Jump to content

Recommended Posts

Hello, I hope this info helps.

On 2-2-10 my computer running XP Home edition, IE7, sp2, got infected with something that redirects all browsers on the profile I was using.

That profile did not have admin privileges.

This system has been used by friends and family for years with out any virus protection.

Several of the profiles had 100's of virus's, trojans, and everything else.

I have run Malaware and Hitman Pro which cleaned everything it detected in each profile.

But I still had the google redirect on the profile that I was using when it got infected.

I then installed IE8 which did not help.

I'm new to the forum so it took awhile to find the "I'm infected-What do I do now"

I went thru the steps described and have included logs requested.

Hoping you can help please.

Malwarebytes' Anti-Malware 1.44

Database version: 3686

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

2/8/2010 6:00:15 PM

mbam-log-2010-02-08 (18-00-15).txt

Scan type: Quick Scan

Objects scanned: 182106

Time elapsed: 27 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Avira AntiVir Personal

Report file date: Thursday, February 11, 2010 17:31

Scanning for 1748777 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : rock star!!!!!!!!!!!

Computer name : YOUR-03667082DE

Version information:

BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00

AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 17:26:33

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:35:52

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 23:20:50

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:22:02

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 23:22:30

VBASE004.VDF : 7.10.3.76 2048 Bytes 1/26/2010 23:22:31

VBASE005.VDF : 7.10.3.77 2048 Bytes 1/26/2010 23:22:37

VBASE006.VDF : 7.10.3.78 2048 Bytes 1/26/2010 23:22:37

VBASE007.VDF : 7.10.3.79 2048 Bytes 1/26/2010 23:22:38

VBASE008.VDF : 7.10.3.80 2048 Bytes 1/26/2010 23:22:38

VBASE009.VDF : 7.10.3.81 2048 Bytes 1/26/2010 23:22:39

VBASE010.VDF : 7.10.3.82 2048 Bytes 1/26/2010 23:22:40

VBASE011.VDF : 7.10.3.83 2048 Bytes 1/26/2010 23:22:40

VBASE012.VDF : 7.10.3.84 2048 Bytes 1/26/2010 23:22:41

VBASE013.VDF : 7.10.3.85 2048 Bytes 1/26/2010 23:22:41

VBASE014.VDF : 7.10.3.122 172544 Bytes 1/29/2010 23:22:47

VBASE015.VDF : 7.10.3.149 79872 Bytes 2/1/2010 23:22:49

VBASE016.VDF : 7.10.3.174 68608 Bytes 2/3/2010 23:22:52

VBASE017.VDF : 7.10.3.199 76800 Bytes 2/4/2010 23:22:57

VBASE018.VDF : 7.10.3.222 64512 Bytes 2/5/2010 23:22:58

VBASE019.VDF : 7.10.3.243 75776 Bytes 2/8/2010 23:23:00

VBASE020.VDF : 7.10.4.6 81920 Bytes 2/9/2010 23:23:03

VBASE021.VDF : 7.10.4.30 78848 Bytes 2/11/2010 23:23:05

VBASE022.VDF : 7.10.4.31 2048 Bytes 2/11/2010 23:23:05

VBASE023.VDF : 7.10.4.32 2048 Bytes 2/11/2010 23:23:06

VBASE024.VDF : 7.10.4.33 2048 Bytes 2/11/2010 23:23:06

VBASE025.VDF : 7.10.4.34 2048 Bytes 2/11/2010 23:23:07

VBASE026.VDF : 7.10.4.35 2048 Bytes 2/11/2010 23:23:07

VBASE027.VDF : 7.10.4.36 2048 Bytes 2/11/2010 23:23:08

VBASE028.VDF : 7.10.4.37 2048 Bytes 2/11/2010 23:23:08

VBASE029.VDF : 7.10.4.38 2048 Bytes 2/11/2010 23:23:09

VBASE030.VDF : 7.10.4.39 2048 Bytes 2/11/2010 23:23:09

VBASE031.VDF : 7.10.4.41 26624 Bytes 2/11/2010 23:23:10

Engineversion : 8.2.1.160

AEVDF.DLL : 8.1.1.3 106868 Bytes 2/11/2010 23:24:06

AESCRIPT.DLL : 8.1.3.13 823674 Bytes 2/11/2010 23:24:04

AESCN.DLL : 8.1.4.0 127348 Bytes 2/11/2010 23:23:54

AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 13:38:44

AERDL.DLL : 8.1.3.4 479605 Bytes 2/11/2010 23:23:52

AEPACK.DLL : 8.2.0.5 422262 Bytes 2/11/2010 23:23:42

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 13:38:38

AEHEUR.DLL : 8.1.1.5 2326901 Bytes 2/11/2010 23:23:37

AEHELP.DLL : 8.1.10.0 237942 Bytes 2/11/2010 23:23:19

AEGEN.DLL : 8.1.1.86 369012 Bytes 2/11/2010 23:23:17

AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 13:38:26

AECORE.DLL : 8.1.11.1 184694 Bytes 2/11/2010 23:23:13

AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 13:38:20

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 21:14:02

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58

RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 18:25:47

