ryanjo34
new user
Reg'd: Thu
Posts: 8
Hello,
My antivirus (AVG Free) found Trojan KillAV.KR. I have a feeling there may be more. Both Firefox and IE7 act strange: neither browser will work with any search engine site. My Microsoft Update service was disabled (I fixed this; it's enabled now and updated). My background was changed, and my screen saver was changed to bugs crawling up the screen... LOL.
Thanks for your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:34 AM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Kelly\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BM3f4799d8] Rundll32.exe "C:\WINDOWS\system32\jpfvxsbg.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: wvUnMDWN - wvUnMDWN.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)

--
End of file - 8904 bytes
ourwilly
HijackThis Helper
Reg'd: Sun
Posts: 2826
Loc: England.
Hello ryanjo34,
You have a few issues here, but before we can use HijackThis you must place it into its own folder. If we ever need to restore any item, this folder will safely store all entries and enable us to use the "Back-up" feature that HijackThis offers.
To create a new folder named HijackThis on the C: drive:
Open My Computer (Windows key + E), then double-click on Local Disk (C:). Once open, right-click and select New > Folder and name the folder as you wish (e.g. HijackThis). Please now move HijackThis.exe into the new folder.
Click on Start > Run, type in services.msc and click "OK".
In the Services window, look for Windows Action Script.
Select/highlight and right-click the entry, and choose Properties. On the General tab, under Service Status, click the Stop button. Beside Startup Type, in the drop-down menu, select Disabled. Click "Apply", then "OK".
Then please visit this webpage for instructions on downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
When the tool is finished, it will produce a report for you. Please post C:\ComboFix.txt along with a new HijackThis log.
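The log in the first post and the service-disabling steps above can both be handled mechanically. The following is an added example (my own code, not HijackThis, ComboFix or the helper's), which scores a few HijackThis lines copied from the first post for the three things a responder would jump on here: an O23 service whose binary name imitates a Windows core binary (scvhost.exe vs svchost.exe), an orphaned O20 Winlogon Notify package, and an O4 entry that uses Rundll32 to load a randomly named DLL from system32. For each flagged service it prints the `sc.exe` equivalent of the services.msc "Stop" and "Startup type: Disabled" steps. The system-binary list, the edit-distance threshold, the vowel-count randomness heuristic, and the assumption that HijackThis shows the service key name in trailing parentheses only when it differs from the display name are all this example's own assumptions.

```python
"""Triage a HijackThis v2 log for the red flags visible in this thread.

Added example, not HijackThis code. SAMPLE_LOG is a handful of lines copied
from the first post; the scoring rules, the system-binary list and the
randomness heuristic are this example's own assumptions.
"""
import re

# Core Windows XP binaries that malware imitates by name (assumed list).
SYSTEM_BINARIES = (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe", "wuauclt.exe",
)

# Constructed sample: a subset of the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM3f4799d8] Rundll32.exe "C:\WINDOWS\system32\jpfvxsbg.dll",s
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: wvUnMDWN - wvUnMDWN.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)
"""

HJT_ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUNDLL = re.compile(r'Rundll32\.exe\s+"?([^",]+\.dll)', re.IGNORECASE)


def levenshtein(a, b):
    """Plain edit distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """System binary that `filename` imitates (1-2 edits away), else None."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((s for s in SYSTEM_BINARIES if levenshtein(name, s) <= 2), None)


def parse_service(body):
    """'Service: Display (key) - Owner - Path [(file missing)]' -> dict."""
    display, owner, path = [p.strip() for p in body[len("Service:"):].split(" - ", 2)]
    m = re.search(r"\(([^()]+)\)$", display)  # assumed: '(key)' shown only when key != display
    key = m.group(1) if m else display
    return {
        "display": display, "key": key, "owner": owner,
        "exe": path.replace("(file missing)", "").strip().split("\\")[-1],
        "missing": path.endswith("(file missing)"),
    }


def looks_random(stem):
    """Assumed heuristic: 8 lowercase letters with at most one vowel ('jpfvxsbg')."""
    return bool(re.fullmatch(r"[a-z]{8}", stem)) and sum(c in "aeiou" for c in stem) <= 1


def triage(log_text):
    """Return (code, subject, reason) tuples for suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "O23" and body.startswith("Service:"):
            svc = parse_service(body)
            legit = lookalike_of(svc["exe"])
            if legit:
                findings.append((code, svc["key"], f"{svc['exe']} imitates {legit}"))
            elif svc["owner"] == "Unknown owner" and svc["missing"]:
                findings.append((code, svc["key"], "unknown owner, binary missing"))
        elif code == "O20" and body.startswith("Winlogon Notify:") and "(file missing)" in body:
            package = body.split(":", 1)[1].split(" - ")[0].strip()
            findings.append((code, package, "orphaned Winlogon Notify package"))
        elif code == "O4":
            r = RUNDLL.search(body)
            if r and looks_random(r.group(1).split("\\")[-1][:-4].lower()):
                findings.append((code, r.group(1), "Rundll32 loading randomly named DLL"))
    return findings


def remediation(findings):
    """sc.exe equivalents of the services.msc 'Stop' and 'Startup type: Disabled' steps."""
    cmds = []
    for code, subject, _reason in findings:
        if code == "O23":
            cmds.append(f'sc stop "{subject}"')
            cmds.append(f'sc config "{subject}" start= disabled')  # sc requires the space after start=
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for code, subject, reason in found:
        print(f"{code}: {subject}: {reason}")
    print("\n".join(remediation(found)))
```

The `sc` commands need an elevated prompt and take the service key name, which is why the parser separates it from the display name; for "Windows Action Script" the two are the same. Note that the legitimate AVG entries in the sample (avgtray.exe, avgrsstx.dll, avgwdsvc.exe) pass through without a finding.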
ryanjo34
new user
Reg'd: Thu
Posts: 8
OK, here are both the ComboFix and HijackThis logs.
I hope I did this right.
Thank you.
ComboFix 08-05-21.3 - Robbie 2008-05-23 22:45:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.226 [GMT -6:00]
Running from: C:\Documents and Settings\Robbie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robbie\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\ymante~1
C:\Program Files\Svconr
C:\WINDOWS\BM3f4799d8.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\hosts
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtqnmKA.dll
C:\WINDOWS\system32\awtrSlih.dll
C:\WINDOWS\system32\bheixdkt.ini
C:\WINDOWS\system32\bnbcricg.ini
C:\WINDOWS\system32\bngbvabk.ini
C:\WINDOWS\system32\broqtraw.dll
C:\WINDOWS\system32\bxddnnvk.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\ctalgyve.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\efcYsron.dll
C:\WINDOWS\SYSTEM32\exduusuf.ini
C:\WINDOWS\system32\fccaXNFU.dll
C:\WINDOWS\SYSTEM32\fffgNXyb.ini
C:\WINDOWS\SYSTEM32\fffgNXyb.ini2
C:\WINDOWS\system32\fqnwwvkr.exe
C:\WINDOWS\system32\gvuwuluf.exe
C:\WINDOWS\system32\hfoektql.dll
C:\WINDOWS\system32\hjiafhgb.ini
C:\WINDOWS\system32\hxgxgtot.dll
C:\WINDOWS\system32\idycfngx.exe
C:\WINDOWS\SYSTEM32\iujmmdra.ini
C:\WINDOWS\SYSTEM32\ixusblmf.ini
C:\WINDOWS\system32\jpfvxsbg.dll
C:\WINDOWS\SYSTEM32\jQqYbccf.ini
C:\WINDOWS\system32\kanvhagp.dll
C:\WINDOWS\SYSTEM32\keiuagmf.ini
C:\WINDOWS\system32\kgvmnwqo.ini
C:\WINDOWS\system32\khfGvuTN.dll
C:\WINDOWS\system32\kngttgow.dll
C:\WINDOWS\SYSTEM32\knoqBJjl.ini
C:\WINDOWS\SYSTEM32\knoqBJjl.ini2
C:\WINDOWS\system32\kukisywe.dll
C:\WINDOWS\system32\ljJdcyaY.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhbwwndm.dll
C:\WINDOWS\system32\mrwmlukm.exe
C:\WINDOWS\system32\nhskxsxx.ini
C:\WINDOWS\SYSTEM32\norsYcfe.ini
C:\WINDOWS\SYSTEM32\norsYcfe.ini2
C:\WINDOWS\SYSTEM32\NTuvGfhk.ini
C:\WINDOWS\SYSTEM32\NTuvGfhk.ini2
C:\WINDOWS\system32\ofplwktt.dll
C:\WINDOWS\SYSTEM32\oqruvGgh.ini
C:\WINDOWS\SYSTEM32\oqruvGgh.ini2
C:\WINDOWS\system32\oqwnmvgk.dll
C:\WINDOWS\system32\pmnoNHXQ.dll
C:\WINDOWS\system32\pVFeNXyb.ini
C:\WINDOWS\SYSTEM32\pVFeNXyb.ini2
C:\WINDOWS\system32\qkbwkgcg.exe
C:\WINDOWS\system32\rgfhlhrj.ini
C:\WINDOWS\system32\rgorpqfb.dll
C:\WINDOWS\system32\rjddtuwt.dll
C:\WINDOWS\SYSTEM32\srvavpxv.ini
C:\WINDOWS\system32\svliuauq.dll
C:\WINDOWS\system32\tlvoemoo.exe
C:\WINDOWS\system32\urqQkifG.dll
C:\WINDOWS\system32\utiyhnah.exe
C:\WINDOWS\system32\VCbJRXbc.ini
C:\WINDOWS\SYSTEM32\VCbJRXbc.ini2
C:\WINDOWS\system32\vcyhxaeq.dll
C:\WINDOWS\system32\vjrbugqq.ini
C:\WINDOWS\system32\wpgyowtg.ini
C:\WINDOWS\SYSTEM32\wvxxIRqr.ini
C:\WINDOWS\SYSTEM32\wvxxIRqr.ini2
C:\WINDOWS\system32\xakagwle.dll
C:\WINDOWS\SYSTEM32\XHRrCfii.ini
C:\WINDOWS\SYSTEM32\XHRrCfii.ini2
C:\WINDOWS\system32\yayaXOEx.dll
C:\WINDOWS\SYSTEM32\yuiratuy.ini
C:\WINDOWS\wintst32.tmp
C:\WINDOWS\ystem3~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_MSSECURITY1.209.4
-------\Service_clbdriver
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-23 13:43 . 2008-05-23 13:57 <DIR> d-------- C:\HijackThis
2008-05-21 22:46 . 2008-03-01 07:06 6,066,176 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-05-21 22:46 . 2007-04-17 03:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-05-21 22:46 . 2007-03-07 23:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-05-21 22:46 . 2008-03-01 07:06 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-05-21 22:46 . 2008-03-01 07:06 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-05-21 22:46 . 2008-03-01 07:06 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-05-21 22:46 . 2008-03-01 07:06 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-05-21 22:46 . 2008-03-01 07:06 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-05-21 22:46 . 2008-02-22 04:00 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-05-21 21:55 . 2008-05-21 21:56 <DIR> d-------- C:\Program Files\CCleaner
2008-05-21 21:20 . 2008-05-23 22:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 19:43 . 2007-03-29 06:56 409,600 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\qmgr.dll
2008-05-21 19:43 . 2007-03-29 06:56 18,944 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\qmgrprxy.dll
2008-05-21 19:43 . 2007-03-29 06:56 8,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx2.dll
2008-05-21 19:43 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx4.dll
2008-05-21 19:43 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx3.dll
2008-05-21 19:43 . 2007-03-29 06:56 7,168 --a------ C:\WINDOWS\SYSTEM32\bitsprx4.dll
2008-05-21 18:51 . 2008-05-21 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-21 18:28 . 2008-05-21 18:28 <DIR> d-------- C:\VundoFix Backups
2008-05-21 16:00 . 2004-08-05 09:04 <DIR> d-------- C:\Documents and Settings\Administrator.DORNBUSH\Application Data\Symantec
2008-05-21 16:00 . 2004-08-05 09:02 <DIR> d-------- C:\Documents and Settings\Administrator.DORNBUSH\Application Data\Sonic
2008-05-21 16:00 . 2004-08-05 09:03 <DIR> d-------- C:\Documents and Settings\Administrator.DORNBUSH\Application Data\Jasc Software Inc
2008-05-21 16:00 . 2008-05-21 16:00 <DIR> d-------- C:\Documents and Settings\Administrator.DORNBUSH
2008-05-21 13:52 . 2008-05-21 19:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 13:52 . 2008-05-21 19:15 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\SUPERAntiSpyware.com
2008-05-21 13:52 . 2008-05-21 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-21 09:20 . 2008-05-21 09:20 100,000 --a------ C:\WINDOWS\SYSTEM32\wyfeenhj.dll
2008-05-21 06:41 . 2008-05-21 06:41 100,000 --a------ C:\WINDOWS\SYSTEM32\vlcfjrbm.dll
2008-05-20 23:46 . 2008-05-23 21:45 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-20 23:41 . 2008-05-23 13:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-05-20 23:41 . 2008-05-20 23:41 <DIR> d-------- C:\Program Files\AVG
2008-05-20 23:41 . 2008-05-20 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-20 23:41 . 2008-05-20 23:41 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-05-20 23:41 . 2008-05-20 23:41 75,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-05-20 23:41 . 2008-05-20 23:41 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-05-20 23:28 . 2008-05-20 23:42 8,192 --a------ C:\Documents and Settings\Bob
2008-05-20 23:19 . 2008-05-23 22:49 4,014,112 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-05-20 23:19 . 2008-05-23 22:49 46,220 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-05-20 23:14 . 2008-05-20 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-20 23:14 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-05-20 23:14 . 2008-05-20 23:17 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-05-20 23:13 . 2008-05-20 23:13 <DIR> d-------- C:\Program Files\Zone Labs
2008-05-20 23:12 . 2008-05-23 22:18 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-20 22:34 . 2008-05-20 23:34 16,636 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hosts
2008-05-20 22:23 . 2008-05-20 23:19 <DIR> d-------- C:\Program Files\AXPDefender
2008-05-20 22:23 . 2008-05-20 22:23 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\AXPDefender
2008-05-20 22:16 . 2008-05-23 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 22:05 . 2008-05-20 22:05 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\Lavasoft
2008-05-20 21:57 . 2008-05-20 21:57 <DIR> d---s---- C:\Documents and Settings\Kelly\UserData
2008-05-19 20:50 . 2008-05-19 20:50 <DIR> d-------- C:\Documents and Settings\Robbie\Application Data\AXPDefender
2008-05-19 09:13 . 2008-05-18 21:13 160,256 --a------ C:\WINDOWS\SYSTEM32\28.tmp
2008-05-18 15:01 . 2008-05-18 15:01 164 --a------ C:\install.dat
2008-05-17 23:22 . 2008-05-20 21:22 160,256 --a------ C:\WINDOWS\SYSTEM32\blackster.scr
2008-05-17 23:22 . 2008-05-18 01:43 10,059 --a------ C:\startup.exe
2008-05-17 17:53 . 2008-05-17 17:53 <DIR> d-------- C:\Documents and Settings\Kelly\Contacts
2008-05-17 15:42 . 2008-05-17 15:42 <DIR> d-------- C:\Program Files\The Little App Factory
2008-05-17 15:28 . 2008-05-21 18:49 <DIR> dr-h----- C:\Documents and Settings\Kelly\Application Data\yahoo!
2008-05-17 15:19 . 2008-05-17 17:44 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\Apple Computer
2008-05-17 14:57 . 2008-05-17 15:14 <DIR> d--h----- C:\Documents and Settings\Kelly\Application Data\GTek
2008-05-17 14:54 . 2004-08-05 09:04 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\Symantec
2008-05-17 14:54 . 2004-08-05 09:02 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\Sonic
2008-05-17 14:54 . 2004-08-05 09:03 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\Jasc Software Inc
2008-05-17 14:54 . 2008-05-21 22:26 <DIR> d-------- C:\Documents and Settings\Kelly
2008-04-28 22:09 . 2008-04-28 22:09 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-04-28 21:07 . 2008-05-21 18:49 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-28 18:54 . 2008-04-28 18:55 <DIR> d-------- C:\Program Files\RcvSystem
2008-04-27 11:11 . 2002-08-29 04:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 04:05 --------- d-----w C:\Program Files\Yahoo!
2008-05-22 00:49 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-05-21 04:17 --------- d-----w C:\Program Files\Lavasoft
2008-04-28 04:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-23 00:04 --------- d-----w C:\Program Files\John Deere American Farmer
2008-04-19 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
1998-04-02 22:51 77,312 --sha-r C:\WINDOWS\ic.exe
1998-04-02 22:55 80,384 --sha-r C:\WINDOWS\icfire.exe
1997-07-23 17:03 11,338 -csha-r C:\WINDOWS\ts.dll
2005-02-01 03:34 32 -csha-w C:\WINDOWS\{3428C5EB-E2C4-4D21-9540-AC08C6B6A426}.dat
2005-02-01 03:34 32 -csha-w C:\WINDOWS\{36168E7F-889D-4096-9F09-6B5B8F053D01}.dat
2005-02-01 03:35 32 -csha-w C:\WINDOWS\{4C58F17D-90C4-4FBD-AAFD-65BEE7C000F4}.dat
2005-02-01 03:35 32 -csha-w C:\WINDOWS\{7F3F0BDF-1B9E-454C-A325-B06786DEBC2F}.dat
2005-02-01 03:35 32 -csha-w C:\WINDOWS\{94BDA1C0-AA82-498C-A673-E86D2FC51F35}.dat
2005-02-01 03:34 32 -csha-w C:\WINDOWS\{AFD3D1DD-313A-4171-B062-9AB425048A42}.dat
2005-02-01 03:35 32 --sha-w C:\WINDOWS\SYSTEM32\{0FF0D07F-8BD6-4BC1-AA77-FF7E7E0CAABC}.dat
2005-02-01 03:34 32 --sha-w C:\WINDOWS\SYSTEM32\{14EA3416-765B-46DD-B71D-0F22CA273181}.dat
2005-02-01 03:35 32 --sha-w C:\WINDOWS\SYSTEM32\{1F6B4FF7-22B6-4B48-B495-FDA7E0CABA42}.dat
2005-02-01 03:34 32 --sha-w C:\WINDOWS\SYSTEM32\{82AE451B-4167-44C4-A089-3B51123F6120}.dat
2005-02-01 03:35 32 --sha-w C:\WINDOWS\SYSTEM32\{989DA4A2-5E78-4D4F-9221-3962EF8999CE}.dat
2005-02-01 03:34 32 --sha-w C:\WINDOWS\SYSTEM32\{CB99ED97-D119-40E8-A494-709D1084512B}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 04:17 81920]
"WebCamRT.exe"="" []
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 23:44 126976]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43 53248]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 13:12 290816]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-05 09:00 26112]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15 290816]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14 270648]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-20 23:41 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnMDWN]
wvUnMDWN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-20 23:41]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-20 23:41]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-20 23:41]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-20 23:41]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 11:11]
S3 XIRLINK;IBM PC Camera;C:\WINDOWS\system32\DRIVERS\C-itnt.sys [2001-08-01 15:49]
S4 Windows Action Script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 21:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 22:52:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-05-23 22:59:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 04:59:33

Pre-Run: 51,115,417,600 bytes free
Post-Run: 51,352,621,056 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

298 --- E O F --- 2008-05-23 19:43:56
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:50 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: wvUnMDWN - wvUnMDWN.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
-- End of file - 7282 bytes
|
ourwilly
HijackThis Helper
Reg'd: Sun
Posts: 2826
Loc: England.
|
|
Hello ryanjo34
Thank you for doing that. Please copy and paste this 'Fix' into either Notepad or WordPad for future reference, as you will be required to close down your browser when following these steps.
1. Open HijackThis again, select "Do a System Scan only" and place a checkmark in the boxes before the following entries:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O20 - Winlogon Notify: wvUnMDWN - wvUnMDWN.dll (file missing)
Close all other open windows and click on Fix checked, then exit HijackThis.
2. Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
3. Please open Notepad - don't use any other text editor.
I would like you to now copy/paste the text in the quote box below into Notepad:
Quote:
File::
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\SYSTEM32\28.tmp
C:\WINDOWS\SYSTEM32\blackster.scr
C:\startup.exe

Driver::
Windows Action Script

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnMDWN]
Name the file CFScript and save it to your Desktop.
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
Run ComboFix again and post the resultant log along with a new HijackThis log and SDFix report
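The two entries ourwilly has the user fix are the ones a helper reads first in any HijackThis log: an entry whose target file no longer exists ("(no file)" / "(file missing)") and an O20 Winlogon Notify package, a location that loads a DLL into winlogon.exe at every logon. As an added example (not code from this thread or from HijackThis), the Python below re-splits a log that a forum post has flattened onto one line, as the logs in this thread were, and flags exactly those two kinds of entry. The section codes and marker strings are HijackThis's own; the sample input is constructed from entries posted above, and everything else is the example's.

```python
"""Triage a HijackThis log that a forum post has flattened onto one line.

Added example, not code from this thread or from HijackThis. It re-splits the
text into entries and flags the ones a helper reads first: orphaned references
("(no file)" / "(file missing)") and the O20-O22 loading points that get a DLL
into every process, into winlogon.exe or into the shell at logon.
"""
import re
from dataclasses import dataclass

# A HijackThis entry begins with its section code ("R0".."R3", "F0".."F3",
# "N1".."N4", "O1".."O24") followed by " - ". Both lookarounds are zero-width,
# so the split consumes nothing and each code stays attached to its entry.
ENTRY_START = re.compile(r"(?:^|(?<=\s))(?=(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - )")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# O20: AppInit_DLLs / Winlogon Notify; O21: ShellServiceObjectDelayLoad;
# O22: SharedTaskScheduler. All three run code without a visible program.
INJECTING_SECTIONS = {"O20", "O21", "O22"}


@dataclass
class Entry:
    kind: str  # section code, e.g. "O20"
    body: str  # text after "O20 - "


def split_entries(text: str) -> list:
    """Turn a flattened log (entries separated only by spaces) into Entry objects."""
    entries = []
    for chunk in ENTRY_START.split(text):
        chunk = chunk.strip()
        kind, sep, body = chunk.partition(" - ")
        if chunk and sep:  # skips any leading text before the first entry
            entries.append(Entry(kind, body))
    return entries


def triage(entries: list) -> list:
    """Return (entry, reasons) for every entry worth a closer look."""
    flagged = []
    for e in entries:
        reasons = []
        if e.body.endswith(ORPHAN_MARKERS):
            reasons.append("orphan: the registry points at a file that no longer exists")
        if e.kind in INJECTING_SECTIONS:
            reasons.append("injects into every process or winlogon; confirm it belongs to installed security software")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Constructed from entries posted in this thread, run together as the forum did.
SAMPLE = (
    "R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) "
    "O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\\WINDOWS\\system32\\dla\\tfswshx.dll "
    "O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe "
    "O20 - AppInit_DLLs: avgrsstx.dll "
    "O20 - Winlogon Notify: wvUnMDWN - wvUnMDWN.dll (file missing) "
    "O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe"
)

if __name__ == "__main__":
    for entry, reasons in triage(split_entries(SAMPLE)):
        print(f"{entry.kind} - {entry.body}")
        for r in reasons:
            print(f"    -> {r}")
```

On the sample this returns three entries: the orphaned R3 URLSearchHook, the AVG AppInit_DLLs entry (flagged for review only, since the script cannot know which security products are installed; that judgement stays with the helper), and the wvUnMDWN Winlogon Notify entry, which trips both rules. Orphans are harmless on their own (the MUSICMATCH O9 button in the log above is one and was left alone); what made the wvUnMDWN entry worth fixing is a randomly named DLL sitting in a Winlogon Notify slot.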
|
ryanjo34
new user
Reg'd: Thu
Posts: 8
|
|
OK, I went to Safe Mode and started SDFix and couldn't type Y in because my keyboard doesn't work in Safe Mode. Any ideas?
Thank you
|
ourwilly
HijackThis Helper
Reg'd: Sun
Posts: 2826
Loc: England.
|
|
Hello ryanjo34
Quote:
my keyboard doesn't work in safe mode
What type of connection is your keyboard? Do you have a spare keyboard with a different connection? http://www.computerhope.com/issues/ch000449.htm
If not, instead of the SDFix instructions, this should help clean things up a little:
Download MalwareBytes Anti-malware (MBAM) from one of the following links: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html http://www.besttechie.net/tools/mbam-setup.exe
Once downloaded, close all programs and windows on your computer (including this one). Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings, and when the program has finished installing, make sure you leave both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.
On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When the scan is finished a message box will appear saying that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. Click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then do a File, Save and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.
Please continue with the ComboFix script in step 3 and post the new log, the MBAM results and a new HijackThis log in your next reply.
|
ryanjo34
new user
Reg'd: Thu
Posts: 8
|
|
OK, I used a different keyboard and stuck to plan A. Everything seems to be working a lot better. Here are all three logs.
Thank you
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:26:31 AM, on 5/25/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
-- End of file - 7055 bytes
ComboFix 08-05-21.3 - Robbie 2008-05-25 7:10:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.196 [GMT -6:00]
Running from: C:\Documents and Settings\Robbie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robbie\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\startup.exe
C:\WINDOWS\SYSTEM32\28.tmp
C:\WINDOWS\SYSTEM32\blackster.scr
C:\WINDOWS\system32\scvhost.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\startup.exe
C:\WINDOWS\SYSTEM32\blackster.scr
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WINDOWS_ACTION_SCRIPT
-------\Service_Windows Action Script

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-25 07:03 . 2004-08-04 02:56 21,504 --a------ C:\WINDOWS\SYSTEM32\hidserv.dll
2008-05-25 07:03 . 2004-08-04 02:56 21,504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidserv.dll
2008-05-25 07:03 . 2004-08-04 00:58 14,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kbdhid.sys
2008-05-25 07:03 . 2004-08-04 00:58 14,848 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\kbdhid.sys
2008-05-25 06:41 . 2008-05-25 06:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-24 08:56 . 2008-05-25 07:05 <DIR> d-------- C:\SDFix
2008-05-23 13:43 . 2008-05-24 08:33 <DIR> d-------- C:\HijackThis
2008-05-21 22:46 . 2008-03-01 07:06 6,066,176 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-05-21 22:46 . 2007-04-17 03:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-05-21 22:46 . 2007-03-07 23:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-05-21 22:46 . 2008-03-01 07:06 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-05-21 22:46 . 2008-03-01 07:06 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-05-21 22:46 . 2008-03-01 07:06 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-05-21 22:46 . 2008-03-01 07:06 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-05-21 22:46 . 2008-03-01 07:06 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-05-21 22:46 . 2008-02-22 04:00 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-05-21 21:55 . 2008-05-21 21:56 <DIR> d-------- C:\Program Files\CCleaner
2008-05-21 21:20 . 2008-05-23 22:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 19:43 . 2007-03-29 06:56 409,600 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\qmgr.dll
2008-05-21 19:43 . 2007-03-29 06:56 18,944 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\qmgrprxy.dll
2008-05-21 19:43 . 2007-03-29 06:56 8,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx2.dll
2008-05-21 19:43 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx4.dll
2008-05-21 19:43 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx3.dll
2008-05-21 19:43 . 2007-03-29 06:56 7,168 --a------ C:\WINDOWS\SYSTEM32\bitsprx4.dll
2008-05-21 18:51 . 2008-05-21 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-21 18:28 . 2008-05-21 18:28 <DIR> d-------- C:\VundoFix Backups
2008-05-21 16:00 . 2004-08-05 09:04 <DIR> d-------- C:\Documents and Settings\Administrator.DORNBUSH\Application Data\Symantec
2008-05-21 16:00 . 2004-08-05 09:02 <DIR> d-------- C:\Documents and Settings\Administrator.DORNBUSH\Application Data\Sonic
2008-05-21 16:00 . 2004-08-05 09:03 <DIR> d-------- C:\Documents and Settings\Administrator.DORNBUSH\Application Data\Jasc Software Inc
2008-05-21 16:00 . 2008-05-21 16:00 <DIR> d-------- C:\Documents and Settings\Administrator.DORNBUSH
2008-05-21 13:52 . 2008-05-21 19:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 13:52 . 2008-05-21 19:15 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\SUPERAntiSpyware.com
2008-05-21 13:52 . 2008-05-21 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-21 09:20 . 2008-05-21 09:20 100,000 --a------ C:\WINDOWS\SYSTEM32\wyfeenhj.dll
2008-05-21 06:41 . 2008-05-21 06:41 100,000 --a------ C:\WINDOWS\SYSTEM32\vlcfjrbm.dll
2008-05-20 23:46 . 2008-05-23 21:45 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-20 23:41 . 2008-05-24 09:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-05-20 23:41 . 2008-05-20 23:41 <DIR> d-------- C:\Program Files\AVG
2008-05-20 23:41 . 2008-05-20 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-20 23:41 . 2008-05-20 23:41 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-05-20 23:41 . 2008-05-20 23:41 75,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-05-20 23:41 . 2008-05-20 23:41 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-05-20 23:28 . 2008-05-20 23:42 8,192 --a------ C:\Documents and Settings\Bob
2008-05-20 23:19 . 2008-05-25 07:20 4,192,288 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-05-20 23:19 . 2008-05-25 07:14 50,180 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-05-20 23:14 . 2008-05-20 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-20 23:14 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-05-20 23:14 . 2008-05-20 23:17 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-05-20 23:13 . 2008-05-20 23:13 <DIR> d-------- C:\Program Files\Zone Labs
2008-05-20 23:12 . 2008-05-25 07:19 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-20 22:23 . 2008-05-20 23:19 <DIR> d-------- C:\Program Files\AXPDefender
2008-05-20 22:23 . 2008-05-20 22:23 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\AXPDefender
2008-05-20 22:16 . 2008-05-23 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 22:05 . 2008-05-20 22:05 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\Lavasoft
2008-05-20 21:57 . 2008-05-20 21:57 <DIR> d---s---- C:\Documents and Settings\Kelly\UserData
2008-05-19 20:50 . 2008-05-19 20:50 <DIR> d-------- C:\Documents and Settings\Robbie\Application Data\AXPDefender
2008-05-18 15:01 . 2008-05-18 15:01 164 --a------ C:\install.dat
2008-05-17 17:53 . 2008-05-17 17:53 <DIR> d-------- C:\Documents and Settings\Kelly\Contacts
2008-05-17 15:42 . 2008-05-17 15:42 <DIR> d-------- C:\Program Files\The Little App Factory
2008-05-17 15:28 . 2008-05-21 18:49 <DIR> dr-h----- C:\Documents and Settings\Kelly\Application Data\yahoo!
2008-05-17 15:19 . 2008-05-17 17:44 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\Apple Computer
2008-05-17 14:57 . 2008-05-17 15:14 <DIR> d--h----- C:\Documents and Settings\Kelly\Application Data\GTek
2008-05-17 14:54 . 2004-08-05 09:04 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\Symantec
2008-05-17 14:54 . 2004-08-05 09:02 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\Sonic
2008-05-17 14:54 . 2004-08-05 09:03 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\Jasc Software Inc
2008-05-17 14:54 . 2008-05-21 22:26 <DIR> d-------- C:\Documents and Settings\Kelly
2008-04-28 22:09 . 2008-04-28 22:09 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-04-28 21:07 . 2008-05-21 18:49 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-28 18:54 . 2008-04-28 18:55 <DIR> d-------- C:\Program Files\RcvSystem
2008-04-27 11:11 . 2002-08-29 04:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 12:12 86,016 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-05-24 15:31 240,128 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-05-24 15:31 1,453,056 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-24 03:59 1,448,448 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-05-22 22:23 569,856 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-22 22:23 1,445,376 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-22 04:05 --------- d-----w C:\Program Files\Yahoo!
2008-05-22 03:26 1,418,752 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-22 00:49 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-05-21 15:49 1,340,416 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-05-21 04:17 --------- d-----w C:\Program Files\Lavasoft
2008-04-28 04:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-23 00:04 --------- d-----w C:\Program Files\John Deere American Farmer
2008-04-19 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-03 03:07 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-02 00:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
1998-04-02 22:51 77,312 --sha-r C:\WINDOWS\ic.exe
1998-04-02 22:55 80,384 --sha-r C:\WINDOWS\icfire.exe
1997-07-23 17:03 11,338 -csha-r C:\WINDOWS\ts.dll
2005-02-01 03:34 32 -csha-w C:\WINDOWS\{3428C5EB-E2C4-4D21-9540-AC08C6B6A426}.dat
2005-02-01 03:34 32 -csha-w C:\WINDOWS\{36168E7F-889D-4096-9F09-6B5B8F053D01}.dat
2005-02-01 03:35 32 -csha-w C:\WINDOWS\{4C58F17D-90C4-4FBD-AAFD-65BEE7C000F4}.dat
2005-02-01 03:35 32 -csha-w C:\WINDOWS\{7F3F0BDF-1B9E-454C-A325-B06786DEBC2F}.dat
2005-02-01 03:35 32 -csha-w C:\WINDOWS\{94BDA1C0-AA82-498C-A673-E86D2FC51F35}.dat
2005-02-01 03:34 32 -csha-w C:\WINDOWS\{AFD3D1DD-313A-4171-B062-9AB425048A42}.dat
2005-02-01 03:35 32 --sha-w C:\WINDOWS\SYSTEM32\{0FF0D07F-8BD6-4BC1-AA77-FF7E7E0CAABC}.dat
2005-02-01 03:34 32 --sha-w C:\WINDOWS\SYSTEM32\{14EA3416-765B-46DD-B71D-0F22CA273181}.dat
2005-02-01 03:35 32 --sha-w C:\WINDOWS\SYSTEM32\{1F6B4FF7-22B6-4B48-B495-FDA7E0CABA42}.dat
2005-02-01 03:34 32 --sha-w C:\WINDOWS\SYSTEM32\{82AE451B-4167-44C4-A089-3B51123F6120}.dat
2005-02-01 03:35 32 --sha-w C:\WINDOWS\SYSTEM32\{989DA4A2-5E78-4D4F-9221-3962EF8999CE}.dat
2005-02-01 03:34 32 --sha-w C:\WINDOWS\SYSTEM32\{CB99ED97-D119-40E8-A494-709D1084512B}.dat
.
((((((((((((((((((((((((((((( snapshot@2008-05-23_22.59.07.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 04:50:34 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-25 13:15:25 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-23 09:54:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-25 12:41:37 745,472 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-25 12:41:37 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-23 09:54:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-25 12:41:23 745,472 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-25 12:41:23 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 04:17 81920]
"WebCamRT.exe"="" []
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 23:44 126976]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43 53248]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 13:12 290816]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-05 09:00 26112]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15 290816]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14 270648]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-20 23:41 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-20 23:41]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-20 23:41]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-20 23:41]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-20 23:41]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 11:11]
S3 XIRLINK;IBM PC Camera;C:\WINDOWS\system32\DRIVERS\C-itnt.sys [2001-08-01 15:49]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 21:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-25 07:16:31 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-05-25 7:24:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 13:24:45
ComboFix2.txt 2008-05-24 04:59:41

Pre-Run: 51,199,479,808 bytes free
Post-Run: 51,186,991,104 bytes free
240 --- E O F --- 2008-05-23 19:43:56
SDFix: Version 1.185
Run by Administrator on Sun 05/25/2008 at 06:49 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\28.tmp - Deleted
C:\WINDOWS\system32\drivers\hosts - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 07:00:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 2 Apr 1998 77,312 A.SHR --- "C:\WINDOWS\ic.exe"
Thu 2 Apr 1998 80,384 A.SHR --- "C:\WINDOWS\icfire.exe"
Wed 23 Jul 1997 11,338 A.SHR --- "C:\WINDOWS\ts.dll"
Tue 27 Dec 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf0471ca1f3f12affe6c8fea1ffc6ddb\BIT28.tmp"
Sat 17 May 2008 8 A..H. --- "C:\Documents and Settings\Kelly\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 17 May 2008 8 A..H. --- "C:\Documents and Settings\Kelly\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 17 May 2008 8 A..H. --- "C:\Documents and Settings\Kelly\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 17 May 2008 8 A..H. --- "C:\Documents and Settings\Kelly\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!
ourwilly
HijackThis Helper
Reg'd: Sun
Posts: 2826
Loc: England.
Hello ryanjo34
Quote:
Ok I used a different keyboard and stuck to plan A. Everything seems to be working a lot better.
That's great, thank you for letting me know.
---------------
1. Please go to: http://virusscan.jotti.org/ At the top select the Browse button, then navigate to this file and Submit it to be scanned: C:\WINDOWS\SYSTEM32\wyfeenhj.dll
Then repeat for this file: C:\WINDOWS\SYSTEM32\vlcfjrbm.dll
Please Copy & Paste both results in your next reply.
2. Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Update Java: Go here and download the latest version of Java Runtime Environment (JRE) 6 Update 6: http://java.sun.com/javase/downloads/index.jsp
Go to Start > Control Panel and double-click Add or Remove Programs. Search the list for all previously installed versions of Java (J2SE Runtime Environment....). Select any found and click Remove. Then install the version you downloaded earlier.
3. Install and run through the MalwareBytes Anti-malware instructions from before and post the results, a new HijackThis log and also the Jotti results.
ryanjo34
new user
Reg'd: Thu
Posts: 8
Ok here are the three logs you requested. I updated Java and it installed 3 things:
Java DB 10.3.1.4
Java(TM) 6 Update 6
Java(TM) SE Development Kit 6 Update 6
These 3 show in the add or remove list now. Is this correct?
Thank you
Service load: 0% 100%
File: wyfeenhj.dll
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: 7e8b109a4f7851fd1b1fd5ebe49e1e0f
Packers detected: -
Scanner results
Scan taken on 25 May 2008 14:53:45 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:Vundo@dll
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Virus.Win32.Vundo@dll
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Service load: 0% 100%
File: vlcfjrbm.dll
MD5: 7e8b109a4f7851fd1b1fd5ebe49e1e0f
Packers detected: -
Scanner results
Scan taken on 25 May 2008 15:14:44 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:Vundo@dll
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Virus.Win32.Vundo@dll
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Malwarebytes' Anti-Malware 1.12
Database version: 788
Scan type: Quick Scan
Objects scanned: 40229
Time elapsed: 7 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 25
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected:
C:\Program Files\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender\Quarantine (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender\Quarantine\BrowserObjects (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender\Quarantine\Packages (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robbie\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender\Quarantine (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender\Quarantine\BrowserObjects (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender\Quarantine\Packages (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
Files Infected: (No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:58 AM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svc