
Worried that I may be infected


LL_4


Hi, over the weekend I noticed our non-admin account was running slowly, startup was taking forever, and the My Documents folder opens at startup (two of them, actually). I ran some scans; MBAM found nothing at first, but on Monday it found 5 things. After removing them it hasn't found anything since, but I'm still getting the My Documents folders opening at startup.

I was going to post this problem in the PC Help center, but yesterday my husband was doing some banking and one of the sites told him that it didn't recognise our cp, that we were signing in from a different cp, and he had to answer some security questions. That made us nervous, wondering if we have a virus or a hacker.

It's only in the one account that I'm having this problem; my admin account seems to be fine. So I'm just wondering if I have a virus, or if I just have a cp issue and should post my questions there. Thanks for your help. :)

My HijackThis log is below:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:23:34 AM, on 9/1/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061019

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061019

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\RunOnce: [shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/bmx-freestyle/en/"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab

O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab

O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - http://cnn-5.vo.llnwd.net/c1/static/cab_he...pWebUpdater.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--

End of file - 7610 bytes

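A first pass over a HijackThis log like the one above is mostly structural: which O23 services point at a binary that no longer exists, which hosts are allowed to push ActiveX CABs into IE (O16), which autostarts (O4) run from somewhere other than Program Files or the Windows tree, and which DLLs get loaded into winlogon.exe via the Winlogon Notify key (O20). The script below is an added example that is not part of this thread and is not Trend Micro's code; SAMPLE_LOG is a hand-picked subset of the lines posted above, and SYSTEM_DIRS is an assumption about where legitimate autostarts live on this particular XP machine.

```python
"""Triage a HijackThis v2 log by section prefix.

Added example, not from the forum post or from Trend Micro's HijackThis.
SAMPLE_LOG is a subset of the lines posted above; SYSTEM_DIRS is an
assumption to be tuned per machine.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: O4, O16, O20 and O23 lines copied from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\RunOnce: [shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103472
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
"""

# Assumption: on this box every legitimate autostart image lives under one of these.
SYSTEM_DIRS = ("c:\\program files\\", "c:\\windows\\")

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O23: "Service: <display name> (<short name>) - <owner> - <image path>[ (file missing)]"
SERVICE_RE = re.compile(r"^Service: (.*?)(?: \(([^()]+)\))? - (.*?) - (.*)$")
# O16: "DPF: {CLSID} (<name>) - <url>"
DPF_RE = re.compile(r"^DPF: \{[^}]+\}(?: \([^)]*\))? - (\S+)$")
# O4: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")
# First executable-looking token of a command line, quoted or not (unquoted paths may contain spaces).
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)


def parse_hjt(text):
    """Split an HJT log into (section, body) pairs; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply the structural checks a responder makes on the first read of an HJT log."""
    findings = {
        "missing_services": [],         # O23 entries whose binary is gone (orphan, or removed malware)
        "dpf_hosts": [],                # O16 hosts permitted to deliver ActiveX CABs to IE
        "run_outside_system_dirs": [],  # O4 autostarts whose image is not under SYSTEM_DIRS
        "winlogon_notify": [],          # O20 DLLs loaded into winlogon.exe at logon
    }
    for section, body in entries:
        if section == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group(4).endswith("(file missing)"):
                findings["missing_services"].append(m.group(2) or m.group(1))
        elif section == "O16":
            m = DPF_RE.match(body)
            if m:
                host = urlsplit(m.group(1)).hostname
                if host and host not in findings["dpf_hosts"]:
                    findings["dpf_hosts"].append(host)
        elif section == "O4":
            m = RUN_RE.match(body)
            img = IMAGE_RE.match(m.group(4)) if m else None
            if img and not img.group(1).lower().startswith(SYSTEM_DIRS):
                findings["run_outside_system_dirs"].append((m.group(3), img.group(1)))
        elif section == "O20":
            m = NOTIFY_RE.match(body)
            if m:
                findings["winlogon_notify"].append(m.group(2))
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample the two "(file missing)" services (ACDaemon, gusvc) are surfaced for a decision, not as a verdict: an uninstalled product leaves exactly the same trace as a removed dropper. The O20 hit is listed because anything in Winlogon Notify runs inside winlogon.exe, which is why both legitimate security tools and malware use it; the ComboFix output later in this thread confirms SASWINLO.DLL is loaded there.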

Hi MrC! Thanks for the welcome. You guys have helped me out before, so this is my go-to place if I have a problem, which I haven't had till now; I'm very glad you're here. It's been a crazy day here, so I was only now able to finish the scans and get them to you.

Here is the DeFogger disable log. I never saw an error message, but I just realized it never prompted me to reboot the system after running it. I'm not sure if I needed to do that before doing everything else? I was also wondering if I did them right: I ran everything in my admin account, which is what I usually do when I'm updating anything or scanning, but I wasn't sure if I needed to be in the account where I was having the problems?

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 14:38 on 01/09/2010 (Leisenring)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS log below, and I also attached the zip files for the Attach.txt and ark.txt logs.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Leisenring at 20:45:31.17 on Wed 09/01/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.32 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\dllhost.exe

C:\Documents and Settings\Leisenring\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061019

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/bmx-freestyle/en/"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://qtinstall.info.apple.com/qtactivex/QTPlugin.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab

DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1238779678143&h=6296b983ce9cf52ecc7e97c67f8599f0/&filename=jinstall-6u13-windows-i586-jc.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://cnn-5.vo.llnwd.net/c1/static/cab_headless/GameTapWebUpdater.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-21 11608]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-21 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-21 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-21 60936]

S3 phc700;USB PC Camera (phc700);c:\windows\system32\drivers\phc700.sys --> c:\windows\system32\drivers\phc700.sys [?]

=============== Created Last 30 ================

2010-09-01 18:38:37 0 ----a-w- c:\documents and settings\leisenring\defogger_reenable

2010-08-03 17:19:03 56112 ---ha-w- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll

2010-06-24 21:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll

2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll

2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll

2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll

2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll

2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll

2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll

2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll

2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll

2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys

2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe

2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys

2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll

2006-11-20 11:30:35 88 -csh--r- c:\windows\system32\0DF0F232A0.sys

2006-11-20 11:30:39 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys

2008-09-04 10:59:12 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 20:46:44.10 ===============

Thanks for your help! ;)

Lora

ark.zip

Attach.zip


Please do this:

Download ComboFix from one of these locations:

Link 1

Link 2

ComboFix Guide

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit. More info HERE
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

5. Give it at least 20-30 minutes to finish if needed.

MrC


Thanks! Here is the log from ComboFix.

ComboFix 10-09-01.04 - Leisenring 09/02/2010 8:26.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.103 [GMT -4:00]

Running from: c:\documents and settings\Leisenring\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\family account\Local Settings\Application Data\{83A6E955-B9D9-4E91-B6A1-5F7C8FA5C3D4}

c:\documents and settings\family account\Local Settings\Application Data\{83A6E955-B9D9-4E91-B6A1-5F7C8FA5C3D4}\chrome.manifest

c:\documents and settings\family account\Local Settings\Application Data\{83A6E955-B9D9-4E91-B6A1-5F7C8FA5C3D4}\chrome\content\_cfg.js

c:\documents and settings\family account\Local Settings\Application Data\{83A6E955-B9D9-4E91-B6A1-5F7C8FA5C3D4}\chrome\content\overlay.xul

c:\documents and settings\family account\Local Settings\Application Data\{83A6E955-B9D9-4E91-B6A1-5F7C8FA5C3D4}\install.rdf

c:\documents and settings\family account\Local Settings\Application Data\gntitoca.dll

c:\documents and settings\family account\Local Settings\Application Data\ifewojiyer.dll

c:\windows\g32.txt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NDISRD

((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))

.

2010-08-03 14:58 . 2010-08-31 13:06 63488 ----a-w- c:\documents and settings\Leisenring\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-08-03 14:58 . 2010-08-03 14:58 52224 ----a-w- c:\documents and settings\Leisenring\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-08-03 14:58 . 2010-08-31 13:05 117760 ----a-w- c:\documents and settings\Leisenring\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-02 12:18 . 2009-02-21 17:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-09-01 17:10 . 2010-05-24 12:30 120 ----a-w- c:\documents and settings\family account\Local Settings\Application Data\Scetecux.dat

2010-09-01 10:53 . 2010-05-24 12:30 0 ----a-w- c:\documents and settings\family account\Local Settings\Application Data\Mfaxesod.bin

2010-09-01 02:03 . 2010-04-17 21:51 50 ----a-w- c:\documents and settings\family account\jagex__preferences3.dat

2010-09-01 02:03 . 2010-04-17 21:49 46 ----a-w- c:\documents and settings\family account\jagex_runescape_preferences.dat

2010-09-01 02:03 . 2010-04-17 21:51 99 ----a-w- c:\documents and settings\family account\jagex_runescape_preferences2.dat

2010-09-01 00:15 . 2009-03-04 12:45 3400 ----a-w- c:\documents and settings\family account\Application Data\wklnhst.dat

2010-08-29 18:11 . 2009-02-21 12:30 -------- d-----w- c:\program files\SpywareBlaster

2010-08-29 12:04 . 2009-04-03 12:46 117760 ----a-w- c:\documents and settings\family account\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-08-29 03:59 . 2010-08-29 03:59 24 ----a-w- c:\documents and settings\family account\Application Data\hngmfc.dat

2010-08-27 11:57 . 2009-02-23 13:33 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-08-07 20:00 . 2010-05-01 17:20 -------- d-----w- c:\documents and settings\family account\Application Data\gtk-2.0

2010-08-03 20:02 . 2009-08-08 16:50 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-08-03 20:01 . 2009-08-08 16:50 -------- d-----w- c:\program files\ArcSoft

2010-08-03 20:01 . 2006-10-19 08:11 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-03 19:29 . 2009-08-08 16:51 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll

2010-08-03 17:19 . 2010-08-03 17:19 56112 ---ha-w- c:\windows\system32\mlfcache.dat

2010-08-03 14:56 . 2009-02-23 13:33 -------- d-----w- c:\documents and settings\Leisenring\Application Data\SUPERAntiSpyware.com

2010-08-03 10:29 . 2010-03-28 16:29 -------- d-----w- c:\documents and settings\family account\Application Data\Apple Computer

2010-08-01 14:37 . 2010-08-01 14:37 0 ----a-w- c:\windows\nsreg.dat

2010-06-30 12:31 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-25 13:20 . 2010-06-25 13:20 137 ----a-w- c:\documents and settings\family account\Local Settings\Application Data\fusioncache.dat

2010-06-24 12:22 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-10 17:51 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2004-08-10 17:51 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-10 17:51 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-10 17:51 1172480 ----a-w- c:\windows\system32\msxml3.dll

2006-11-20 11:30 . 2006-11-20 11:28 88 -csh--r- c:\windows\system32\0DF0F232A0.sys

2006-11-20 11:30 . 2006-11-20 11:28 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-11 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-27 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

S3 phc700;USB PC Camera (phc700);c:\windows\system32\DRIVERS\phc700.sys --> c:\windows\system32\DRIVERS\phc700.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://m.www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://cnn-5.vo.llnwd.net/c1/static/cab_headless/GameTapWebUpdater.cab

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-02 08:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\l3codeca.acm

- - - - - - - > 'explorer.exe'(2404)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\sched.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-09-02 08:55:43 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-02 12:55

Pre-Run: 35,862,990,848 bytes free

Post-Run: 37,194,182,656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 65A2E3A1399E9134D5A6FCC812E80707


OK, please do this:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

DDS::

uInternet Settings,ProxyOverride = *.local

Driver::

0DF0F232A0

File::

c:\windows\system32\0DF0F232A0.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


Ok, here's the log: ;)

ComboFix 10-09-01.04 - Leisenring 09/02/2010 9:41.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.113 [GMT -4:00]

Running from: c:\documents and settings\Leisenring\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Leisenring\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\windows\system32\0DF0F232A0.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\0DF0F232A0.sys

.

((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))

.

2010-08-03 17:19 . 2010-08-03 17:19 56112 ---ha-w- c:\windows\system32\mlfcache.dat

2010-08-03 14:58 . 2010-08-31 13:06 63488 ----a-w- c:\documents and settings\Leisenring\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-08-03 14:58 . 2010-08-03 14:58 52224 ----a-w- c:\documents and settings\Leisenring\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-08-03 14:58 . 2010-08-31 13:05 117760 ----a-w- c:\documents and settings\Leisenring\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-02 13:34 . 2009-02-21 17:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-09-01 17:10 . 2010-05-24 12:30 120 ----a-w- c:\documents and settings\family account\Local Settings\Application Data\Scetecux.dat

2010-09-01 10:53 . 2010-05-24 12:30 0 ----a-w- c:\documents and settings\family account\Local Settings\Application Data\Mfaxesod.bin

2010-09-01 02:03 . 2010-04-17 21:51 50 ----a-w- c:\documents and settings\family account\jagex__preferences3.dat

2010-09-01 02:03 . 2010-04-17 21:49 46 ----a-w- c:\documents and settings\family account\jagex_runescape_preferences.dat

2010-09-01 02:03 . 2010-04-17 21:51 99 ----a-w- c:\documents and settings\family account\jagex_runescape_preferences2.dat

2010-09-01 00:15 . 2009-03-04 12:45 3400 ----a-w- c:\documents and settings\family account\Application Data\wklnhst.dat

2010-08-29 18:11 . 2009-02-21 12:30 -------- d-----w- c:\program files\SpywareBlaster

2010-08-29 12:04 . 2009-04-03 12:46 117760 ----a-w- c:\documents and settings\family account\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-08-29 03:59 . 2010-08-29 03:59 24 ----a-w- c:\documents and settings\family account\Application Data\hngmfc.dat

2010-08-27 11:57 . 2009-02-23 13:33 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-08-07 20:00 . 2010-05-01 17:20 -------- d-----w- c:\documents and settings\family account\Application Data\gtk-2.0

2010-08-03 20:02 . 2009-08-08 16:50 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-08-03 20:01 . 2009-08-08 16:50 -------- d-----w- c:\program files\ArcSoft

2010-08-03 20:01 . 2006-10-19 08:11 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-03 19:29 . 2009-08-08 16:51 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll

2010-08-03 14:56 . 2009-02-23 13:33 -------- d-----w- c:\documents and settings\Leisenring\Application Data\SUPERAntiSpyware.com

2010-08-03 10:29 . 2010-03-28 16:29 -------- d-----w- c:\documents and settings\family account\Application Data\Apple Computer

2010-08-01 14:37 . 2010-08-01 14:37 0 ----a-w- c:\windows\nsreg.dat

2010-06-30 12:31 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-25 13:20 . 2010-06-25 13:20 137 ----a-w- c:\documents and settings\family account\Local Settings\Application Data\fusioncache.dat

2010-06-24 12:22 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-10 17:51 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2004-08-10 17:51 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-10 17:51 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-10 17:51 1172480 ----a-w- c:\windows\system32\msxml3.dll

2006-11-20 11:30 . 2006-11-20 11:28 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-11 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-27 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/21/2009 1:14 PM 135336]

S3 phc700;USB PC Camera (phc700);c:\windows\system32\DRIVERS\phc700.sys --> c:\windows\system32\DRIVERS\phc700.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://m.www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://cnn-5.vo.llnwd.net/c1/static/cab_headless/GameTapWebUpdater.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-02 09:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\l3codeca.acm

.

Completion time: 2010-09-02 09:58:58

ComboFix-quarantined-files.txt 2010-09-02 13:58

ComboFix2.txt 2010-09-02 12:55

Pre-Run: 37,216,243,712 bytes free

Post-Run: 37,174,022,144 bytes free

- - End Of File - - 6731E9B418C08CDCA2A0B8AC67EE662F


I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

MrC


Good afternoon! The scan just finished and found 7 threats. Here is the txt file of them.

C:\Documents and Settings\family account\My Documents\New Folder\SetupPlaySushi.exe a variant of Win32/Adware.Gamevance.AK application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\family account\Local Settings\Application Data\gntitoca.dll.vir a variant of Win32/Cimag.DH trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\family account\Local Settings\Application Data\ifewojiyer.dll.vir a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\family account\Local Settings\Application Data\{83A6E955-B9D9-4E91-B6A1-5F7C8FA5C3D4}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP465\A0103434.exe a variant of Win32/Adware.Gamevance.AK application cleaned by deleting - quarantined

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP537\A0118308.dll a variant of Win32/Cimag.DH trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP537\A0118309.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined

I wasn't sure if you also wanted the log file from the scan. So I'm including that as well, just in case. ;)

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=990ef0f7287dce4ea0d873718602964e

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-09-02 04:39:26

# local_time=2010-09-02 12:39:26 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 39594419 39594419 0 0

# compatibility_mode=768 16777215 100 0 106392627 106392627 0 0

# compatibility_mode=1797 16775125 100 100 0 57388761 0 0

# compatibility_mode=4864 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=73601

# found=7

# cleaned=7

# scan_time=6570

C:\Documents and Settings\family account\My Documents\New Folder\SetupPlaySushi.exe a variant of Win32/Adware.Gamevance.AK application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\family account\Local Settings\Application Data\gntitoca.dll.vir a variant of Win32/Cimag.DH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\family account\Local Settings\Application Data\ifewojiyer.dll.vir a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\family account\Local Settings\Application Data\{83A6E955-B9D9-4E91-B6A1-5F7C8FA5C3D4}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP465\A0103434.exe a variant of Win32/Adware.Gamevance.AK application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP537\A0118308.dll a variant of Win32/Cimag.DH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP537\A0118309.dll a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


It's running better. Thank you! I logged into the family account, and it started fine. The Avira icon is back but it hasn't been updated since the 1st, and the My Documents folder didn't open. ;)

The only thing I got was 3 RUNDLL error boxes at start up that said 'The specified module could not be found'.

Here are the files in the boxes.

C:\DOCUMENT~1\FAMILY~1\LOCALS~1\Temp\routsink.dll

C:\Documents and settings\Family account\Local settings\Application Data\gntitoca.dll

C:\Documents and settings\Family account\Local settings\Application Data\ifewojiyer.dll

Did I have a virus? And if so is there anything else I can do to keep my cp safe?

Thank you again for all your help!


Those are left-over registry entries.

Please do this:

Download TFC to your desktop; it will clean out all the temp files on your system.

Open the file and close any other windows.

It will close all programs itself when run, make sure to let it run uninterrupted.

Click the Start button to begin the process. The program should not take long to finish its job.

Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

------------------

Next....

Scan for malware:

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Quick Scan", then click Scan.

Note: -->Do not run a full scan with MBAM. It is not required or needed.

The scan may take some time to finish, so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy & paste the entire report in your next reply along with a fresh HJT log.

Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

--------------------------------------------------

Reboot and see how it is.

If you still get the startup message.........

Download and unzip Registry Search from the link below:

http://www.xs4all.nl/~fstaal01/regsearch-us.html

Open up Registry Search and where it says Enter Search String

Enter routsink.dll in the first line

gntitoca.dll in the second line

ifewojiyer.dll in the third line

Now click OK

Post back the log it creates, MrC


I'm still getting the start up message, so I'll try the registry search you posted.

Below are the logs for MBAM scan, and HJT.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4535

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/3/2010 9:38:34 AM

mbam-log-2010-09-03 (09-38-34).txt

Scan type: Quick scan

Objects scanned: 149534

Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:59:47 AM, on 9/3/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061019

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/bmx-freestyle/en/"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab

O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - http://cnn-5.vo.llnwd.net/c1/static/cab_he...pWebUpdater.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--

End of file - 7506 bytes


That's strange, see if this works:

Download and unzip Autoruns for Windows v10.02 to a folder.

http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

Start the program by double clicking on autoruns.exe

Click on each tab and carefully look for any of these:

routsink.dll

gntitoca.dll

ifewojiyer.dll

NDISRD <----- this may be listed as a driver (NDISRD.sys) or a service

Let me know, MrC


Ok, I ran Autoruns and found the first three, not the last one, and they all said file not found. I copied and pasted the info I saw below:

These 3 were found under the login tab:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Bzagis File not found: C:\Documents and Settings\family account\Local Settings\Application Data\gntitoca.dll

extrinst File not found: C:\DOCUME~1\FAMILY~1\LOCALS~1\Temp\routsink.dll

Lxekasoqegepazop File not found: C:\Documents and Settings\family account\Local Settings\Application Data\ifewojiyer.dll

I do have a question. I just realized I downloaded and ran the Autoruns program in my family account, not the admin account, and it all downloaded fine, but I thought that in a non-admin account I shouldn't be able to download things, right? I'll run it again in my admin account to see if I find that last file.

Thanks for all your help! ;)


OK, you don't have to look any more for that one.

Just copy this in your run box and hit OK (Start > Run)

regedit /e c:\output.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

It will produce a .txt file in "C" called output.txt, copy and post it back here

MrC

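The Autoruns findings in the previous post and the regedit /e export asked for above describe the same condition: HKCU Run values that still point at DLLs the scanners have already removed, which is exactly what produces the RUNDLL "specified module could not be found" boxes at logon. The following is an added example, not code from this thread or from any of the tools it mentions. It parses a regedit /e export offline and reports every autostart whose module no longer exists on disk. The embedded export is constructed: the thread only shows Autoruns' rendering of the three bad entries, so the rundll32 "path,EntryPoint" form of their data is an assumption, as is the exact command line of each legitimate entry. SAMPLE_PRESENT is a made-up view of the disk so the demo runs without Windows; on the affected machine you would pass the real export path instead and the real file system is checked.

```python
import os, re, sys
from typing import Callable, Dict, List, Tuple

# Constructed sample of what `regedit /e` writes for the HKCU Run key. The real
# file is UTF-16LE with a BOM; the data here is invented, not copied from anyone's PC.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe\""
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Bzagis"="rundll32.exe \"C:\\Documents and Settings\\family account\\Local Settings\\Application Data\\gntitoca.dll\",Startup"
"extrinst"="rundll32.exe C:\\DOCUME~1\\FAMILY~1\\LOCALS~1\\Temp\\routsink.dll,Run"
"Lxekasoqegepazop"="rundll32.exe \"C:\\Documents and Settings\\family account\\Local Settings\\Application Data\\ifewojiyer.dll\",Startup"
'''

# Constructed view of the disk for the offline demo: only the legitimate modules "exist".
SAMPLE_PRESENT = {p.lower() for p in (
    r'C:\Program Files\Dell Support\DSAgnt.exe',
    r'C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe',
    r'C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe',
    r'C:\WINDOWS\system32\ctfmon.exe',
)}

def sample_exists(path: str) -> bool:
    return path.lower() in SAMPLE_PRESENT

# One REG_SZ line: "name"="data", with \\ and \" escapes inside both strings.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# rundll32 may appear bare, with .exe, quoted, or with a full path in front of it.
RUNDLL_RE = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.I)

def unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """{key: {value_name: data}} for REG_SZ values; hex/binary values and their continuation lines are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys

def resolve_unquoted(s: str, exists: Callable[[str], bool]) -> str:
    """Unquoted path with spaces: like CreateProcess, take the first existing prefix, else the first .exe/.dll prefix."""
    parts = s.split(' ')
    prefixes = [' '.join(parts[:i]) for i in range(1, len(parts) + 1)]
    for cand in prefixes:
        if exists(cand):
            return cand
    for cand in prefixes:
        if cand.lower().endswith(('.exe', '.dll')):
            return cand
    return prefixes[0]

def target_module(command: str, exists: Callable[[str], bool]) -> str:
    """The file a Run entry really loads: the DLL argument for rundll32, otherwise the executable at the head."""
    m = RUNDLL_RE.match(command)
    arg = m.group(1).strip() if m else command.strip()
    if arg.startswith('"'):
        end = arg.find('"', 1)
        return arg[1:end] if end > 0 else arg[1:]
    if m:  # unquoted DLL: drop the ",EntryPoint" suffix before resolving
        return resolve_unquoted(arg.split(',', 1)[0], exists)
    return resolve_unquoted(arg, exists)

def find_orphans(keys: Dict[str, Dict[str, str]], exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str, str]]:
    """(key, value_name, module) for each autostart whose module is missing: the source of the RUNDLL boxes at logon."""
    orphans = []
    for key, values in keys.items():
        for name, command in values.items():
            module = target_module(command, exists)
            if module and not exists(module):
                orphans.append((key, name, module))
    return orphans

def load_export(path: str) -> str:
    # regedit /e writes UTF-16LE with a BOM; the utf-16 codec consumes the BOM.
    with open(path, encoding='utf-16') as f:
        return f.read()

if __name__ == '__main__':
    if len(sys.argv) > 1:   # real export: check against the real file system
        report = find_orphans(parse_reg_export(load_export(sys.argv[1])))
    else:                   # no argument: run the constructed sample offline
        report = find_orphans(parse_reg_export(SAMPLE_EXPORT), sample_exists)
    for key, name, module in report:
        print(f'{key}\\{name} -> module not found: {module}')
```

Run it as `python orphans.py c:\output.txt` on the exported file, or with no argument to see the three constructed entries reported. An unquoted command line with spaces is deliberately resolved the way CreateProcess does it, first existing prefix wins; that is the same ambiguity behind unquoted-path hijacking, so an entry that only resolves by falling back to the .exe/.dll prefix is itself worth a look even when the file is present.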

It works on my XP machine????

OK, just do this then.

Use Autoruns and uncheck the box in front of these:

Bzagis File not found: C:\Documents and Settings\family account\Local Settings\Application Data\gntitoca.dll

extrinst File not found: C:\DOCUME~1\FAMILY~1\LOCALS~1\Temp\routsink.dll

Lxekasoqegepazop File not found: C:\Documents and Settings\family account\Local Settings\Application Data\ifewojiyer.dll

Reboot and see if the message is gone. MrC


I don't know why it didn't work, I even double checked it.

But the second way worked, so that's good. It restarted without any problems. ;)

So does this mean I'm clean and can delete the programs I downloaded? And is there any way to tell how I got infected, or how to help prevent it again?

Thank you again for all your help!


OK, you can go back to Autoruns and find those entries, right click on them and choose delete.

That will delete them from the registry.

--------------------------------------

Uninstall ComboFix:

Go to Start > Run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

------------------------------

Please do this:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


OK, here is the log from the Security Check:

Results of screen317's Security Check version 0.99.5

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 13

Out of date Java installed!

Adobe Flash Player

Adobe Reader 7.0.9

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

````````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````


I do have a question. I just realized I downloaded and ran the Autoruns program in my family account, not the admin account, and it all downloaded fine, but I thought that in a non-admin account I shouldn't be able to download things, right?

I'm not sure on the answer to this, you might want to ask in this part of the forum:

http://forums.malwarebytes.org/index.php?showforum=6

---------------------------

I'm not sure how you got infected; all we can do is make sure you're protected now.

I see you only have the Windows firewall installed.

I suggest you install a better one.

The choice is up to you, but I recommend and use PC Tools Firewall Plus.