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Thursday, February 11, 2010 17:31

Starting search for hidden objects.

'65085' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'notepad.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'hptskmgr.exe' - '1' Module(s) have been scanned

Scan process 'Photags AutoDetect.exe' - '1' Module(s) have been scanned

Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned

Scan process 'WinCinemaMgr.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'QTTask.exe' - '1' Module(s) have been scanned

Scan process 'lxbtbmon.exe' - '1' Module(s) have been scanned

Scan process 'lxbtbmgr.exe' - '1' Module(s) have been scanned

Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned

Scan process 'hpztsb10.exe' - '1' Module(s) have been scanned

Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned

Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned

Scan process 'kbd.exe' - '1' Module(s) have been scanned

Scan process 'hphmon06.exe' - '1' Module(s) have been scanned

Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'MDM.EXE' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

45 processes with 45 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

Master boot sector HD2

[iNFO] No virus was found!

Master boot sector HD3

[iNFO] No virus was found!

Master boot sector HD4

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Boot sector 'D:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '83' files ).

Starting the file scan:

Begin scan in 'C:\' <+>

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\All Users\Application Data\WildTangent\Game Console - WildGames\Downloads\en-us\Installers\gemshop-setup.exe

[0] Archive type: NSIS

--> [ProgramFilesDir]/WildGames/Gem Shop/FullSetupGamesClient-wildgames.exe

[1] Archive type: NSIS

--> ProgramFilesDir/LogoAnimation.swf

[WARNING] No further files can be extracted from this archive. The archive will be closed

[WARNING] No further files can be extracted from this archive. The archive will be closed

C:\Documents and Settings\All Users\Application Data\WildTangent\Game Console - WildGames\Downloads\en-us\Installers\SetupGamesClient.exe_cache

[0] Archive type: NSIS

--> ProgramFilesDir/GameConsole-wt.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

[WARNING] No further files can be extracted from this archive. The archive will be closed

C:\Documents and Settings\HP_Owner\loaded.exe

[WARNING] The file could not be opened!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\3.1.55.0-EasyShrx.Dll

[WARNING] The file could not be opened!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\AutoRun.exe

[WARNING] The file could not be opened!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\AutoRunGUI.dll

[WARNING] The file could not be opened!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\exec.exe

[WARNING] The file could not be opened!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\IadHide5.dll

[WARNING] The file could not be opened!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\io.dll

[WARNING] The file could not be opened!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\msnsearch.exe

[WARNING] The file could not be opened!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\NullsoftHelper.dll

[WARNING] The file could not be opened!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\PleaseWait.exe

[WARNING] The file could not be opened!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\UDC6_0001_D19M2808\installer.exe

[DETECTION] Contains recognition pattern of the ADSPY/Drop.Dct.21.C adware or spyware

C:\Documents and Settings\HP_Owner\Local Settings\Temp\USDR6_0001_D08M0404\installer.exe

[DETECTION] Contains recognition pattern of the ADSPY/WinFixer.C adware or spyware

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\61KRYN0P\tp[1].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\Documents and Settings\MOMMIE\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-486c9904-22c143f2.class

[DETECTION] Contains recognition pattern of the JAVA/OpenStream.BH Java virus

C:\Documents and Settings\Shawn the COWBOY!!!!\Local Settings\TempIadHide3.dll

[WARNING] The file could not be opened!

