
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:08:06 AM, on 7/24/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\MAKTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\MAKHKEY.EXE

C:\Documents and Settings\vickie\Desktop\newHiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {0036079F-508E-4910-B582-896A7E3A28Ae} - C:\WINDOWS\system32\hqsfwlwj.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: (no name) - {D7F90E0D-BE1F-4F9E-96DE-AE54B9C6BFC5} - c:\windows\system32\csnmgrw.dll

O2 - BHO: (no name) - {oldD7F90E0D-BE1F-4F9E-96DE-AE54B9C6BFC5} - (no file)

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [igfxTray] "C:\WINDOWS\system32\igfxtray.exe"

O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [MAKTray] "MAKTray.exe"

O4 - HKLM\..\Run: [setRefresh] "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - http://www3.authentium.com/cssrelease/bin/wizard.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195766371890

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: ujwdpphr - C:\WINDOWS\SYSTEM32\csnmgrw.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 6754 bytes

Malwarebytes' Anti-Malware 1.39

Database version: 2489

Windows 5.1.2600 Service Pack 2

7/24/2009 9:38:31 AM

mbam-log-2009-07-24 (09-38-31).txt

Scan type: Full Scan (C:\|)

Objects scanned: 179442

Time elapsed: 23 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 10

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\hqsfwlwj.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\csnmgrw.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d7f90e0d-be1f-4f9e-96de-ae54b9c6bfc5} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ujwdpphr (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{d7f90e0d-be1f-4f9e-96de-ae54b9c6bfc5} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0036079f-508e-4910-b582-896a7e3a28ae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0036079f-508e-4910-b582-896a7e3a28ae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0036079f-508e-4910-b582-896a7e3a28ae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wtcvssyn (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wtcvssyn (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wtcvssyn (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7f90e0d-be1f-4f9e-96de-ae54b9c6bfc5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\csnmgrw.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\hqsfwlwj.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\pkmpqua.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.


Hello & Welcome to Malwarebytes'

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Options, then click Track this topic. Make sure it is set to Immediate Email Notification, then click Proceed.

In the meantime please note the following:

  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of them completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean, even if symptoms seemingly abate.

Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

DDS

Download DDS.scr by sUBs from one of the following links & save it to your desktop.

Link 1

Link 2

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.

To post in next reply:

Contents of DDS log

Contents of Attach.txt

Contents of Gmer log



Your instructions said to run DDS and post BOTH logs. The command box instructions said to attach the Attach file, so I will try that first. I hope that I am doing this correctly!

DDS (Ver_09-06-26.01) - NTFSx86

Run by vickie at 15:16:17.32 on Sat 07/25/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.686 [GMT -4:00]

AV: Cox Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\MAKTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\MAKHKEY.EXE

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\vickie\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Connection Wizard,ShellNext = iexplore

mSearchAssistant = hxxp://www.google.com/ie

mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll

BHO: {0036079f-508e-4910-b582-896a7e3a28ae} - c:\windows\system32\hqsfwlwj.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

BHO: : {d7f90e0d-be1f-4f9e-96de-ae54b9c6bfc5} - c:\windows\system32\csnmgrw.dll

TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

mRun: [igfxTray] "c:\windows\system32\igfxtray.exe"

mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"

mRun: [smapp] c:\program files\analog devices\soundmax\SMTray.exe

mRun: [MAKTray] "MAKTray.exe"

mRun: [setRefresh] "c:\program files\compaq\setrefresh\SetRefresh.exe"

IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195766371890

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

Notify: igfxcui - igfxsrvc.dll

Notify: ujwdpphr - csnmgrw.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 olliwava;olliwava;c:\windows\system32\drivers\olliwava.sys [2001-8-17 23424]

R2 wtcvssyn;CD-Burning Filter Support;c:\windows\system32\svchost.exe -k netsvcs [2009-3-1 14336]

S0 erwcn;erwcn;c:\windows\system32\drivers\ncfia.sys --> c:\windows\system32\drivers\ncfIa.sys [?]

S0 hfqyoog;hfqyoog;c:\windows\system32\drivers\oonl.sys --> c:\windows\system32\drivers\oonl.sys [?]

S0 hhphIsq;hhphIsq;c:\windows\system32\drivers\puqkhcyx.sys --> c:\windows\system32\drivers\puqkhcyx.sys [?]

=============== Created Last 30 ================

2009-07-24 10:06 <DIR> --d----- c:\program files\Trend Micro

2009-07-24 08:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-07-24 07:27 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll

2009-07-24 07:27 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll

2009-07-24 07:27 17,408 a------- c:\windows\system32\dllcache\xrxscnui.dll

2009-07-24 07:27 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe

2009-07-24 07:27 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe

2009-07-24 07:25 363,520 a------- c:\windows\system32\dllcache\w3svc.dll

2009-07-24 07:24 50,688 a------- c:\windows\system32\dllcache\umaxscan.dll

2009-07-24 07:23 31,232 a------- c:\windows\system32\dllcache\tools.dll

2009-07-24 07:22 46,592 a------- c:\windows\system32\dllcache\sspifilt.dll

2009-07-24 07:21 38,912 a------- c:\windows\system32\dllcache\sm9aw.dll

2009-07-24 07:20 6,912 a------- c:\windows\system32\dllcache\seaddsmc.sys

2009-07-24 07:19 26,624 a------- c:\windows\system32\dllcache\rw330ext.dll

2009-07-24 07:18 5,632 a------- c:\windows\system32\dllcache\ptpusb.dll

2009-07-24 07:17 41,984 a------- c:\windows\system32\dllcache\ovui2rc.dll

2009-07-24 07:16 53,248 a------- c:\windows\system32\dllcache\nextlink.dll

2009-07-24 07:15 35,200 a------- c:\windows\system32\dllcache\msgame.sys

2009-07-24 07:14 727,786 a------- c:\windows\system32\dllcache\ltck000c.sys

2009-07-24 07:13 145,408 a------- c:\windows\system32\dllcache\iische51.dll

2009-07-24 07:12 115,807 a------- c:\windows\system32\dllcache\hsf_fsks.sys

2009-07-24 07:11 320,384 a------- c:\windows\system32\dllcache\g200m.sys

2009-07-24 07:10 53,248 a------- c:\windows\system32\dllcache\eqndiag.exe

2009-07-24 07:09 419,357 a------- c:\windows\system32\dllcache\dgconfig.dll

2009-07-24 07:08 164,923 a------- c:\windows\system32\dllcache\diapi2.sys

2009-07-24 07:07 96,128 a------- c:\windows\system32\dllcache\ati.dll

2009-07-20 18:40 21,208,064 a------- c:\windows\system32\SBSP.dat

2009-07-20 18:40 4,345 a------- c:\windows\system32\SBFC.dat

2009-07-20 18:40 360 a------- c:\windows\system32\SBRC.dat

2009-07-20 16:37 <DIR> --d----- c:\docume~1\vickie\applic~1\Malwarebytes

2009-07-19 12:47 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-19 12:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-07-19 12:47 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-07-19 12:47 <DIR> --d----- c:\program files\fixmycomputer

2009-07-19 08:03 <DIR> --d----- C:\VundoFix Backups

2009-07-18 13:31 <DIR> --d----- c:\program files\NortonInstaller

2009-07-18 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller

2009-07-18 10:20 <DIR> --d----- c:\program files\MSSOAP

2009-07-18 10:20 <DIR> --d----- c:\program files\Webroot

2009-07-16 18:35 <DIR> --d----- c:\windows\system32\appmgmt

2009-07-13 07:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\17006404

2009-07-05 02:28 30,452 a---h--- c:\windows\system32\mlfcache.dat

2009-07-02 12:58 <DIR> --d----- c:\docume~1\vickie\applic~1\kinocbnj

2009-06-30 17:57 <DIR> --d----- c:\windows\pss

2009-06-30 17:51 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 10:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll

2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll

2009-06-16 10:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll

2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll

2009-06-03 15:27 1,290,752 a------- c:\windows\system32\dllcache\quartz.dll

2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll

2009-05-07 11:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll

2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll

2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll

2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll

2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll

2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll

2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll

2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll

2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll

2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll

2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll

2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll

2009-04-28 05:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe

2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

============= FINISH: 15:16:46.40 ===============

Attach.zip


Hi

Your Instructions said to run dds and post BOTH logs
Yes... makes it easier for me to read. So if I could ask you to copy the contents of any logs & paste directly into your posts. Please don't attach logs unless I specifically request it.

Thanks

What about Gmer... how did you go with that?


Sorry here is the last log GMER.TXT

GMER 1.0.15.14972 - http://www.gmer.net

Rootkit scan 2009-07-25 17:26:28

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

Code 86BEECA0 ZwEnumerateKey

Code 86DE0710 ZwFlushInstructionCache

Code 86BF1C9E IofCallDriver

Code 86EA666E IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys (*** hidden *** ) [sYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@start 1

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@type 1

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@group file system

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXxjcyuocbdawooybasboalsqkynektqvq.dll

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXckjpuyfvvffxldwkxejyrpskekbgyijf.dll

Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys

Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys

Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules

Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys

Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXxjcyuocbdawooybasboalsqkynektqvq.dll

Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXckjpuyfvvffxldwkxejyrpskekbgyijf.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXxjcyuocbdawooybasboalsqkynektqvq.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXckjpuyfvvffxldwkxejyrpskekbgyijf.dll

---- Files - GMER 1.0.15 ----

File C:\Avenger\MSIVXcount 4 bytes

File C:\Avenger\MSIVXcount-ren-260 4 bytes

File C:\Avenger\MSIVXcount-ren-263 4 bytes

File C:\Avenger\MSIVXcount-ren-311 4 bytes

File C:\Avenger\MSIVXcount-ren-344 4 bytes

File C:\WINDOWS\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys 73216 bytes executable <-- ROOTKIT !!!

File C:\WINDOWS\system32\MSIVXckjpuyfvvffxldwkxejyrpskekbgyijf.dll 52224 bytes executable

File C:\WINDOWS\system32\MSIVXcount 4 bytes

File C:\WINDOWS\system32\MSIVXxjcyuocbdawooybasboalsqkynektqvq.dll 22528 bytes executable

---- EOF - GMER 1.0.15 ----


Here is that Attach log file- thanks!!!

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 6/6/2007 9:17:14 AM

System Uptime: 7/25/2009 3:11:54 PM (0 hours ago)

Motherboard: Hewlett-Packard | | 0968h

Processor: Intel® Pentium® 4 CPU 3.60GHz | XU1 PROCESSOR | 3591/800mhz

Processor: Intel® Pentium® 4 CPU 3.60GHz | XU1 PROCESSOR | 3591/800mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 149 GiB total, 122.599 GiB free.

D: is CDROM ()

E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.1.1

Adobe Shockwave Player

Adobe


Hi

I see your Anti-Virus Suite is outdated. Any reason for that?

AV: Cox Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}

ComboFix

Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):

Link 1

Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Query_RC.gif

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

To post in next reply:

ComboFix log

New HijackThis log

Update on how the computer is running


it seems to have started around the same time as the infection- on boot Cox Security Suite activation windows pops up but it will not recognize the username and password- we even called Cox who reset the password and it still wouldn't work- I was thinking perhaps the malware was to blame- I will try downloading it again to see if I can get it installed correctly- Using combofix is there a chance that we will lose existing files on the hard drive?


Hi

ComboFix is quite safe when used by people trained in its use.

However having said that please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Hi

Delete the copy of ComboFix you have & download it again from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):

Link 1

Link 2

**IMPORTANT !!! RENAME ComboFix.exe to Commy.exe BEFORE you save it to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Query_RC.gif

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

To post in next reply:

ComboFix log

Update on how the computer is running


ComboFix log

ComboFix 09-07-27.02 - vickie 07/27/2009 18:26.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.751 [GMT -4:00]

Running from: c:\documents and settings\vickie\Desktop\Commy.exe

AV: Cox Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\vickie\Desktop\files.exe

c:\recycler\S-1-5-21-2327759443-965293660-3012689122-500

c:\windows\system32\csnmgrw.dll

c:\windows\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys

c:\windows\system32\drivers\olliwava.sys

c:\windows\system32\drivers\qutndkxb.sys

c:\windows\system32\hqsfwlwj.dll

c:\windows\system32\MSIVXckjpuyfvvffxldwkxejyrpskekbgyijf.dll

c:\windows\system32\MSIVXcount

c:\windows\system32\MSIVXxjcyuocbdawooybasboalsqkynektqvq.dll

c:\windows\system32\pkmpqua.dll

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_MSIVXserv.sys

-------\Legacy_OLLIWAVA

-------\Legacy_WTCVSSYN

-------\Service_olliwava

-------\Service_wtcvssyn

((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))

.

2009-07-26 13:37 . 2009-07-26 13:43 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Local Settings\Application Data\Adobe

2009-07-26 13:05 . 2009-07-26 13:05 -------- d-----w- C:\331bb30f799681dcd0f6c13e

2009-07-26 13:05 . 2009-07-26 13:20 -------- d-----w- c:\windows\SxsCaPendDel

2009-07-24 14:06 . 2009-07-24 14:06 -------- d-----w- c:\program files\Trend Micro

2009-07-24 12:01 . 2009-07-24 12:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-24 11:27 . 2004-08-04 04:56 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2009-07-24 11:27 . 2001-08-18 02:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2009-07-24 11:27 . 2001-08-18 02:36 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll

2009-07-24 11:27 . 2001-08-18 02:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe

2009-07-24 11:27 . 2001-08-18 02:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe

2009-07-24 11:25 . 2004-08-04 12:00 73728 ----a-w- c:\windows\system32\dllcache\w3ext.dll

2009-07-24 11:24 . 2001-08-18 02:36 50688 ----a-w- c:\windows\system32\dllcache\umaxscan.dll

2009-07-24 11:23 . 2004-08-04 12:00 31232 ----a-w- c:\windows\system32\dllcache\tools.dll

2009-07-24 11:22 . 2004-08-04 12:00 46592 ----a-w- c:\windows\system32\dllcache\sspifilt.dll

2009-07-24 11:21 . 2004-08-04 12:00 38912 ----a-w- c:\windows\system32\dllcache\sm9aw.dll

2009-07-24 11:20 . 2001-08-17 17:53 6912 ----a-w- c:\windows\system32\dllcache\seaddsmc.sys

2009-07-24 11:19 . 2004-08-04 12:00 26624 ----a-w- c:\windows\system32\dllcache\rw330ext.dll

2009-07-24 11:18 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\dllcache\ptpusb.dll

2009-07-24 11:17 . 2001-08-18 02:36 41984 ----a-w- c:\windows\system32\dllcache\ovui2rc.dll

2009-07-24 11:16 . 2004-08-04 12:00 53248 ----a-w- c:\windows\system32\dllcache\nextlink.dll

2009-07-24 11:15 . 2001-08-17 18:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys

2009-07-24 11:14 . 2004-08-04 12:00 22528 ----a-w- c:\windows\system32\dllcache\lpdsvc.dll

2009-07-24 11:13 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\dllcache\iislog51.dll

2009-07-24 11:12 . 2001-08-17 17:28 115807 ----a-w- c:\windows\system32\dllcache\hsf_fsks.sys

2009-07-24 11:11 . 2001-08-17 16:49 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys

2009-07-24 11:10 . 2001-08-18 02:36 53248 ----a-w- c:\windows\system32\dllcache\eqndiag.exe

2009-07-24 11:09 . 2001-08-18 02:36 419357 ----a-w- c:\windows\system32\dllcache\dgconfig.dll

2009-07-24 11:08 . 2004-08-04 12:00 54528 ----a-w- c:\windows\system32\dllcache\cap7146.sys

2009-07-24 11:07 . 2004-08-04 12:00 29184 ----a-w- c:\windows\system32\dllcache\asptxn.dll

2009-07-21 20:55 . 2009-07-21 20:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-20 22:40 . 2009-07-20 22:44 21208064 ----a-w- c:\windows\system32\SBSP.dat

2009-07-20 22:40 . 2009-07-20 22:44 4345 ----a-w- c:\windows\system32\SBFC.dat

2009-07-20 22:40 . 2009-07-20 22:43 360 ----a-w- c:\windows\system32\SBRC.dat

2009-07-20 20:37 . 2009-07-20 20:37 -------- d-----w- c:\documents and settings\vickie\Application Data\Malwarebytes

2009-07-19 16:47 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-19 16:47 . 2009-07-19 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-19 16:47 . 2009-07-24 12:01 -------- d-----w- c:\program files\fixmycomputer

2009-07-19 16:47 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-19 12:03 . 2009-07-20 21:05 -------- d-----w- C:\VundoFix Backups

2009-07-18 17:31 . 2009-07-19 15:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-18 17:31 . 2009-07-18 17:31 -------- d-----w- c:\program files\NortonInstaller

2009-07-18 17:31 . 2009-07-18 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-07-18 17:31 . 2009-07-18 17:31 6366816 ----a-w- c:\documents and settings\All Users\Application Data\Google Updater\cache\packdata_ci_ns_2.3.0.44_en_setup.exe

2009-07-18 17:30 . 2009-07-18 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-07-18 14:20 . 2009-07-18 14:20 -------- d-----w- c:\program files\MSSOAP

2009-07-18 14:20 . 2009-07-18 14:20 -------- d-----w- c:\program files\Webroot

2009-07-17 22:53 . 2009-07-17 22:53 -------- d-----w- c:\documents and settings\JBrisco\Local Settings\Application Data\AOL

2009-07-17 22:50 . 2009-07-17 22:50 -------- d-----w- c:\documents and settings\JBrisco\Application Data\Sunbelt Software

2009-07-15 21:57 . 2009-07-15 21:57 -------- d-----w- c:\documents and settings\JBrisco\Local Settings\Application Data\Windows Live Writer

2009-07-15 21:56 . 2009-07-15 21:56 -------- d-----w- c:\documents and settings\JBrisco\Local Settings\Application Data\Google

2009-07-15 21:55 . 2009-07-15 21:55 29080 ----a-w- c:\documents and settings\JBrisco\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-15 21:54 . 2009-07-15 21:54 -------- d-----w- c:\documents and settings\JBrisco\Application Data\Share-to-Web Upload Folder

2009-07-13 14:42 . 2009-07-13 14:42 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Local Settings\Application Data\AOL

2009-07-13 14:41 . 2009-07-13 14:41 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Local Settings\Application Data\Windows Live Writer

2009-07-13 14:41 . 2009-07-14 22:17 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Local Settings\Application Data\Google

2009-07-13 11:51 . 2009-07-20 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\17006404

2009-07-07 18:01 . 2009-07-07 18:14 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Application Data\Apple Computer

2009-07-07 18:01 . 2009-07-07 18:14 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Local Settings\Application Data\Apple Computer

2009-07-07 18:01 . 2009-07-07 18:01 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Application Data\Sunbelt Software

2009-07-07 18:01 . 2009-07-07 18:01 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Application Data\Share-to-Web Upload Folder

2009-07-05 06:28 . 2009-07-05 06:28 30452 ---ha-w- c:\windows\system32\mlfcache.dat

2009-07-02 16:58 . 2009-07-02 16:58 -------- d-----w- c:\documents and settings\vickie\Local Settings\Application Data\kinocbnj

2009-07-02 16:58 . 2009-07-02 16:58 -------- d-----w- c:\documents and settings\vickie\Application Data\kinocbnj

2009-06-30 21:51 . 2009-06-30 21:52 -------- d-----w- c:\program files\CCleaner

2009-06-29 12:52 . 2009-06-29 12:52 -------- d-----w- c:\documents and settings\vickie\Application Data\acccore

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-26 15:41 . 2007-10-11 12:27 29080 ----a-w- c:\documents and settings\vickie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-24 11:48 . 2007-06-06 21:28 -------- d-----w- c:\program files\Common Files\Authentium Shared

2009-07-21 22:48 . 2009-07-27 21:06 170920 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2009-07-18 17:30 . 2007-08-23 20:06 -------- d-----w- c:\program files\Google

2009-07-16 22:39 . 2007-06-07 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-06-30 21:49 . 2008-02-18 23:53 -------- d-----w- c:\program files\Norton Security Scan

2009-06-16 14:55 . 2009-03-01 20:16 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2009-03-01 20:16 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 03:02 . 2008-02-19 14:49 -------- d-----w- c:\documents and settings\vickie\Application Data\Apple Computer

2009-06-03 19:27 . 2009-03-01 20:16 1290752 ----a-w- c:\windows\system32\quartz.dll

2009-05-19 05:36 . 2009-06-15 15:17 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe

2009-05-19 05:36 . 2009-06-15 15:17 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat

2009-05-19 05:36 . 2009-06-15 15:17 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe

2009-05-19 05:36 . 2009-06-15 15:17 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat

2009-05-19 05:36 . 2009-06-15 15:17 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe

2009-05-19 05:36 . 2009-06-15 15:17 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe

2009-05-19 05:36 . 2009-06-15 15:17 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe

2009-05-19 05:36 . 2009-06-15 15:17 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll

2009-05-07 15:44 . 2009-03-01 20:16 344064 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:56 . 2004-08-04 07:56 827392 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:55 . 2009-03-01 20:17 78336 ----a-w- c:\windows\system32\ieencode.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-01 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]

"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]

"MAKTray"="MAKTray.exe" - c:\windows\MAKTray.exe [2004-08-28 287232]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SBBD.exe \Device\HarddiskVolume1\WINDOWS\system32\SBFC.dat -d \Device\HarddiskVolume1\WINDOWS\system32\SBSP.dat

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pocket Tanks\\pockettanks.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 erwcn;erwcn;c:\windows\system32\drivers\ncfIa.sys --> c:\windows\system32\drivers\ncfIa.sys [?]

S0 hfqyoog;hfqyoog;c:\windows\system32\drivers\oonl.sys --> c:\windows\system32\drivers\oonl.sys [?]

S0 hhphIsq;hhphIsq;c:\windows\system32\drivers\puqkhcyx.sys --> c:\windows\system32\drivers\puqkhcyx.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - OLLIWAVA

*Deregistered* - olliwava

.

Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-07-27 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-23 17:30]

2009-07-24 c:\windows\Tasks\Norton Security Scan.job

- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 21:49]

.

- - - - ORPHANS REMOVED - - - -

BHO-{001B03CF-508E-4910-B582-896A7E3A28Ae} - c:\windows\system32\hqsfwlwj.dll

BHO-{003008D3-0310-40D2-9BA8-FEA7151C17B0} - c:\windows\system32\hqsfwlwj.dll

BHO-{0036079F-508E-4910-B582-896A7E3A28Ae} - c:\windows\system32\hqsfwlwj.dll

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

Notify-dimsntfy - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Connection Wizard,ShellNext = iexplore

IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe

.

**************************************************************************

catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-27 18:42

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2412)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-07-27 18:44 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-27 22:44

Pre-Run: 131,251,908,608 bytes free

Post-Run: 132,127,547,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

221 --- E O F --- 2009-07-27 20:40

Update on how the computer is running - should I run Malwarebytes again or is it fixed?

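The GMER log earlier in this thread flags the hidden MSIVXserv.sys service and lists its registry keys, and the ComboFix log above lists three S0 drivers whose files could not be found. As an added example (not the thread's, GMER's or ComboFix's own code), the script below parses those two kinds of log lines into a findings list the way an analyst would triage them; the line patterns and field meanings are assumptions read off the lines posted above, and the sample inputs are constructed by copying them.

```python
"""Triage of the GMER and ComboFix service entries quoted in this thread.
Added example, not code from the thread, GMER or ComboFix. Line patterns and
field meanings are assumptions read off the log lines posted above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: lines copied from the GMER log posted above (trimmed).
GMER_SAMPLE = r"""
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys (*** hidden *** ) [sYSTEM] MSIVXserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXpvakydnmnmdddpevxuhtitjiyojdkjgq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXxjcyuocbdawooybasboalsqkynektqvq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXckjpuyfvvffxldwkxejyrpskekbgyijf.dll
"""
# Constructed sample: the three S0 driver entries from the ComboFix log above.
COMBOFIX_SAMPLE = r"""
S0 erwcn;erwcn;c:\windows\system32\drivers\ncfIa.sys --> c:\windows\system32\drivers\ncfIa.sys [?]
S0 hfqyoog;hfqyoog;c:\windows\system32\drivers\oonl.sys --> c:\windows\system32\drivers\oonl.sys [?]
S0 hhphIsq;hhphIsq;c:\windows\system32\drivers\puqkhcyx.sys --> c:\windows\system32\drivers\puqkhcyx.sys [?]
"""

# GMER "Service <image> (*** hidden *** ) [<account>] <name> ..." and
# "Reg <key>" / "Reg <key>@<value> <data>" lines.
HIDDEN_SERVICE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(?P<name>\S+)")
REG_LINE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\S+)\s+(?P<data>.*))?$")
# ComboFix "S<start> <name>;<display>;<image> --> <image> [?]": S = not running,
# digit = start type, trailing [?] = file not found (assumed from the log above).
CF_MISSING = re.compile(
    r"^S(?P<start>\d)\s+(?P<name>[^;]+);[^;]+;(?P<image>.+?)\s+-->\s+\S+\s+\[\?\]$")


@dataclass
class ServiceFinding:
    name: str
    image: str
    source: str                      # "gmer" or "combofix"
    start: Optional[int] = None      # 0 = boot, 1 = system start
    svc_type: Optional[int] = None   # 1 = kernel driver
    control_sets: Set[str] = field(default_factory=set)
    modules: Dict[str, str] = field(default_factory=dict)  # values under ...\modules
    reasons: List[str] = field(default_factory=list)


def triage_gmer(text: str) -> Dict[str, ServiceFinding]:
    """Hidden services from a GMER log, enriched with the registry entries GMER
    lists for the same service name (the Service line precedes them, as above)."""
    found: Dict[str, ServiceFinding] = {}
    for line in text.splitlines():
        m = HIDDEN_SERVICE.match(line)
        if m:
            f = ServiceFinding(m["name"], m["image"], "gmer")
            f.reasons.append("service object hidden from the service control manager")
            found[f.name] = f
            continue
        m = REG_LINE.match(line)
        if not m:
            continue
        parts = m["key"].split("\\")  # HKLM\SYSTEM\<ControlSet>\Services\<name>[\modules]
        if len(parts) < 5 or parts[:2] != ["HKLM", "SYSTEM"] or parts[3] != "Services":
            continue
        f = found.get(parts[4])
        if f is None:
            continue                  # registry key of a service GMER did not flag
        f.control_sets.add(parts[2])
        value, data = m["value"], m["data"]
        if len(parts) == 6 and parts[5] == "modules" and value:
            f.modules[value] = data   # one extra module per value under \modules
        elif value == "start":
            f.start = int(data)
        elif value == "type":
            f.svc_type = int(data)
    for f in found.values():
        if f.svc_type == 1 and f.start == 1:
            f.reasons.append("kernel driver (type 1) loaded at system start (start 1)")
        if f.modules:
            f.reasons.append("%d modules registered under the service key" % len(f.modules))
    return found


def triage_combofix(text: str) -> List[ServiceFinding]:
    """Stopped services whose driver image ComboFix could not find (trailing [?])."""
    out = []
    for line in text.splitlines():
        m = CF_MISSING.match(line)
        if m:
            f = ServiceFinding(m["name"], m["image"], "combofix", start=int(m["start"]))
            f.reasons.append("start type %s service whose driver file is missing" % m["start"])
            out.append(f)
    return out


def report(findings: List[ServiceFinding]) -> List[str]:
    """One header line per finding followed by one indented line per reason."""
    lines = []
    for f in findings:
        lines.append("%s: %s -> %s" % (f.source, f.name, f.image))
        lines.extend("  - " + r for r in f.reasons)
    return lines
```

Running `report(list(triage_gmer(GMER_SAMPLE).values()) + triage_combofix(COMBOFIX_SAMPLE))` yields one block per flagged service; the three ComboFix names are exactly the ones the helper's CFScript later lists under Driver::.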

Hi

Still a bit to do. We'll hold off on Malwarebytes for a bit.

CFScript

Close any open browsers.

Open notepad and copy/paste the text in the code box below into it:

Driver::
erwcn
hfqyoog
hhphIsq

Collect::
c:\windows\system32\drivers\ncfIa.sys
c:\windows\system32\drivers\oonl.sys
c:\windows\system32\drivers\puqkhcyx.sys

Folder::
C:\VundoFix Backups

DirLook::
C:\331bb30f799681dcd0f6c13e
c:\documents and settings\vickie\Local Settings\Application Data\kinocbnj
c:\documents and settings\vickie\Application Data\kinocbnj

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

Let me know if the Upload was successful.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 14.

  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 14. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache. Leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window

      Note: This deletes ALL the downloaded applications and applets from the cache

    • Click OK to leave the Temporary Files window
    • Click OK to leave the Java Control Panel

Kaspersky Online Scan

Do an online scan with Kaspersky Online Scanner

  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply

Pictured tutorial if required.

To post in next reply:

ComboFix log

Kaspersky Scan log


Here are the two log files - thanks in advance!

ComboFix

ComboFix 09-07-27.02 - vickie 07/28/2009 16:44.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.721 [GMT -4:00]

Running from: c:\documents and settings\vickie\Desktop\Commy.exe

Command switches used :: c:\documents and settings\vickie\Desktop\CFScript.txt

AV: Cox Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\VundoFix Backups

c:\vundofix backups\addmorefiles.txt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_erwcn

-------\Service_hfqyoog

-------\Service_hhphIsq

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-28 )))))))))))))))))))))))))))))))

.

2009-07-26 13:37 . 2009-07-26 13:43 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Local Settings\Application Data\Adobe

2009-07-26 13:05 . 2009-07-26 13:05 -------- d-----w- C:\331bb30f799681dcd0f6c13e

2009-07-26 13:05 . 2009-07-26 13:20 -------- d-----w- c:\windows\SxsCaPendDel

2009-07-24 14:06 . 2009-07-24 14:06 -------- d-----w- c:\program files\Trend Micro

2009-07-24 12:01 . 2009-07-24 12:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-24 11:27 . 2004-08-04 04:56 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2009-07-24 11:27 . 2001-08-18 02:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2009-07-24 11:27 . 2001-08-18 02:36 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll

2009-07-24 11:27 . 2001-08-18 02:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe

2009-07-24 11:27 . 2001-08-18 02:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe

2009-07-24 11:25 . 2004-08-04 12:00 73728 ----a-w- c:\windows\system32\dllcache\w3ext.dll

2009-07-24 11:24 . 2001-08-18 02:36 50688 ----a-w- c:\windows\system32\dllcache\umaxscan.dll

2009-07-24 11:23 . 2004-08-04 12:00 31232 ----a-w- c:\windows\system32\dllcache\tools.dll

2009-07-24 11:22 . 2004-08-04 12:00 46592 ----a-w- c:\windows\system32\dllcache\sspifilt.dll

2009-07-24 11:21 . 2004-08-04 12:00 38912 ----a-w- c:\windows\system32\dllcache\sm9aw.dll

2009-07-24 11:20 . 2001-08-17 17:53 6912 ----a-w- c:\windows\system32\dllcache\seaddsmc.sys

2009-07-24 11:19 . 2004-08-04 12:00 26624 ----a-w- c:\windows\system32\dllcache\rw330ext.dll

2009-07-24 11:18 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\dllcache\ptpusb.dll

2009-07-24 11:17 . 2001-08-18 02:36 41984 ----a-w- c:\windows\system32\dllcache\ovui2rc.dll

2009-07-24 11:16 . 2004-08-04 12:00 53248 ----a-w- c:\windows\system32\dllcache\nextlink.dll

2009-07-24 11:15 . 2001-08-17 18:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys

2009-07-24 11:14 . 2004-08-04 12:00 22528 ----a-w- c:\windows\system32\dllcache\lpdsvc.dll

2009-07-24 11:13 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\dllcache\iislog51.dll

2009-07-24 11:12 . 2001-08-17 17:28 115807 ----a-w- c:\windows\system32\dllcache\hsf_fsks.sys

2009-07-24 11:11 . 2001-08-17 16:49 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys

2009-07-24 11:10 . 2001-08-18 02:36 53248 ----a-w- c:\windows\system32\dllcache\eqndiag.exe

2009-07-24 11:09 . 2001-08-18 02:36 419357 ----a-w- c:\windows\system32\dllcache\dgconfig.dll

2009-07-24 11:08 . 2004-08-04 12:00 54528 ----a-w- c:\windows\system32\dllcache\cap7146.sys

2009-07-24 11:07 . 2004-08-04 12:00 29184 ----a-w- c:\windows\system32\dllcache\asptxn.dll

2009-07-21 20:55 . 2009-07-21 20:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-20 22:40 . 2009-07-20 22:44 21208064 ----a-w- c:\windows\system32\SBSP.dat

2009-07-20 22:40 . 2009-07-20 22:44 4345 ----a-w- c:\windows\system32\SBFC.dat

2009-07-20 22:40 . 2009-07-20 22:43 360 ----a-w- c:\windows\system32\SBRC.dat

2009-07-20 20:37 . 2009-07-20 20:37 -------- d-----w- c:\documents and settings\vickie\Application Data\Malwarebytes

2009-07-19 16:47 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-19 16:47 . 2009-07-19 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-19 16:47 . 2009-07-24 12:01 -------- d-----w- c:\program files\fixmycomputer

2009-07-19 16:47 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-18 17:31 . 2009-07-19 15:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-18 17:31 . 2009-07-18 17:31 -------- d-----w- c:\program files\NortonInstaller

2009-07-18 17:31 . 2009-07-18 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-07-18 17:31 . 2009-07-18 17:31 6366816 ----a-w- c:\documents and settings\All Users\Application Data\Google Updater\cache\packdata_ci_ns_2.3.0.44_en_setup.exe

2009-07-18 17:30 . 2009-07-18 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-07-18 14:20 . 2009-07-18 14:20 -------- d-----w- c:\program files\MSSOAP

2009-07-18 14:20 . 2009-07-18 14:20 -------- d-----w- c:\program files\Webroot

2009-07-17 22:53 . 2009-07-17 22:53 -------- d-----w- c:\documents and settings\JBrisco\Local Settings\Application Data\AOL

2009-07-17 22:50 . 2009-07-17 22:50 -------- d-----w- c:\documents and settings\JBrisco\Application Data\Sunbelt Software

2009-07-15 21:57 . 2009-07-15 21:57 -------- d-----w- c:\documents and settings\JBrisco\Local Settings\Application Data\Windows Live Writer

2009-07-15 21:56 . 2009-07-15 21:56 -------- d-----w- c:\documents and settings\JBrisco\Local Settings\Application Data\Google

2009-07-15 21:55 . 2009-07-15 21:55 29080 ----a-w- c:\documents and settings\JBrisco\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-15 21:54 . 2009-07-15 21:54 -------- d-----w- c:\documents and settings\JBrisco\Application Data\Share-to-Web Upload Folder

2009-07-13 14:42 . 2009-07-13 14:42 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Local Settings\Application Data\AOL

2009-07-13 14:41 . 2009-07-13 14:41 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Local Settings\Application Data\Windows Live Writer

2009-07-13 14:41 . 2009-07-14 22:17 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Local Settings\Application Data\Google

2009-07-13 11:51 . 2009-07-20 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\17006404

2009-07-07 18:01 . 2009-07-07 18:14 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Application Data\Apple Computer

2009-07-07 18:01 . 2009-07-07 18:14 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Local Settings\Application Data\Apple Computer

2009-07-07 18:01 . 2009-07-07 18:01 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Application Data\Sunbelt Software

2009-07-07 18:01 . 2009-07-07 18:01 -------- d-----w- c:\documents and settings\Brisco.HP19373557314\Application Data\Share-to-Web Upload Folder

2009-07-05 06:28 . 2009-07-05 06:28 30452 ---ha-w- c:\windows\system32\mlfcache.dat

2009-07-02 16:58 . 2009-07-02 16:58 -------- d-----w- c:\documents and settings\vickie\Local Settings\Application Data\kinocbnj

2009-07-02 16:58 . 2009-07-02 16:58 -------- d-----w- c:\documents and settings\vickie\Application Data\kinocbnj

2009-06-30 21:51 . 2009-06-30 21:52 -------- d-----w- c:\program files\CCleaner

2009-06-29 12:52 . 2009-06-29 12:52 -------- d-----w- c:\documents and settings\vickie\Application Data\acccore

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-26 15:41 . 2007-10-11 12:27 29080 ----a-w- c:\documents and settings\vickie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-24 11:48 . 2007-06-06 21:28 -------- d-----w- c:\program files\Common Files\Authentium Shared

2009-07-21 22:48 . 2009-07-27 21:06 170920 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2009-07-18 17:30 . 2007-08-23 20:06 -------- d-----w- c:\program files\Google

2009-07-16 22:39 . 2007-06-07 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-06-30 21:49 . 2008-02-18 23:53 -------- d-----w- c:\program files\Norton Security Scan

2009-06-16 14:55 . 2009-03-01 20:16 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2009-03-01 20:16 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 03:02 . 2008-02-19 14:49 -------- d-----w- c:\documents and settings\vickie\Application Data\Apple Computer

2009-06-03 19:27 . 2009-03-01 20:16 1290752 ----a-w- c:\windows\system32\quartz.dll

2009-05-19 05:36 . 2009-06-15 15:17 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe

2009-05-19 05:36 . 2009-06-15 15:17 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat

2009-05-19 05:36 . 2009-06-15 15:17 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe

2009-05-19 05:36 . 2009-06-15 15:17 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat

2009-05-19 05:36 . 2009-06-15 15:17 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe

2009-05-19 05:36 . 2009-06-15 15:17 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe

2009-05-19 05:36 . 2009-06-15 15:17 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe

2009-05-19 05:36 . 2009-06-15 15:17 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll

2009-05-07 15:44 . 2009-03-01 20:16 344064 ----a-w- c:\windows\system32\localspl.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of C:\331bb30f799681dcd0f6c13e ----

2009-07-26 13:05 . 2008-06-19 05:33 72 ------w- c:\331bb30f799681dcd0f6c13e\amd64\msxpsinc.ppd

2009-07-26 13:05 . 2008-06-19 05:33 2204 ------w- c:\331bb30f799681dcd0f6c13e\i386\msxpsdrv.inf

2009-07-26 13:05 . 2008-06-19 15:03 73 ------w- c:\331bb30f799681dcd0f6c13e\i386\msxpsinc.gpd

2009-07-26 13:05 . 2008-06-19 05:33 72 ------w- c:\331bb30f799681dcd0f6c13e\i386\msxpsinc.ppd

2009-07-26 13:05 . 2008-06-19 05:33 2204 ------w- c:\331bb30f799681dcd0f6c13e\amd64\msxpsdrv.inf

2009-07-26 13:05 . 2008-07-06 12:06 10929 ------w- c:\331bb30f799681dcd0f6c13e\amd64\msxpsdrv.cat

2009-07-26 13:05 . 2008-07-06 12:06 10929 ------w- c:\331bb30f799681dcd0f6c13e\i386\msxpsdrv.cat

2009-07-26 13:05 . 2008-07-06 12:06 147456 ------w- c:\331bb30f799681dcd0f6c13e\amd64\filterpipelineprintproc.dll

2009-07-26 13:05 . 2008-07-06 12:06 89088 ------w- c:\331bb30f799681dcd0f6c13e\i386\filterpipelineprintproc.dll

2009-07-26 13:05 . 2008-07-06 12:06 765440 ------w- c:\331bb30f799681dcd0f6c13e\i386\mxdwdrv.dll

2009-07-26 13:05 . 2008-07-06 12:06 1676288 ------w- c:\331bb30f799681dcd0f6c13e\i386\xpssvcs.dll

2009-07-26 13:05 . 2008-07-06 12:06 748032 ------w- c:\331bb30f799681dcd0f6c13e\amd64\mxdwdrv.dll

2008-07-06 21:36 . 2008-07-06 21:36 2936832 ------w- c:\331bb30f799681dcd0f6c13e\amd64\xpssvcs.dll

2008-06-19 15:03 . 2008-06-19 15:03 73 ------w- c:\331bb30f799681dcd0f6c13e\amd64\msxpsinc.gpd

---- Directory of c:\documents and settings\vickie\Application Data\kinocbnj ----

2009-07-06 20:09 . 2009-07-06 20:09 524 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\prefs.js

2009-07-06 17:47 . 2009-07-06 20:11 0 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\places.sqlite-journal

2009-07-02 16:58 . 2009-07-02 16:58 569 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\localstore.rdf

2009-07-02 16:58 . 2009-07-06 20:09 8894 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\pluginreg.dat

2009-07-02 16:58 . 2009-07-06 20:12 2048 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\webappsstore.sqlite

2009-07-02 16:58 . 2009-07-02 16:58 4096 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\formhistory.sqlite

2009-07-02 16:58 . 2009-07-06 15:40 131072 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\places.sqlite

2009-07-02 16:58 . 2009-07-06 17:17 16384 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\key3.db

2009-07-02 16:58 . 2009-07-06 17:17 65536 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\cert8.db

2009-07-02 16:58 . 2009-07-02 16:58 16384 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\secmod.db

2009-07-02 16:58 . 2009-07-06 20:12 2048 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\cookies.sqlite

2009-07-02 16:58 . 2009-07-02 16:58 2048 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\permissions.sqlite

2009-07-02 16:58 . 2009-07-06 20:09 127885 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\compreg.dat

2009-07-02 16:58 . 2009-07-06 20:09 96173 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\xpti.dat

2009-07-02 16:58 . 2009-07-02 16:58 111 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\profiles.ini

2009-07-02 16:58 . 2009-07-06 20:09 207 ----a-w- c:\documents and settings\vickie\Application Data\kinocbnj\Profiles\l2gl7dk9.default\compatibility.ini

---- Directory of c:\documents and settings\vickie\Local Settings\Application Data\kinocbnj ----

2009-07-02 16:58 . 2009-07-02 16:59 32768 ----a-w- c:\documents and settings\vickie\Local Settings\Application Data\kinocbnj\Profiles\l2gl7dk9.default\urlclassifier3.sqlite

2009-07-02 16:58 . 2009-07-06 20:09 438116 ----a-w- c:\documents and settings\vickie\Local Settings\Application Data\kinocbnj\Profiles\l2gl7dk9.default\XPC.mfl

((((((((((((((((((((((((((((( SnapShot@2009-07-27_22.42.29 )))))))))))))))))))))))))))))))))))))))))

.

- 2004-08-09 20:44 . 2009-07-27 22:40 71060 c:\windows\system32\perfc009.dat

+ 2004-08-09 20:44 . 2009-07-28 20:52 71060 c:\windows\system32\perfc009.dat

+ 2004-08-09 20:44 . 2009-07-28 20:52 441124 c:\windows\system32\perfh009.dat

- 2004-08-09 20:44 . 2009-07-27 22:40 441124 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-01 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]

"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]

"MAKTray"="MAKTray.exe" - c:\windows\MAKTray.exe [2004-08-28 287232]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SBBD.exe \Device\HarddiskVolume1\WINDOWS\system32\SBFC.dat -d \Device\HarddiskVolume1\WINDOWS\system32\SBSP.dat

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pocket Tanks\\pockettanks.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-07-28 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-23 17:30]

2009-07-24 c:\windows\Tasks\Norton Security Scan.job

- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 21:49]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Connection Wizard,ShellNext = iexplore

IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe

.

**************************************************************************

catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-28 16:52

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1376)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wscntfy.exe

c:\windows\MAKHkey.exe

.

**************************************************************************

.

Completion time: 2009-07-28 16:54 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-28 20:54

ComboFix2.txt 2009-07-27 22:44

Pre-Run: 132,078,067,712 bytes free

Post-Run: 132,046,508,032 bytes free

234 --- E O F --- 2009-07-27 23:29

Kaspersky

KASPERSKY ONLINE SCANNER 7.0 REPORT

Tuesday, July 28, 2009

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Tuesday, July 28, 2009 23:41:46

Records in database: 2558660

Scan settings

Scan using the following database extended

Scan archives yes

Scan mail databases yes

Scan area My Computer

A:\

C:\

D:\

Scan statistics

Files scanned 52292

Threat name 5

Infected objects 13

Suspicious objects 0

Duration of the scan 01:03:19

File name Threat name Threats count

C:\Documents and Settings\Administrator\Incomplete\Preview-T-4076126-Top of Charts - 2005.wma Infected: Trojan-Downloader.WMA.Wimad.l 1

C:\Documents and Settings\Administrator\Incomplete\Preview-T-4183160-03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.l 1

C:\Documents and Settings\Administrator\Shared\01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l 1

C:\Documents and Settings\Administrator\Shared\03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.l 1

C:\Documents and Settings\Administrator\Shared\05 Track 5.wma Infected: Trojan-Downloader.WMA.Wimad.o 1

C:\Documents and Settings\Administrator\Shared\Top of Charts - 2003.wma Infected: Trojan-Downloader.WMA.Wimad.l 1

C:\Documents and Settings\Administrator\Shared\Top of Charts - 2005.wma Infected: Trojan-Downloader.WMA.Wimad.l 1

C:\Documents and Settings\Administrator\Shared\Wicked Remix.wma Infected: Trojan-Downloader.WMA.Wimad.l 1

C:\Documents and Settings\vickie\Desktop\backups\backup-20090724-195227-458.dll Infected: Trojan-Clicker.Win32.Delf.cbe 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_olliwava_.sys.zip Infected: Trojan.Win32.BHO.ext 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXckjpuyfvvffxldwkxejyrpskekbgyijf.dll.vir Infected: Packed.Win32.Tdss.w 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXxjcyuocbdawooybasboalsqkynektqvq.dll.vir Infected: Packed.Win32.Tdss.w 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\_hqsfwlwj_.dll.zip Infected: Trojan-Clicker.Win32.Delf.cbe 1

The selected area was scanned.


Hi

Looking good. Just a little more to do and we're done. Looks as though you have a backup folder on your desktop. Is that correct? Kaspersky has flagged a file in one of the backups:

C:\Documents and Settings\vickie\Desktop\backups\backup-20090724-195227-458.dll Infected: Trojan-Clicker.Win32.Delf.cbe 1

Probably best to get rid of it.

OTM

Download OTM by OldTimer Here & save it to your desktop.

  • Double click on OTM.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved

Note: Do not type it out to minimize the risk of typo error

    :Files
    C:\Documents and Settings\Administrator\Incomplete\Preview-T-4076126-Top of Charts - 2005.wma
    C:\Documents and Settings\Administrator\Incomplete\Preview-T-4183160-03 Track 3.wma
    C:\Documents and Settings\Administrator\Shared\01 Track 1.wma
    C:\Documents and Settings\Administrator\Shared\03 Track 3.wma
    C:\Documents and Settings\Administrator\Shared\05 Track 5.wma
    C:\Documents and Settings\Administrator\Shared\Top of Charts - 2003.wma
    C:\Documents and Settings\Administrator\Shared\Top of Charts - 2005.wma
    C:\Documents and Settings\Administrator\Shared\Wicked Remix.wma
    C:\Documents and Settings\vickie\Desktop\backups\backup-20090724-195227-458.dll
    :Commands
    [Purity]
    [EmptyTemp]
    [Reboot]
  • Click on MoveIt!
  • When done, click on Exit

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

To post in next reply:

OTM log

New HijackThis log

Update on how the computer is running / problems

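The triage the helper did by eye above, namely leaving out the Kaspersky hits that sit in ComboFix's C:\Qoobox\Quarantine (already neutralised) and spotting the one in the HijackThis backups folder, turned into a script that also emits the OTM :Files / :Commands block in the form used in the reply. This is an added example, not code from the thread, Kaspersky, ComboFix or OTM. The sample report is constructed from the detection lines posted above; the line pattern, the quarantine path marker and the HijackThis backup file-name pattern are assumptions drawn from those lines.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the detection lines copied from the Kaspersky Online
# Scanner 7.0 report posted above, with the report's header and footer kept so
# the parser has to skip non-detection lines.
KASPERSKY_REPORT = r"""
File name Threat name Threats count
C:\Documents and Settings\Administrator\Incomplete\Preview-T-4076126-Top of Charts - 2005.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\Administrator\Incomplete\Preview-T-4183160-03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\Administrator\Shared\01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\Administrator\Shared\03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\Administrator\Shared\05 Track 5.wma Infected: Trojan-Downloader.WMA.Wimad.o 1
C:\Documents and Settings\Administrator\Shared\Top of Charts - 2003.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\Administrator\Shared\Top of Charts - 2005.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\Administrator\Shared\Wicked Remix.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\vickie\Desktop\backups\backup-20090724-195227-458.dll Infected: Trojan-Clicker.Win32.Delf.cbe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_olliwava_.sys.zip Infected: Trojan.Win32.BHO.ext 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXckjpuyfvvffxldwkxejyrpskekbgyijf.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXxjcyuocbdawooybasboalsqkynektqvq.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_hqsfwlwj_.dll.zip Infected: Trojan-Clicker.Win32.Delf.cbe 1
The selected area was scanned.
"""

# One detection line: "<path> Infected: <threat> <count>". Paths contain spaces,
# so the path is matched lazily up to the verdict keyword (assumed format).
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)
# ComboFix keeps what it removed under C:\Qoobox\Quarantine (renamed .vir or zipped),
# so hits there are already neutralised and must not be fed back into OTM.
QUARANTINE_MARKER = "\\qoobox\\quarantine\\"
# HijackThis writes its fix backups as backup-YYYYMMDD-HHMMSS-NNN.<ext> in a
# "backups" folder; a hit there is a copy of an item already fixed rather than
# an active infection, but it is still worth deleting.
TOOL_BACKUP_RE = re.compile(r"\\backups\\backup-\d{8}-\d{6}-\d+\.", re.IGNORECASE)


@dataclass
class Hit:
    path: str
    verdict: str
    threat: str
    count: int
    category: str  # "quarantined", "tool_backup" or "live"


def classify(path: str) -> str:
    if QUARANTINE_MARKER in path.lower():
        return "quarantined"
    if TOOL_BACKUP_RE.search(path):
        return "tool_backup"
    return "live"


def parse_report(text: str) -> list[Hit]:
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["verdict"], m["threat"], int(m["count"]), classify(m["path"])))
    return hits


def build_otm_script(hits: list[Hit], empty_temp: bool = True, reboot: bool = True) -> str:
    """Emit an OTM script in the :Files / :Commands form used in the thread,
    listing every hit that is not already in ComboFix's quarantine."""
    files, seen = [], set()
    for h in hits:
        if h.category == "quarantined" or h.path.lower() in seen:
            continue
        seen.add(h.path.lower())
        files.append(h.path)
    lines = [":Files", *files, ":Commands", "[Purity]"]
    if empty_temp:
        lines.append("[EmptyTemp]")
    if reboot:
        lines.append("[Reboot]")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = parse_report(KASPERSKY_REPORT)
    for h in hits:
        print(f"{h.category:11} {h.threat:34} {h.path}")
    print()
    print(build_otm_script(hits))
```

Run against the lines above it yields 13 hits across 5 threat names (8 live, 1 tool backup, 4 quarantined), matching the report's own counts, and an OTM script listing the same nine paths the reply posted. Keeping the quarantine check explicit matters: if a later full scan is run after ComboFix, every Qoobox entry will show up again, and feeding those paths to a mover would only shuffle already-neutralised copies.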

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:30:03 AM, on 7/29/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\MAKTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\MAKHKEY.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [igfxTray] "C:\WINDOWS\system32\igfxtray.exe"

O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [MAKTray] "MAKTray.exe"

O4 - HKLM\..\Run: [setRefresh] "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - http://www3.authentium.com/cssrelease/bin/wizard.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195766371890

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 6557 bytes

OTM Log

All processes killed

========== FILES ==========

C:\Documents and Settings\Administrator\Incomplete\Preview-T-4076126-Top of Charts - 2005.wma moved successfully.

C:\Documents and Settings\Administrator\Incomplete\Preview-T-4183160-03 Track 3.wma moved successfully.

C:\Documents and Settings\Administrator\Shared\01 Track 1.wma moved successfully.

C:\Documents and Settings\Administrator\Shared\03 Track 3.wma moved successfully.

C:\Documents and Settings\Administrator\Shared\05 Track 5.wma moved successfully.

C:\Documents and Settings\Administrator\Shared\Top of Charts - 2003.wma moved successfully.

C:\Documents and Settings\Administrator\Shared\Top of Charts - 2005.wma moved successfully.

C:\Documents and Settings\Administrator\Shared\Wicked Remix.wma moved successfully.

File/Folder C:\Documents and Settings\vickie\Desktop\backups\backup-20090724-195227-458.dll not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 10371 bytes

User: All Users

User: Brisco

User: Brisco.HP19373557314

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 78991 bytes

->Java cache emptied: 0 bytes

->Apple Safari cache emptied: 76568039 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: JBrisco

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 78991 bytes

User: LocalService

->Temp folder emptied: 0 bytes

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 49286 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 82054 bytes

User: vickie

->Temp folder emptied: 75016678 bytes

->Temporary Internet Files folder emptied: 4303718 bytes

->Java cache emptied: 128020 bytes

->Apple Safari cache emptied: 36286867 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 3075601 bytes

Windows Temp folder emptied: 515482 bytes

RecycleBin emptied: 557704 bytes

Total Files Cleaned = 187.69 mb

OTM by OldTimer - Version 3.0.0.5 log created on 07292009_060951

Files moved on Reboot...

Registry entries deleted on Reboot...


Hi

Looks good.

Fix HiJackThis Entries

  • Open HiJackThis
  • Click on Do a system scan only
  • Place a checkmark next to these lines(if still present):

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <<<----- Fix this only if you did not set it yourself

  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.1

You can download it from http://www.adobe.com/products/acrobat/readstep2.html

If you already have Adobe Photoshop


I had to get back to you to say thank you for all of your help! Everything now loads and updates correctly, including Windows and McAfee. There is NO way I could have done this without your hours of assistance! Thank you again!!!!!!!!!!!!!


Hi

No problem at all... Glad I could help.

Just a little cleaning up to do, then you're good to go.

Clean Up

Now we need to clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.

Remove ComboFix

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run then copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

  • Double-click OTM
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it yourself

You can delete the following from your desktop:

DDS.scr

The Gmer.exe file (it will be a randomly named .exe file)

Any logs that may have been saved to your desktop

You should also remove HijackThis. You can do this by going to C:\Program Files\Trend Micro\HijackThis

  • Double click HijackThis.exe
  • From the Main menu click Open the Misc Tools section
  • Using the scroll bar, scroll down to Uninstall HijackThis
  • Click Uninstall HijackThis & exit then click Yes at the prompt

All Clean

Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.

Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product loopholes and fix any bugs found. Install the updates immediately if they are found.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

SpywareBlaster

Download and install Javacools SpywareBlaster from here

SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File

A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):

  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools
  • Click Disable DNS Service. This is important.
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save

You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.

If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Web of Trust

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and Internet Explorer.

Install WinPatrol

Download it here

You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
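The HOSTS-file section of the post above explains the mechanism in words: the resolver consults a plain text file before asking DNS, so a bad name listed there with your own machine's address never leaves the box. The following is an added example, not code from the thread or from the Hosts Manager tool, that parses text in the HOSTS format (on Windows XP the real file lives at %SystemRoot%\System32\drivers\etc\hosts) and shows which names would be answered locally and which would fall through to DNS. The sample entries and the `.invalid` host names are constructed for illustration.

```python
"""Model of how a HOSTS file short-circuits name resolution (added example)."""
from typing import Dict, Optional

# Constructed sample HOSTS content; the blocklisted names are placeholders
# under the reserved .invalid TLD, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   <- comment lines are ignored
127.0.0.1       localhost
# Entries added by a blocklist: each bad name points back at this machine
127.0.0.1       ads.example-blocklist.invalid
0.0.0.0         tracker.example-blocklist.invalid  www.tracker.example-blocklist.invalid   # two names on one line
"""

# Addresses that never reach the network: loopback or the unspecified address.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} for every mapping in HOSTS-format text.

    Format: one address followed by one or more names, whitespace separated;
    '#' starts a comment; names are case-insensitive. The first mapping for a
    name wins, matching the top-down scan the resolver performs.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names maps nothing
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)  # keep the first hit
    return table


def resolve(table: Dict[str, str], name: str) -> Optional[str]:
    """Answer from the HOSTS table, or None meaning 'fall through to DNS'."""
    return table.get(name.strip().lower().rstrip("."))


def is_blocked(table: Dict[str, str], name: str) -> bool:
    """True when the HOSTS file routes the name to a sinkhole address.

    'localhost' legitimately maps to loopback, so it is not counted as blocked.
    """
    address = resolve(table, name)
    return (
        address is not None
        and address in SINKHOLE_ADDRESSES
        and name.strip().lower() != "localhost"
    )


def check_names(table: Dict[str, str], names) -> Dict[str, str]:
    """Classify each name as answered by HOSTS, sinkholed, or left to DNS."""
    outcome: Dict[str, str] = {}
    for name in names:
        address = resolve(table, name)
        if address is None:
            outcome[name] = "DNS"
        elif is_blocked(table, name):
            outcome[name] = f"blocked -> {address}"
        else:
            outcome[name] = f"hosts -> {address}"
    return outcome


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    names = [
        "localhost",
        "ADS.example-blocklist.invalid",
        "www.tracker.example-blocklist.invalid",
        "update.microsoft.com",
    ]
    for name, result in check_names(hosts, names).items():
        print(f"{name:40} {result}")
```

The `setdefault` call is the detail that matters when merging a downloaded blocklist with an existing file: the resolver takes the first line that mentions a name, so a legitimate mapping placed above a blocklist entry keeps working and a blocklist entry placed above it silently overrides it. The "Disable DNS Service" step in the post exists because the Windows DNS Client service caches the entire HOSTS file, and a file of 80,000 lines makes that cache slow to load; with the service off, lookups read the file directly.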

