Windows Update goes to MSN &

My Windows Update goes to MSN and I cannot get to the Update page even if I manually type the address in. I've run and deleted the files Malware finds, but they come back. I've booted in safe mode and run it as well, and disabled restore before doing so, and the same files reappear and Windows Update never works.---HELP

MBAM Log-

Malwarebytes' Anti-Malware 1.30

Database version: 1334

Windows 5.1.2600 Service Pack 3

10/29/2008 8:04:12 AM

mbam-log-2008-10-29 (08-04-00).txt

Scan type: Full Scan (C:\|L:\|)

Objects scanned: 190674

Time elapsed: 6 hour(s), 40 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f515b4d4-df87-4744-a05d-59ecebf4ab6b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f515b4d4-df87-4744-a05d-59ecebf4ab6b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f515b4d4-df87-4744-a05d-59ecebf4ab6b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Panda Scan

;*******************************************************************************

ANALYSIS: 2008-10-30 06:52:26

PROTECTIONS: 1

MALWARE: 33

SUSPECTS: 2

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

CA Anti-Virus 9.0.0.174 No Yes

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@trafficmp[1].txt

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@trafficmp[2].txt

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@trafficmp[1].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@casalemedia[1].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@casalemedia[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Local Settings\Temp\Cookies\debbie@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Scott\Cookies\scott@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@doubleclick[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Local Settings\Temp\Cookies\debbie@atdmt[2].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@247realmedia[1].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@fastclick[1].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@fastclick[1].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@fastclick[1].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@fastclick[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@tribalfusion[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@tribalfusion[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@tribalfusion[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@mediaplex[2].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@mediaplex[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Scott\Cookies\scott@statcounter[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@statcounter[1].txt

00168048 Cookie/Overture TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@perf.overture[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Local Settings\Temp\Cookies\debbie@ad.yieldmanager[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@ad.yieldmanager[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@ad.yieldmanager[2].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@burstnet[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@serving-sys[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@serving-sys[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@bs.serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@bs.serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@bs.serving-sys[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@advertising[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Local Settings\Temp\Cookies\debbie@advertising[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@advertising[1].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@adrevolver[3].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@statse.webtrendslive[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@ads.pointroll[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@ads.pointroll[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@ads.pointroll[1].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@overture[2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@realmedia[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@realmedia[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@questionmarket[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@questionmarket[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@questionmarket[2].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@zedo[2].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@zedo[1].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Local Settings\Temp\Cookies\debbie@zedo[1].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@zedo[2].txt

00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@bluestreak[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@adrevolver[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@adrevolver[1].txt

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@adultfriendfinder[1].txt

00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@valueclick[2].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Debbie\Cookies\debbie@atwola[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Scott\Cookies\scott@atwola[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@atwola[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Scott\Cookies\scott@atwola[1].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No L:\Debbie's Stuff\Debbie's stuf 9-5-07\Documents and Settings\Cookies\debbie@ads.addynamix[2].txt

00959234 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.1.0.037\npwthost.dll

01048936 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll

01240432 Adware/MyWay Adware No 0 No No C:\WINDOWS\Downloaded Installations\{6936DB8E-F8FF-4007-B646-0CBD4AB654B1}\AquaSupreme.msi[unk_0064][myBarSp.exe]

01313177 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\WildTangent\Components\wtPropertyBag0200.dll

03982751 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.2.0.007\npwthost.dll

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

No C:\Program Files\NoAdware5.0\nutils.dll

No C:\Program Files\NoAdware5.0\nutils.dll

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

;===============================================================================

HijackThis Scan-

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:54:41 AM, on 10/30/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NoAdware5.0\NoAdware5.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\AOL\1137212081\ee\aolsoftware.exe

C:\Program Files\America Online 9.0\waol.exe

C:\Program Files\America Online 9.0\shellmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NoAdware5] "C:\Program Files\NoAdware5.0\NoAdware5.exe" :Min:

O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O24 - Desktop Component 0: Privacy Protection - (no file)

--

End of file - 7130 bytes
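The six Registry Data Items in the MBAM log above are easier to read as a group, so here is an added Python triage helper (not part of the thread or of Malwarebytes) that parses those exact lines and groups the resolver addresses by the ControlSet and interface key they sit under, and flags the entries that were left at "No action taken". It assumes only the `key\value (detection) -> Data: ... -> action.` layout visible in this log; note that DhcpNameServer holds the resolvers the DHCP client received, which is worth keeping in mind when the same values return after cleanup.

```python
"""Triage helper for the "Registry Data Items Infected" block of a Malwarebytes log.

Added example for this thread; not part of the thread or of Malwarebytes. It parses
the six Trojan.DNSChanger lines quoted above and groups the resolver addresses by
the ControlSet and interface key they were found under.
"""
import re
from collections import defaultdict

# The six entries, verbatim from the MBAM log posted above.
MBAM_LINES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f515b4d4-df87-4744-a05d-59ecebf4ab6b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f515b4d4-df87-4744-a05d-59ecebf4ab6b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f515b4d4-df87-4744-a05d-59ecebf4ab6b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146 85.255.112.19 1.2.3.4 -> No action taken.",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_entry(line):
    """Split one registry-data line into its fields.

    Layout assumed from the log: <key>\\<value> (<detection>) -> Data: <data> -> <action>.
    """
    head, sep, rest = line.partition(" -> Data: ")
    if not sep:
        raise ValueError("not a registry data entry: %r" % line)
    data, _, action = rest.rpartition(" -> ")
    path, _, detection = head.rpartition(" (")
    key, _, value = path.rpartition("\\")
    parts = key.split("\\")
    # HKEY_LOCAL_MACHINE\SYSTEM\<ControlSet>\Services\Tcpip\Parameters[\Interfaces\{GUID}]
    control_set = parts[2] if len(parts) > 2 else ""
    interface = parts[-1] if "Interfaces" in parts else "(global)"
    return {
        "key": key,
        "value": value,
        "control_set": control_set,
        "interface": interface,
        "detection": detection.rstrip(")"),
        "data": data.split(),
        "action": action.rstrip("."),
    }


def summarize(lines):
    """Group resolver addresses by location and list entries MBAM did not remediate."""
    entries = [parse_entry(l) for l in lines if " -> Data: " in l]
    locations = defaultdict(set)  # resolver IP -> {"ControlSet001/(global)", ...}
    for e in entries:
        where = "%s/%s" % (e["control_set"], e["interface"])
        for token in e["data"]:
            if IPV4_RE.match(token):
                locations[token].add(where)
    control_sets = sorted({e["control_set"] for e in entries})
    unremediated = [e["key"] + "\\" + e["value"]
                    for e in entries if e["action"].startswith("No action taken")]
    # CurrentControlSet is a link to one of the numbered sets, so a resolver present
    # in every set also survives a boot into the other (LastKnownGood) configuration.
    everywhere = [ip for ip, where in locations.items()
                  if {w.split("/")[0] for w in where} >= set(control_sets)]
    return {
        "resolvers": {ip: sorted(where) for ip, where in locations.items()},
        "control_sets": control_sets,
        "unremediated": unremediated,
        "in_every_control_set": everywhere,
    }


def report(lines):
    """Render the summary as text; returned rather than printed so it can be checked."""
    s = summarize(lines)
    out = ["Rogue resolvers and where they were found:"]
    for ip in sorted(s["resolvers"]):
        out.append("  %-16s %s" % (ip, ", ".join(s["resolvers"][ip])))
    out.append("ControlSets affected: %s" % ", ".join(s["control_sets"]))
    out.append("Entries left with 'No action taken': %d" % len(s["unremediated"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(MBAM_LINES))
```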


Hello and welcome to the forums!

I'm Odd dude, pleased to meet you; if it helps, you can call me OD :). I will be helping you with your infection. However, it is important to take note of ten things - quite the wall of text, I know, but please bear with me:

  • Logs from malware removal programs (HijackThis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  • Please carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Only YOU must use these instructions; they are not suitable for any other computer with similar problems.
  • Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is to make sure that your antivirus definitions are up-to-date!
  • If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  • In Windows Vista, all tools need to be started by right clicking and selecting Run as administrator!
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you were to do the same. From this point, we're in this together :)
  • As I am still in training at the Malware Removal University, anything I do must be checked by an experienced malware fighter. This means there might be a slight delay in my answers.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

I am now analyzing your situation and hope to be back with you soon. While I am reviewing your situation, could you please do the following for me:

Make an Uninstall List

I need you to create an uninstall list so I can further analyze your situation.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place.

Hi again Fire926

SmitfraudFix

Download SmitfraudFix, save it to your desktop, and run it.

Select option 1 - Search by typing 1 and then pressing Enter. The tool will then begin to scan your computer. When it finishes, it creates a log in the root of your drive with the name Rapport.txt. This report is accessible by clicking Start > Run, then entering the following and pressing Enter:

\rapport.txt

Please post the contents of rapport.txt in your next reply.

Blacklight

Download F-Secure Blacklight to the root of your drive (usually C:\).

  • Click Start > Run and copy & paste the following:
    \fsbl /expert
  • Then click OK
  • Click I accept the agreement, then Scan to start the scan
  • After the scan has finished, EXIT Blacklight. Do not choose to rename any items, because legitimate items might be present!
  • Post the fsbl-xxxxxxx.log logfile that was made (can be found in the same directory as Blacklight). xxxxxxx are numbers representing the current date.

Please post back:

- Smitfraudfix log

- Blacklight log

- New HijackThis log

- Uninstall list I asked for in my previous post

- How is the PC running now?


Hi again Fire926,

There are some programs that must be uninstalled. I have provided a clarification where suitable.

To uninstall a program: Click Start > Control Panel > Add/Remove programs. Select the program to be uninstalled and click Remove.

The following are related to malware and should be uninstalled:

Full Tilt Poker

Paltalk

WONplay

The following was until recently listed as a rogue product:

NoAdware 5.0

The following I do not recognize - if you don't recognize it either you should uninstall it:

petty_43_01 Screen Saver

The following is a risk to use - the registry is very tolerant of orphans and the risk of accidentally breaking something is high:

Registry Mechanic 6.0

The following is considered a 'gray area'-item; it is not technically spyware but can be considered unwanted. If you don't use it, uninstall it:

WildTangent Web Driver

The following are outdated and are now a security risk, so please uninstall:

J2SE Runtime Environment 5.0 Update 2

J2SE Runtime Environment 5.0 Update 4

J2SE Runtime Environment 5.0 Update 6

Java 2 Runtime Environment, SE v1.4.2_06

The following item is an optional removal, but recommended, as it can bring malware along if you don't use it carefully:

K-litePro 3.0.0.0

OK, next start HijackThis, put a check next to these and click Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKCU\..\Run: [NoAdware5] "C:\Program Files\NoAdware5.0\NoAdware5.exe" :Min:

O24 - Desktop Component 0: Privacy Protection - (no file)

Copy/paste this to notepad:

chdir "%Userprofile%\Desktop"
dir /l/a/b "C:\Program Files\">ODPostThis.txt
del %0

Save it to your desktop as "ODCheckIt.bat", please include the quotes. Double click the file. A black box will open, and a notepad file will be created on your desktop.

The file that was created on your desktop is something I would like to see in your next post.

Also, please do the following:

Delete hijacked DNS settings using SmitfraudFix

  • Start SmitfraudFix and select option 5
  • If a DNS hijack has been found, choose Yes
  • When finished, notepad will open with rapport.txt, please post that file in your next reply

Reset hijacked DNS settings

  • Open the Control Panel by clicking Start > Control Panel
  • If you're using category view, click Network and Internet Connections. (If you're not using category view, skip this step)
  • Click Network Connections
  • Right click your default connection
  • Click Properties
  • Click the Networking tab
  • Double click Internet Protocol (TCP/IP)
  • Click the radio button next to Obtain DNS servers automatically
  • Press OK twice
  • Reboot if asked

After performing all that, please download the latest version of Sun Java from here. The site is a bit confusing; this is what you should do:

  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 10.
  • Click the Download button to the right.
  • Choose the correct Platform and Multi-language. Also, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
  • Now, click Continue.
  • Click on the filename under Windows Offline Installation and save it to your desktop.
  • Now, close all other windows. Including Internet Explorer.
  • You can now install Java by double-clicking the executable you just downloaded.

In your next post, please post

- rapport.txt

- ODPostThis.txt (that file is located on your desktop)

- new HijackThis log

- new uninstall list

- how are things running?


Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
