bruiser9999 Posted March 2, 2009 ID:60934

I was able to run MBAM!! Then I ran HijackThis. Here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:00 AM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\izkn0ou61v4c.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo!
bruiser9999 Posted March 2, 2009 Author ID:60950

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:00 AM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\izkn0ou61v4c.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo!
bruiser9999 Posted March 3, 2009 Author ID:61069

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:20 PM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\uq0oaud0.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo!
AdvancedSetup (Root Admin) Posted March 3, 2009 ID:61105

Please don't keep posting the HJT log all over the place. Please bookmark your post and stay with the post; don't create new ones.

Okay, so, aside from posting a HJT log, what seems to be the problem you're having, so that I can try to help you?
bruiser9999 Posted March 3, 2009 Author ID:61147

Sorry about that. New to this site, not sure of the rules. As for my problems: I was able to run MBAM and it found 132 infected files. I removed every one and it prompted me to restart the computer to get rid of some of them. When I scanned again it found two more. I removed them and restarted, and they still pop up. They are hijackregedit and something else that has to do with the registry?? Thanks. And sorry again for the multiple posts.
bruiser9999 Posted March 3, 2009 Author ID:61162

It will also not load yahoo.com but loads all other sites just fine. Another funny thing is that the images never show up when going online. I always have to go into Tools and check the show images box to display the images???
AdvancedSetup (Root Admin) Posted March 3, 2009 ID:61250

Okay, please post the MBAM and HJT logs so that I can see what's being reported.

Update and Scan with Malwarebytes' Anti-Malware
- Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
- Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
- Update Malwarebytes' Anti-Malware:
  - Select the Update tab
  - Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply. If you accidentally close it, the log file is saved here and will be named like this:
  C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new HijackThis log.
bruiser9999 Posted March 4, 2009 Author ID:61406

Thank you very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:35 AM, on 3/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/mail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo!
AdvancedSetup (Root Admin) Posted March 5, 2009 ID:61536

STEP 01
From within IE go to Tools/Internet Options/Advanced and click on the RESET button and quit IE.

STEP 02
Download and install CCleaner
- Double-click on the downloaded file "ccsetup216.exe" and install the application.
- Keep the default installation folder "C:\Program Files\CCleaner"
- Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
- Click finish when done and close ALL PROGRAMS
- Start the CCleaner program.
- Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
- Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
- Click on Run Cleaner button on the bottom right side of the program.
- Click OK to any prompts

STEP 03
You have way too many TOOL BARS and I would recommend you remove them and only keep those that you really want or need.

STEP 04
With all other applications closed (Taskbar empty), open HijackThis again and run Do a system scan only and place a check mark on the following items.

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [h4yumk6hdnqmcc4j0t9waoatjeq0uuax6bprdsei33alzl] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etbgknv4w.exe
O4 - HKCU\..\Run: [uxl9c2gjo9jc76pbjri] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\iex5wf.exe
O4 - HKCU\..\Run: [gf8l5gpvxcifepoa] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\vyw526sr0x.exe
O4 - HKCU\..\Run: [dmk70z2pdywx] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w8qkk4eiw.exe
O4 - HKCU\..\Run: [g15k8q7igejdh5gnwvp30374nepsus98895xy6phmjfy] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\y9if50h1rn.exe
O4 - HKCU\..\Run: [nxibdprqfukv] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\nl5t09ta.exe
O4 - HKCU\..\Run: [klft6gfqwxjwozqfv6wwqtw4c] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\izkn0ou61v4c.exe
O4 - HKCU\..\Run: [rehzuaio7ve] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\qdt5uybk1qe.exe
O4 - HKCU\..\Run: [v74s9guo5xag0mtqgiapgd7ys5ow1nxhk7af0u9jbhvj7v] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\c6z41ll.exe
O4 - HKCU\..\Run: [wgj4d7l3n33lgui] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\z1p3pl0843vdi.exe
O4 - HKCU\..\Run: [gi37wauvghcvsaajskfxg8mkofr7vn92h] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\xksf45.exe
O4 - HKCU\..\Run: [ujzhk7dvkn2kozrfpo1d1yd1pbbxrcds3z6ijlc6w9wyzkj8s] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mdftzezia76r.exe
O4 - HKCU\..\Run: [matbebicf1wpkggf35o6lgeav7580v] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\h14pir6kg.exe
O4 - HKCU\..\Run: [qldsv37ow7cdqzm45kf6ibapkxpfem9s70pyx4tvh1bhtd2h] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\dhtu70ovfq9.exe
O4 - HKCU\..\Run: [qfbbod60tvsemmetqd37cxyy] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\uq0oaud0.exe
O4 - HKCU\..\Run: [iuxxhk7h4ypxevwb8gkt4wn8n71l8lyu5ntyj] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\u4nlbua.exe
O4 - HKCU\..\Run: [q92u63yxd] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\rloouc1xklc.exe
O4 - HKCU\..\Run: [fmryv7as70237539nq9lfq3oxl6s2euq3560yo2tkmj44a5] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ytz3oqnxv.exe
O4 - HKCU\..\Run: [vjfqkx7zcurn8pupj97grh] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\bz9dsl04c3oe.exe
O4 - HKCU\..\Run: [s76wlyephqy24868s8aj7] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\rif0chqy2kmz0.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O20 - AppInit_DLLs: hizusy.dll vzdbyl.dll nkhpeq.dll pjyiqf.dll vwmhqo.dll ygdcam.dll ftcqme.dll fkwiml.dll mzdbfr.dll vfcdrf.dll kztwey.dll rfdanw.dll hfngqs.dll hziydd.dll

Then Quit All Browsers including the one you're reading this in now.
Then click on Fix checked and then quit HJT.

STEP 05
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.

Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
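The STEP 04 fix list shows the two patterns a log reviewer keys on here: HKCU Run values with machine-generated names that launch executables out of the user's Temp folder, and an AppInit_DLLs entry listing bare DLL names that get loaded into every process that maps user32. The script below is an added example, not part of this thread and not HijackThis or Malwarebytes code; it applies those two rules to HJT-format lines. The sample input mixes lines copied from the log above with a few constructed lines (the ehTray line, the Example\example.exe line, and a shortened AppInit_DLLs list) so that the benign and medium paths are exercised; the vowel-ratio threshold and 12-character minimum are my own heuristic choices, not anything HijackThis does.

```python
"""Triage HijackThis O4/O20 lines for Temp-folder autoruns and bare AppInit_DLLs.

Added example (not from the thread or from HijackThis). Rules are the two the
fix list above relies on: Run values launching from a Temp directory, and
AppInit_DLLs entries that name DLLs without a path.
"""
import re
from collections import Counter

# Constructed sample. Lines 3-5, 7 and the O20 line are copied from the HJT log in
# the thread (the O20 list is shortened); the ehTray line and the
# Example\example.exe line are made up to show the benign and medium paths.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [h4yumk6hdnqmcc4j0t9waoatjeq0uuax6bprdsei33alzl] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etbgknv4w.exe
O4 - HKCU\..\Run: [q92u63yxd] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\rloouc1xklc.exe
O4 - HKCU\..\Run: [k3j9x2qp7vmz] C:\Program Files\Example\example.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - AppInit_DLLs: hizusy.dll vzdbyl.dll nkhpeq.dll
"""

# HJT line shapes: "O4 - HKCU\..\Run: [name] command", "O4 - Global Startup: x.lnk = path",
# "O20 - AppInit_DLLs: a.dll b.dll".
O4_RUNKEY_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# A path component named Temp/tmp, or the %TEMP% variable, anywhere in the command.
TEMP_DIR_RE = re.compile(r"(?:^|[\\/])(?:temp|tmp)[\\/]|%temp%", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Heuristic (my own thresholds): a long run of lowercase letters and digits
    with few vowels. Human-chosen value names are short, mixed-case or pronounceable."""
    if len(name) < 12 or not re.fullmatch(r"[a-z0-9]+", name):
        return False
    has_digit = any(ch.isdigit() for ch in name)
    vowel_ratio = sum(ch in "aeiou" for ch in name) / len(name)
    return has_digit and vowel_ratio < 0.3


def triage_hjt(log_text: str) -> list:
    """Return one finding per suspicious line: {'line', 'severity', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons, severity = [], None
        if m := O4_RUNKEY_RE.match(line):
            if TEMP_DIR_RE.search(m["cmd"]):
                reasons.append("autorun target lives in a Temp directory")
                severity = "high"
            if looks_random(m["name"]):
                reasons.append("Run value name looks machine-generated")
                severity = severity or "medium"
        elif m := O4_STARTUP_RE.match(line):
            if TEMP_DIR_RE.search(m["cmd"]):
                reasons.append("Startup-folder item points into a Temp directory")
                severity = "high"
        elif m := O20_RE.match(line):
            # A bare file name means the loader resolves it by search path, and it
            # is injected into every process that loads user32.dll.
            bare = [d for d in m["dlls"].split() if "\\" not in d and "/" not in d]
            if bare:
                reasons.append("AppInit_DLLs names bare DLLs: " + ", ".join(bare))
                severity = "high"
        if reasons:
            findings.append({"line": line, "severity": severity, "reasons": reasons})
    return findings


def severity_counts(findings: list) -> dict:
    """Summary for a quick read of how bad the log is."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f['severity'].upper()}] {f['line']}")
        for reason in f["reasons"]:
            print("    -", reason)
    print(severity_counts(triage_hjt(SAMPLE_HJT)))
```

On the sample the three Temp entries and the AppInit_DLLs line come back high, the constructed random-name entry outside Temp comes back medium, and the ehTray, MSMSGS and Global Startup lines produce nothing. Note that the short value name q92u63yxd is below the random-name threshold and is flagged only because of its Temp path, which is why the path rule carries the higher severity.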
bruiser9999 Posted March 5, 2009 Author ID:61693

ComboFix 09-03-04.01 - HP_Administrator 2009-03-05 8:37:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.577 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
 * Created a new restore point.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\IE4 Error Log.txt
c:\windows\wiaserviv.log
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.
2009-03-05 08:12 . 2009-03-05 08:12 <DIR> d-------- c:\program files\CCleaner
2009-03-04 13:06 . 2009-03-04 13:06 552 --a------ c:\windows\system32\d3d8caps.dat
2009-03-04 11:46 . 2009-03-04 11:46 <DIR> d-------- c:\documents and settings\HP_Administrator\DoctorWeb
2009-03-03 19:29 . 2009-03-03 19:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-03 19:21 . 2009-03-04 16:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-03 19:21 . 2009-03-04 16:35 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-03-03 19:21 . 2009-03-03 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-03 17:34 . 2009-03-05 08:41 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-03 17:34 . 2009-03-03 17:34 1,409 --a------ c:\windows\QTFont.for
2009-03-03 17:30 . 2009-03-03 17:46 345 --a------ c:\windows\gmer.ini
2009-03-03 13:47 . 2009-03-03 13:47 <DIR> d-------- c:\program files\Avira
2009-03-03 13:47 . 2009-03-03 13:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-03 10:23 . 2009-03-03 13:33 <DIR> d-------- c:\program files\Alwil Software
2009-03-02 10:39 . 2009-03-02 10:39 <DIR> d--hs---- c:\documents and settings\LocalService\UserData
2009-03-02 10:39 . 2009-03-02 10:39 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!
2009-03-02 08:53 . 2009-03-02 08:53 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-03-02 07:40 . 2009-03-02 07:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HPQ
2009-03-01 18:49 . 2009-03-01 18:49 <DIR> d-------- c:\program files\Trend Micro
2009-03-01 17:06 . 2009-03-01 17:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-01 17:06 . 2009-03-01 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-01 17:06 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-01 17:06 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 22:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-03 00:31 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-02 15:53 --------- d-----w c:\program files\eSoftware
2009-01-26 20:27 --------- d-----w c:\program files\Viewpoint
2009-01-26 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-25 23:46 0 --sha-w c:\documents and settings\HP_Administrator\Application Data\0000000000t.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2005-02-02 21:44:24 c:\hp\KBD\bak\KBD.EXE
----a-r 313,472 2006-03-30 22:45:08 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 180,269 2006-02-28 04:25:56 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 245,760 2005-02-25 23:34:02 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
----a-w 49,152 2005-06-02 06:35:56 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe
----a-w 49,152 2006-02-19 07:41:10 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2006-02-19 07:41:10 c:\program files\HP\HP Software Update\hpwuSchd2.exe
----a-w 270,648 2007-07-10 14:18:20 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 270,648 2007-07-10 14:18:20 c:\program files\iTunes\iTunesHelper.exe
----a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\qttask.exe
----a-w 4,670,704 2007-08-30 23:43:18 c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 4,670,704 2007-08-30 22:43:18 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
----a-w 64,512 2005-08-05 21:56:34 c:\windows\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-05 21:56:34 c:\windows\ehome\ehtray.exe
----a-w 15,360 2004-08-10 05:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 05:00:00 c:\windows\system32\ctfmon.exe
----a-w 77,824 2005-07-19 18:06:12 c:\windows\system32\bak\hkcmd.exe
----a-w 114,688 2005-07-19 18:10:06 c:\windows\system32\bak\igfxpers.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-18 c:\windows\RTHDCPL.EXE]
"PCDrProfiler"="" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-02-27 36903]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cd01ee4-2f04-11da-b6f4-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]

2009-03-02 c:\windows\Tasks\HPCeeSchedule.job
- c:\progra~1\EASYIN~1\Ceement\HPCEE.exe [2005-05-24 11:46]

2009-03-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 14:24]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/mail
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 08:41:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs]
@DACL=(02 0000)
@="{571715D7-3395-4DF0-B43C-784836209E60}"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-03-05 8:45:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 14:45:34

Pre-Run: 223,573,299,200 bytes free
Post-Run: 223,500,693,504 bytes free

188 --- E O F --- 2009-01-15 09:01:06
AdvancedSetup (Root Admin) Posted March 6, 2009 ID:61896

Okay you still have some infected entries but hopefully you can install MBAM and update it and have it automatically corrected by MBAM.

Update and Scan with Malwarebytes' Anti-Malware

Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.

Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply.

If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.
bruiser9999 (Author) Posted March 6, 2009 ID:61906

Malwarebytes' Anti-Malware 1.34
Database version: 1822
Windows 5.1.2600 Service Pack 2

3/5/2009 9:23:55 PM
mbam-log-2009-03-05 (21-23-55).txt

Scan type: Quick Scan
Objects scanned: 70054
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:22 PM, on 3/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8060 bytes
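The MountPoints2 AutoRun commands in the ComboFix tail posted earlier and the O4, O16, O23 and ProxyServer lines in the HijackThis log above are the entries a helper reads by eye when saying that infected entries remain. The Python below is an added example, not code from this thread or from the HijackThis, ComboFix or Malwarebytes tools: it applies that kind of review check to constructed log lines modelled on this thread, and it handles both log formats so one pass covers the ComboFix tail and the HijackThis log. The rule names, the Temp file name, the user name and the download URL in the sample are assumptions made here.

```python
"""Triage rules for HijackThis-style and ComboFix-style log lines.

Added example, not code from this thread or from the HijackThis or
ComboFix tools. The rule names and the sample lines are constructed here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


# HijackThis entries look like "O4 - HKLM\..\Run: [name] command"
HJT_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^[^:]*: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# ComboFix reports a per-drive AutoRun handler stored under MountPoints2 as
# "[HKEY_CURRENT_USER\...\mountpoints2\D]\Shell\AutoRun\command - <cmd>"
MOUNT_RE = re.compile(
    r"mountpoints2\\[^\]]*\]\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>\S.*)$",
    re.IGNORECASE,
)


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command (handles quoted paths)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(lines):
    """Apply the review checks a helper reads these logs for; returns Findings."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = MOUNT_RE.search(line)
        if m:  # any AutoRun command attached to a drive letter is worth a look
            findings.append(Finding(n, "drive-autorun", m.group("cmd")))
            continue
        m = HJT_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1" and "ProxyServer" in body:
            findings.append(Finding(n, "proxy-configured", body.split("=", 1)[-1].strip()))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = first_token(r.group("cmd"))
                if TEMP_RE.search(exe):
                    findings.append(Finding(n, "run-from-temp", exe))
                elif "\\" not in exe and not exe.startswith("%"):
                    # bare file name: found by PATH search at logon, not a fixed path
                    findings.append(Finding(n, "run-unqualified-path", exe))
        elif sec == "O16" and "http" in body.lower():
            findings.append(Finding(n, "activex-download", body))
        elif sec == "O23":
            if "(file missing)" in body:
                findings.append(Finding(n, "service-file-missing", body))
            if "Unknown owner" in body:
                findings.append(Finding(n, "service-unknown-owner", body))
    return findings


# Constructed sample modelled on the logs in this thread; the Temp file name,
# user name and download URL are hypothetical.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\update.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Installer Class) - http://download.example.test/installer.cab
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
"""
SAMPLE_LINES = SAMPLE.strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"line {f.line_no:>2}  {f.rule:<22} {f.detail}")
```

Run as a script it prints one line per flagged entry; `triage()` returns Finding records so further rules can be added. It is a review aid, not a verdict: a service with a missing binary or a bare-name Run entry can be an uninstall leftover, so the point is to surface the lines to inspect, the way the helper does by hand in this thread.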
AdvancedSetup (Root Admin) Posted March 6, 2009 ID:61912

You still have an infection there but due to how it was implemented it is typically more in the area of a Virus scanner to detect it.
I'm afraid that a Virus scanner might not correct it properly though as I've not tried it. So give me some time please and I'll try to write up a repair/removal method for it.
If I've not replied back to you within about 36 hours please post a reply for review. Sometimes I get tied up with other posts and work.
bruiser9999 (Author) Posted March 6, 2009 ID:61914

I understand. Thank you very much for your time. I will speak with you in a few days. Thank you.
AdvancedSetup (Root Admin) Posted March 7, 2009 ID:62315

Okay you have a Downloader-AWF infection that McAfee was one of the first to find years ago so I'm assuming they can properly clean it.
They might not have been able to get to it due to some of the other problems on your computer that have since been cleaned.

Let's do the following please.

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
   If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
3. Give the new Restore Point a name, then click "Create".
4. The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

Then use the Disk Cleanup to remove all but the most recently created Restore Point.
1. Go to Start > Run and type: Cleanmgr.exe
2. Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
3. Click the "More Options" tab, then click the "Clean up" button under System Restore.
4. Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
5. Click Yes, then click Ok.
6. Click Yes again when prompted with "Are you sure you want to perform these actions?"
7. Disk Cleanup will remove the files and close automatically.

On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore

Then start your McAfee program and UPDATE it to the latest version and do a FULL SYSTEM scan and let me know what it finds please.
We'll go from there depending on what it finds.
AdvancedSetup (Root Admin) Posted March 18, 2009 ID:65382

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.