C:\hp\bin\KillIt.exe

[DETECTION] Contains recognition pattern of the APPL/KillApp.A application

C:\hp\bin\KillWind.exe

[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application

C:\Program Files\Common Files\Companion Wizard\compwiz.exe

[0] Archive type: RSRC

--> Object

[DETECTION] Contains recognition pattern of the ADSPY/Companion.A.1 adware or spyware

C:\Program Files\Common Files\Companion Wizard\WapCHK.dll

[DETECTION] Contains recognition pattern of the ADSPY/Companion.A.1 adware or spyware

C:\Program Files\Cosmi\Games 4 Kids\KILLBEES\KILLBEES.EXE

[DETECTION] Contains recognition pattern of the JOKE/KillerBee joke

C:\Program Files\Cosmi\Games 4 Kids\METEOR\METEOR.EXE

[DETECTION] Contains recognition pattern of the JOKE/KillerBee joke

C:\Program Files\Cosmi\Games 4 Kids\SPACEGRD\SPACEGRD.EXE

[DETECTION] Contains recognition pattern of the JOKE/KillerBee joke

C:\Program Files\Magic Ball 2\Magic Ball 2.exe

[DETECTION] This file has been compressed using unusual runtime compression (PCK/Armadillo). Please verify the origin of this file.

C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe

[DETECTION] Is the TR/PSW.Stealer.724081 Trojan

C:\Program Files\Online Services\PeoplePC\Utilities\AtlBrowser.exe

[DETECTION] Contains recognition pattern of the DIAL/90112 dialer

C:\WINDOWS\Downloaded Program Files\gdnUS250.exe

[DETECTION] Is the TR/Dldr.Small.ayl.0 Trojan

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS250.exe

[DETECTION] Is the TR/Dldr.Small.ayl.0 Trojan

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnUS250.exe

[DETECTION] Is the TR/Small.Crypted.Gen Trojan

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gdnUS250.exe

[DETECTION] Is the TR/Small.Crypted.Gen Trojan

C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gdnUS250.exe

[DETECTION] Is the TR/Small.Crypted.Gen Trojan

C:\WINDOWS\system32\cfgbkendy.dll

[WARNING] The file could not be opened!

Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:

C:\Documents and Settings\HP_Owner\Local Settings\Temp\UDC6_0001_D19M2808\installer.exe

[DETECTION] Contains recognition pattern of the ADSPY/Drop.Dct.21.C adware or spyware

[NOTE] The file was moved to '4be7a6a8.qua'!

C:\Documents and Settings\HP_Owner\Local Settings\Temp\USDR6_0001_D08M0404\installer.exe

[DETECTION] Contains recognition pattern of the ADSPY/WinFixer.C adware or spyware

[NOTE] The file was moved to '4a926051.qua'!

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\61KRYN0P\tp[1].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '4bcfa6aa.qua'!

C:\Documents and Settings\MOMMIE\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-486c9904-22c143f2.class

[DETECTION] Contains recognition pattern of the JAVA/OpenStream.BH Java virus

[NOTE] The file was moved to '4bdaa6a7.qua'!

C:\hp\bin\KillIt.exe

[DETECTION] Contains recognition pattern of the APPL/KillApp.A application

[NOTE] The file was moved to '4be0a6a3.qua'!

C:\hp\bin\KillWind.exe

[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application

[NOTE] The file was moved to '4be0a6a4.qua'!

C:\Program Files\Common Files\Companion Wizard\compwiz.exe

[NOTE] The file was moved to '4be1a6aa.qua'!

