Jump to content

recently infected comp


Recommended Posts

Hello, my comp has recently been infected and I've tried several different ways to get rid of it. I have the MBAM log, the panda active scan log, and the Hijack This log. Hope someone can help me.

Malwarebytes' Anti-Malware 1.17

Database version: 864

7:00:23 PM 6/17/2008

mbam-log-6-17-2008 (19-00-23).txt

Scan type: Quick Scan

Objects scanned: 56548

Time elapsed: 11 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-06-17 23:08:50

PROTECTIONS: 1

MALWARE: 27

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

AVG Anti-Virus Free 8.0 Yes Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@trafficmp[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[.atdmt.com/]

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\libill\Application Data\Mozilla\Firefox\Profiles\3kseioz7.default\cookies.txt[.atdmt.com/]

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@247realmedia[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@tribalfusion[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[.tribalfusion.com/]

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Application Data\Mozilla\Firefox\Profiles\kcgw6zzy.default\cookies.txt[.tribalfusion.com/]

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[.tribalfusion.com/]

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[.tribalfusion.com/]

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[.tribalfusion.com/]

00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@ccbill[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\libill\Application Data\Mozilla\Firefox\Profiles\3kseioz7.default\cookies.txt[.com.com/]

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[.com.com/]

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Application Data\Mozilla\Firefox\Profiles\kcgw6zzy.default\cookies.txt[.com.com/]

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@xiti[1].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@azjmp[2].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Application Data\Mozilla\Firefox\Profiles\kcgw6zzy.default\cookies.txt[.azjmp.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@ad.yieldmanager[2].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Application Data\Mozilla\Firefox\Profiles\kcgw6zzy.default\cookies.txt[www.burstbeacon.com/]

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qxpi9uhx.default\cookies.txt[server.iad.liveperson.net/]

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[server.iad.liveperson.net/hc/19452074]

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[server.iad.liveperson.net/]

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qxpi9uhx.default\cookies.txt[server.iad.liveperson.net/hc/61298727]

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qxpi9uhx.default\cookies.txt[server.iad.liveperson.net/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@advertising[3].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@advertising[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@ads.pointroll[2].txt

00170550 Cookie/Humanclick TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@hc2.humanclick[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@realmedia[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@questionmarket[3].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@questionmarket[1].txt

00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@bravenet[1].txt

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@adultfriendfinder[1].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Application Data\Mozilla\Firefox\Profiles\kcgw6zzy.default\cookies.txt[.did-it.com/]

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Application Data\Mozilla\Firefox\Profiles\kcgw6zzy.default\cookies.txt[.did-it.com/]

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[.did-it.com/]

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[.did-it.com/]

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo_2\Application Data\Mozilla\Firefox\Profiles\9gv09upo.default\cookies.txt[.did-it.com/]

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Application Data\Mozilla\Firefox\Profiles\kcgw6zzy.default\cookies.txt[.did-it.com/]

00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_network_monitor

00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_cmdservice

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Application Data\Mozilla\Firefox\Profiles\kcgw6zzy.default\cookies.txt[.atwola.com/]

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Local Settings\Temp\Cookies\ryo@atwola[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@atwola[2].txt

00296582 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@www.drivecleaner[2].txt

00296582 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Local Settings\Temp\Cookies\ryo@www.drivecleaner[2].txt

00296583 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Local Settings\Temp\Cookies\ryo@stats.drivecleaner[2].txt

00296584 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@drivecleaner[2].txt

00296584 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Local Settings\Temp\Cookies\ryo@drivecleaner[2].txt

00303898 Dialer.HQY Dialers No 0 Yes No C:\i386\ntagent.web

00303898 Dialer.HQY Dialers No 0 Yes No C:\i386\Rpcnet.dll

00303898 Dialer.HQY Dialers No 0 Yes No C:\i386\Rpcnet.exe

00303898 Dialer.HQY Dialers No 0 Yes No C:\WINDOWS\system32\ntagent.web

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Ryo\Cookies\ryo@adserver.easyad[1].txt

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location C

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description C

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:05:07 PM, on 6/17/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Documents and Settings\Ryo_2\My Documents\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\conime.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\AIM6\aim6.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\WINDOWS\SYSTEM32\Rpcnet.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {19F5B2A7-7760-461A-BBCF-4C6C8577E330} - C:\WINDOWS\system32\ddcBTMgd.dll (file missing)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Ryo_2\MYDOCU~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: {c08d7fb9-ce87-e1e9-e7e4-a3a60696485c} - {c5846960-6a3a-4e7e-9e1e-78ec9bf7d80c} - C:\WINDOWS\system32\kovuxptx.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Movies Extractor Scout - {C1ADE8AE-BD07-40DD-82EA-BD01406CA617} - C:\Program Files\Movies Extractor Scout\flashextract.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Ryo_2\MYDOCU~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Ryo_2\MYDOCU~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.gomyhit.com (HKLM)

O15 - Trusted Zone: *.imageservr.com (HKLM)

O15 - Trusted Zone: *.imagesrvr.com (HKLM)

O15 - Trusted Zone: *.storageguardsoft.com (HKLM)

O15 - ESC Trusted Zone: http://*.update.microsoft.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170267702531

O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - http://www.lojackforlaptops.com/ctmweb/testoc.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://register.resnet.stonybrook.edu/CAT/CNICAT.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab55708.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL, C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL, C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL, C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL, C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL, C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Documents and Settings\Ryo_2\My Documents\aawservice.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: DataSvr2 - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\SYSTEM32\Rpcnet.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 11572 bytes

Link to post
Share on other sites

Make sure you can http://*.update.microsoft.com

The service below aawservice is legitimate but should not be running from the "My Documents' folder. You may have to reinstall the application if you still use it:

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Documents and Settings\Ryo_2\My Documents\aawservice.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Now please close all open windows except for the hijackthis application's window (that includes this browser window), then click the Fix Checked button.

