21:07" "Manual Scan" "File" "TROJ_CONHOOK.FT" "C:\Qoobox\Quarantine\C\WINDOWS\system32\rjseay.dll.vir" "Quarantined Success" ""
     "21:07" "Manual Scan" "File" "Mal_Vundo11" "C:\Qoobox\Quarantine\C\WINDOWS\system32\sowesuno.dll.vir" "Cleaned Fail" "Quarantined Success"

     Malwarebytes' Anti-Malware 1.33
     Database version: 1744
     Windows 5.1.2600 Service Pack 3

     2/10/2009 4:03:10 PM
     mbam-log-2009-02-10 (16-03-10).txt

     Scan type: Quick Scan
     Objects scanned: 71227
     Time elapsed: 13 minute(s), 59 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 4:06:55 PM, on 2/10/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16762)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Trend Micro\BM\TMBMSRV.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
     C:\WINDOWS\system32\ICO.EXE
     C:\Program Files\Analog Devices\Core\smax4pnp.exe
     C:\WINDOWS\system32\Pelmiced.exe
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
     C:\Program Files\Messenger\MSMSGS.EXE
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
     O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
     O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
     O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
     O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
     O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
     O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
     O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
     O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
     O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
     O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
     O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mark\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
     O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
     O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
     O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
     O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199560996968
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199561376885
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
     O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
     O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
     O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
     O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
     O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

     --
     End of file - 6912 bytes
  6. SUCCESS! (At least in getting ComboFix, Hijack This and Malwarebytes' Anti-Malware, that is.) I had to diddle a little with the names of all three programs, and the first one that I got working was a renamed Anti-Malware. Then I was able to run ComboFix with no name changes, and not in safe mode. Finally I did a hijack this run and it ran successfully. Here are the logs. ComboFix.txt first, followed by the HijackThis log. Let me know if there's anything else I need to do. THANKS for the help thus far. These three tools used in combination are a great arsenal to bring to bear on the nasty that has infected this machine! ComboFix 09-02-08.02 - Wayne 2009-02-09 19:45:50.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.632 [GMT -7:00] Running from: c:\documents and settings\Wayne\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\bold.log c:\docume~1\Wayne\LOCALS~1\Temp\tmp1.tmp c:\docume~1\Wayne\LOCALS~1\Temp\tmp2.tmp c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\windows\system32\ahuhumoj.ini c:\windows\system32\azqryc.dll c:\windows\system32\binatoko.dll c:\windows\system32\bofigaro.dll c:\windows\system32\bwgokihm.ini c:\windows\system32\ckbjxt.dll c:\windows\system32\cwmghi.dll c:\windows\system32\diwajame.dll c:\windows\system32\dqaqym.dll c:\windows\system32\fybgup.dll c:\windows\system32\gohifodi.dll c:\windows\system32\husosaza.dll c:\windows\system32\huyajuni.dll c:\windows\system32\javinete.dll.tmp c:\windows\system32\jifuharu.dll c:\windows\system32\jukajeyi.dll c:\windows\system32\jzaqwg.dll c:\windows\system32\koguholu.dll c:\windows\system32\mokejudu.dll c:\windows\system32\msssc.dll c:\windows\system32\mst120.dll c:\windows\system32\muwujebu.dll 
  7. Thanks, but I forgot to mention that this one's apparently smart enough to know about ComboFix, since I can't get that executable to run properly either. So, I've seen conflicting opinions -- is it safe to rename ComboFix to try to get it to run? Sorry for the earlier omission.
  8. Hi. I have apparently picked up a new and particularly nasty variant of the Google Redirect virus. I've tried running the Malwarebytes installer, but although the process shows up in my task list it doesn't do anything more than that. The same is true of the HijackThis installer. The machine is running Windows XP Pro SP3 and I have been using Trend Micro's suite of firewall and AV tools (what the old PC-cillin has turned into), but I cannot get to the Trend Micro site to update the AV database either. This thing is apparently smart enough to know how to mask and disable all the legitimate anti-malware sites out there. What do I do now? Thanks for any help that you can provide.