Jump to content

Help: joke-bluescreen.c

heri623

By heri623
in Resolved Malware Removal Logs

 Share

Recommended Posts

heri623

heri623

Posted
Posted

I'm not sure if this is where i should be posting this but here is the malwarebytes log, I am in the process of doing a panda scan and i will post that as soon as it is done a well as the hijackthis log

Malwarebytes' Anti-Malware 1.24

Database version: 1038

Windows 5.1.2600 Service Pack 2

7:24:15 PM 8/10/2008

mbam-log-8-10-2008 (19-24-15).txt

Scan type: Quick Scan

Objects scanned: 46263

Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 5

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcg7fj0e17v (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\lphcg7fj0e17v.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\phcg7fj0e17v.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Link to post
Share on other sites
heri623

heri623

Posted
  • Author
Posted

Here is the Panda Scan

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-08-10 20:55:39

PROTECTIONS: 3

MALWARE: 17

SUSPECTS: 3

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

Windows Defender 1.1.3807.0 No Yes

McAfee Internet Security Suite 2007 8.1 No No

McAfee VirusScan Plus 12.1 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00003428 adware/memorywatcher Adware No 0 Yes No hkey_classes_root\vbrad.trayicon

00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader.1

00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt

00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ccbill[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@com[1].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@toplist[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@serving-sys[3].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt

00171633 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@www5.addfreestats[2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@go[1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@target[2].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt

00416446 Generic Application HackTools No 0 Yes No C:\Program Files\BearShare\Installer\BSInstall5.2.5.1(1).exe

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location V

;===============================================================================

================================================================================

=

===================

No C:\QooBox\Quarantine\C\WINDOWS\system32\lphcg7fj0e17v.exe.vir V

No C:\RECYCLER\S-1-5-21-515967899-1935655697-725345543-1003\Dc8.exe V

No C:\WINDOWS\system32\hwxudoxe.exe V

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description V

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

Link to post
Share on other sites
heri623

heri623

Posted
  • Author
Posted

and finally here is the hiJack file

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:56:36 PM, on 8/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Documents and Settings\All Users\Application Data\onefopun\wtqzgfkh.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Common Files\AOL\1136153273\ee\AOLSoftware.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

C:\Program Files\ATI Multimedia\main\ATISched.EXE

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe

C:\WINDOWS\system32\khynidaj.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Google\Google Updater\GoogleUpdater.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\palorila.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136153273\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"

O4 - HKLM\..\Run: [lphcg7fj0e17v] C:\WINDOWS\system32\lphcg7fj0e17v.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe

O4 - HKCU\..\Run: [winadmmsg] C:\WINDOWS\system32\khynidaj.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [utilenstr] C:\WINDOWS\system32\tkzcjoro.exe

O4 - HKCU\..\Run: [webensrv] C:\WINDOWS\system32\kfutsxgr.exe

O4 - HKCU\..\Run: [setCfg] C:\WINDOWS\system32\ididolar.exe

O4 - HKCU\..\Run: [ChkMonCmd] C:\WINDOWS\system32\formvspo.exe

O4 - HKCU\..\Run: [CfgProcApl] C:\WINDOWS\system32\pazwzoxa.exe

O4 - HKCU\..\Run: [hlpproc] C:\WINDOWS\system32\oluxkdcv.exe

O4 - HKCU\..\Run: [winsmartdsc] C:\WINDOWS\system32\ihytgjqv.exe

O4 - HKCU\..\Run: [utilSet] C:\WINDOWS\system32\rabyxufs.exe

O4 - HKLM\..\Policies\Explorer\Run: [HzW7Ju4jVl] C:\Documents and Settings\All Users\Application Data\onefopun\wtqzgfkh.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.com/plugin/awarewebplay...cab/awswaxf.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135141670968

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O21 - SSODL: uicomen - {0D3FEAC3-CD96-F7CD-7835-01865F6101D6} - C:\Program Files\yqwhhpc\uicomen.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--

End of file - 15418 bytes

Link to post
Share on other sites
JeanInMontana

JeanInMontana

Posted
Posted

OK, sorry for the delay in reply, I took a day off and then had work. Be sure you have enabled the view hidden files option.

Please set your system to show

all files; Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Now please find these files and Please upload the files to and post the results in your next reply. We will make sure it is malware this way.

C:\Documents and Settings\All Users\Application Data\onefopun\wtqzgfkh.exe <==== Any idea what this is? It gets 0 hits on Google, that is very rare.

C:\Program Files\yqwhhpc\uicomen.dll <========== And this.

C:\WINDOWS\system32\khynidaj.exe

C:\WINDOWS\system32\palorila.exe

C:\WINDOWS\system32\tkzcjoro.exe

C:\WINDOWS\system32\kfutsxgr.exe

C:\WINDOWS\system32\ididolar.exe

C:\WINDOWS\system32\formvspo.exe

C:\WINDOWS\system32\pazwzoxa.exe

C:\WINDOWS\system32\oluxkdcv.exe

C:\WINDOWS\system32\ihytgjqv.exe

C:\WINDOWS\system32\rabyxufs.exe

Please upload these files to here . This will ensure they get tested and if malware get added to the data base for future removals.

Uninstall the DAP download accelerator it's adware and there are others that are not.

Now run HJT again in scan only and put a check next to the following and then click fix.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm <======= You have two instances in your log mark both.

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Reboot

Update your Adobe reader it's a known unsafe version.

It's crucial you get those files listed scanned and uploaded to determine for sure they are malware. I'm fairly certain they are.

Update MBAM and run a quick scan. Post that log and a new HJT log.

Link to post
Share on other sites
JeanInMontana

JeanInMontana

Posted
Posted

Since this topic has had no reply for over 5 days it will be closed to prevent other from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic.\n\n

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.