Reboot the computer into Safe mode. Once in safe mode and logged on as "Administrator" please continue with the instructions below:

Locate and delete the following files/folders indicated in Bold text:

C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll

C:\WINDOWS\system32\kovuxptx.dll

C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll

C:\Documents and Settings\Ryo_2\My Documents\aawservice.exe

Reboot back to your normal windows user mode. Please perform this online scan: F-Secure Online Scanner Next Generation Beta

1. Click on the link "F-Secure Online Scanner Next Generation Beta".

2. You may receive an alert on the address bar at this point to install the ActiveX control.

3. Click on that alert and then Click Insall ActiveX component.

4. Read the license agreement and click "Accept".

5.Click "Custom Scan" and be sure the following are checked:

  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Scan inside archives
  • Use advanced heuristics

6. When the scan completes, click the "I want to decide item by item" button.

7. For each item found, Select "Disinfect" and click "Next".

8. When done, click the "Show Report" button, then copy and paste the entire report into your next reply along with a fresh HijackThis log. Also, please advise how your system is behaving now. Thanks

Link to post
Share on other sites

Scanning Report

Wednesday, June 18, 2008 14:13:59 - 17:16:13

Computer name: KURURU

Scanning type: Scan system for malware, rootkits

Target: C:\

Result: 2 malware found

W32/Malware (virus)

* C:\WINDOWS\system32\ctmweb.exe (Submitted)

* C:\i386\ctmweb.exe (Submitted)

Statistics

Scanned:

* Files: 460291

* System: 3898

* Not scanned: 300

Actions:

* Disinfected: 0

* Renamed: 0

* Deleted: 0

* None: 2

* Submitted: 2

Files not scanned:

* `(φIBERFIL.SYS C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\BIOS1.ROM

* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS

* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD8349.SYS

* C:\WINDOWS\SYSTEM32\DRIVERS\VAXSCSI.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG

* C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG

* C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB

* C:\WINDOWS\PCHEALTH\ERRORREP\USERDUMPS\WINLOGON.EXE.20080418-034452-00.HDMP

* C:\PROGRAM FILES\PCSX2_0.9.4\BIOS\PS2 BIOS 30004R V6 PAL.NVM

* C:\PROGRAM FILES\PCSX2_0.9.4\BIOS\SCPH10000.NVM

* C:\PROGRAM FILES\PCSX2_0.9.4\BIOS\SCPH39001.NVM

* C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\DATA\MASTER.MDF

* C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\DATA\MASTLOG.LDF

* C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\DATA\MODEL.MDF

* C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\DATA\MODELLOG.LDF

* C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\DATA\MSDBDATA.MDF

* C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\DATA\MSDBLOG.LDF

* C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\DATA\TEMPDB.MDF

* C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\DATA\TEMPLOG.LDF

* C:\I386\BIOS1.ROM

* C:\DOCUMENTS AND SETTINGS\RYO_2\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9GV09UPO.DEFAULT\CACHE\_CACHE_001_

* C:\DOCUMENTS AND SETTINGS\RYO_2\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9GV09UPO.DEFAULT\CACHE\_CACHE_002_

* C:\DOCUMENTS AND SETTINGS\RYO_2\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9GV09UPO.DEFAULT\CACHE\_CACHE_003_

* C:\DOCUMENTS AND SETTINGS\RYO\NTUSER.DAT

* C:\DOCUMENTS AND SETTINGS\RYO\NTUSER.DAT.LOG

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161873976177.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161874676363.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875105532.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875136968.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875168439.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875199893.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875231494.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875263107.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875295900.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875327660.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875359018.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875390669.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875422164.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_Polyna.zip\1161875453572.jpg

* C:\Documents and Settings\Ryo\My Documents\My Games\Oblivion\Osaka\Polina_-_P:\Z

Options

Scanning engines:

* F-Secure USS: 2.30.0

* F-Secure Hydra: 2.8.8110, 2008-06-18

* F-Secure AVP: 7.0.171, 2008-06-18

* F-Secure Pegasus: 1.20.0, 2008-04-14

* F-Secure Blacklight: 1.0.68

Scanning options:

* Scan all files

* Scan inside archives

* Use Advanced heuristics

Copyright

Link to post
Share on other sites

Delete the .reg file on your Desktop. You should return to the instructions regarding "showing hidden files" and reverse them to re-hide those files.

Now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check the 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean) Click "Create" and reboot your computer.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?

  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than ) one of these types of third party firewalls running on board:

Kerio Personal Firewall

Zone Alarm

Outpost Free

Comodo

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download "Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:

Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?

Regards, and Happy Surfing!

Link to post
Share on other sites

  • 2 weeks later...

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.