C:\Program Files\Common Files\Companion Wizard\WapCHK.dll

[DETECTION] Contains recognition pattern of the ADSPY/Companion.A.1 adware or spyware

[NOTE] ADSPY/Companion.A.1:[HKEY_CLASSES_ROOT\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F}\InprocServer32]:<@>=sz:WapCHK.dll

[NOTE] ADSPY/Companion.A.1:[HKEY_CLASSES_ROOT\TypeLib\{1234890A-5E6E-4867-8136-CA6F1456B235}\1.0\0\win32]:<@>=sz:WapCHK.dll

[NOTE] The file was moved to '4be4a69c.qua'!

C:\Program Files\Cosmi\Games 4 Kids\KILLBEES\KILLBEES.EXE

[DETECTION] Contains recognition pattern of the JOKE/KillerBee joke

[NOTE] The file was moved to '4bc0a684.qua'!

C:\Program Files\Cosmi\Games 4 Kids\METEOR\METEOR.EXE

[DETECTION] Contains recognition pattern of the JOKE/KillerBee joke

[NOTE] The file was moved to '4bc8a680.qua'!

C:\Program Files\Cosmi\Games 4 Kids\SPACEGRD\SPACEGRD.EXE

[DETECTION] Contains recognition pattern of the JOKE/KillerBee joke

[NOTE] The file was moved to '4bb5a68b.qua'!

C:\Program Files\Magic Ball 2\Magic Ball 2.exe

[DETECTION] This file has been compressed using unusual runtime compression (PCK/Armadillo). Please verify the origin of this file.

[NOTE] The file was moved to '4bdba69d.qua'!

C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe

[DETECTION] Is the TR/PSW.Stealer.724081 Trojan

[NOTE] The file was moved to '4be7a68f.qua'!

C:\Program Files\Online Services\PeoplePC\Utilities\AtlBrowser.exe

[DETECTION] Contains recognition pattern of the DIAL/90112 dialer

[NOTE] The file was moved to '4be0a6b1.qua'!

C:\WINDOWS\Downloaded Program Files\gdnUS250.exe

[DETECTION] Is the TR/Dldr.Small.ayl.0 Trojan

[NOTE] The file was moved to '4be2a6a1.qua'!

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS250.exe

[DETECTION] Is the TR/Dldr.Small.ayl.0 Trojan

[NOTE] The file was moved to '4a9dc9a2.qua'!

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnUS250.exe

[DETECTION] Is the TR/Small.Crypted.Gen Trojan

[NOTE] The file was moved to '4cb8c9d2.qua'!

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gdnUS250.exe

[DETECTION] Is the TR/Small.Crypted.Gen Trojan

[NOTE] The file was moved to '4cbc2832.qua'!

C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gdnUS250.exe

[DETECTION] Is the TR/Small.Crypted.Gen Trojan

[NOTE] The file was moved to '4cbd30fa.qua'!

End of the scan: Thursday, February 11, 2010 18:52

Used time: 1:18:48 Hour(s)

The scan has been done completely.

14168 Scanned directories

840253 Files were scanned

19 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

19 Files were moved to quarantine

0 Files were renamed

14 Files cannot be scanned

840220 Files not concerned

15669 Archives were scanned

18 Warnings

21 Notes

65085 Objects were scanned with rootkit scan

0 Hidden objects were found

defogger_disable by jpshortstuff (29.01.10.1)

Log created at 19:15 on 11/02/2010 (rock star!!!!!!!!!!!)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS (Ver_09-12-01.01) - NTFSx86

Run by rock star!!!!!!!!!!! at 19:28:03.57 on Thu 02/11/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.69 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\hphmon06.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe

C:\Program Files\Lexmark 5200 series\lxbtbmon.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\PhoTags Express\Photags AutoDetect.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\rock star!!!!!!!!!!!\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://eqash.net/fr/?id=us27

mSearchAssistant = hxxp://www.google.com/ie

BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\compan~1\installs\cpn\ycomp5_5_7_0.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll

TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\ycomp5_5_7_0.dll

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [sunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe

mRun: [HPHmon06] c:\windows\system32\hphmon06.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [VTTimer] VTTimer.exe

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [DSS] c:\windows\bbstore\dss\DSSAGENT.EXE

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe

mRun: [rock] rock.exe

mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"

mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [ultimate Defender] "c:\program files\ultimate defender\App.exe" hide

mRun: [sDR6_Check] "c:\program files\common files\drivecleaner 2006 free\udcsdr.exe"

mRun: [PAS_Check] "c:\program files\common files\drivecleaner 2006 free\udcpas.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photag~1.lnk - c:\program files\photags express\Photags AutoDetect.exe

IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?09a25232a3cc4dd0ab1d833e4971d942

IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?09a25232a3cc4dd0ab1d833e4971d942

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265159937671

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab

DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab47946.cab

DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.34/ttinst.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-11 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-11 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-11 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-11 55656]

R3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2006-6-4 45568]

R3 PxHelper;PxHelper;c:\windows\system32\drivers\PxHelper.sys [2006-4-28 15776]

S1 vspf;vspf;\??\c:\windows\system32\drivers\vspf5.sys --> c:\windows\system32\drivers\vspf5.sys [?]

S1 vspf_hk;vspf_hk;\??\c:\windows\system32\drivers\vspf_hk5.sys --> c:\windows\system32\drivers\vspf_hk5.sys [?]

=============== Created Last 30 ================

2010-02-12 01:15:11 0 ----a-w- c:\documents and settings\rock star!!!!!!!!!!!\defogger_reenable

2010-02-11 23:14:43 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-02-11 23:14:39 0 d-----w- c:\program files\Avira

2010-02-11 23:14:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-02-11 13:11:29 0 d-sh--w- c:\documents and settings\rock star!!!!!!!!!!!\PrivacIE

2010-02-11 13:10:55 0 d-sh--w- c:\documents and settings\rock star!!!!!!!!!!!\IETldCache

2010-02-10 21:28:05 0 dc-h--w- c:\windows\ie8

2010-02-09 15:52:42 0 d-----w- c:\windows\system32\NtmsData

2010-02-08 02:38:22 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-02-07 17:37:16 0 d-----w- c:\docume~1\rockst~1\applic~1\Malwarebytes

2010-02-03 22:33:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-03 22:33:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-03 22:33:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-02 21:21:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-02-02 20:32:39 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-02-02 20:32:24 0 d-----w- c:\program files\Hitman Pro 3.5

2010-02-02 20:32:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-02-02 17:53:47 917504 ----a-w- c:\windows\system32\FLASH.OCX

2010-02-02 15:50:28 119296 --sha-r- c:\windows\system32\cfgbkendy.dll

2010-02-01 02:26:16 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2010-02-01 02:26:16 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2010-01-21 23:28:08 0 d-----w- c:\program files\iPod

2010-01-21 23:27:44 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-12-18 16:34:39 0 ----a-w- c:\docume~1\rockst~1\applic~1\wklnhst.dat

============= FINISH: 19:28:32.42 ===============

Attach.zip

Link to post
Share on other sites

Given the lax security on this system and the cheer number of malwares, there's no way this present system can be considered safe. Given this system was without antivirus protection for a very-very-long time, and given the 100's of malwares found, the only safe and sane thing to do is a clean (new) Windows Install:

Before you do that, make sure you have at hand the Windows XP CD and also, a fresh new copy of your antivirus that is downloaded from a clean pc and saved on transportable-media (CD-DVD or clean thumb drive).

When you are at point of re-installing o.s., I'd recommend you have the pc disconnected from internet until after the o.s. is installed, plus the antivirus is fully setup and running.

See Windows XP Clean Installation - Partitioning and Formatting using Windows XP CD by Ramesh Srinivasan, MS-MVP & AumHa VSOP

Also Clean Install Windows by Michael Stevens, MS-MVP

I would urge you to follow the directions very carefully.

You will loose your documents so if you have some to save, offload them to a separate offline media. And later on insure you do a full scan of them by running your antivirus.

See Malware Removal: When to Flatten and Reinstall

I'm closing this thread.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.