Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] AdvanceCleaner and Popups


  • This topic is locked This topic is locked
10 replies to this topic

#1 Emma_m

Emma_m

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 17 January 2008 - 07:18 PM

Hi

My system seems to be infected with AdvanceCleaner. It keeps asking me to install. I also get alot of popups, which in turn creates alot of cookies. I have Trend Micro which tries to clean it up but it keeps coming back. This log was taken after Trend had done a Full System Scan. I have also started getting a Runtime error.

Here is my Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:22 PM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\System32\JMRaidTool.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OL\TMAS_OL.exe
C:\Program Files\Internode\mum.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [svchost_sprn.exe] C:\Documents and Settings\Murray Family\My Documents\TV Torrents Info\svrsrn.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [70f2bac7] rundll32.exe "C:\WINDOWS\system32\miekefum.dll",b
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: LAN Chat.lnk = C:\Program Files\Fomine LAN Chat\LANChat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1166932314968
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.extrafilm...geUploader3.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://msnau.oberon-...pt.1.0.0.21.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://msnau.oberon-...ploader_v10.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.co...upldr-2k-xp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DC41085-78D3-4199-B592-1D9A3127A34A}: NameServer = 192.231.203.132,192.231.203.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{5DC41085-78D3-4199-B592-1D9A3127A34A}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://mysite.verizo...1j5/snowing.gif

Appreciate any help!

Thanks

Emma

    Advertisements

Register to Remove


#2 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 18 January 2008 - 08:30 AM

Hello Emma_m and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem.


A. Please provide a list of uninstallable programs.

To Provide a List of Installed Programs
  • Run HijackThis.
  • Click Config>>Miscellaneous Tools>>Open Uninstall Manager>>Save List
  • Save list to Desktop
  • Copy the Notepad list and Paste it into this thread.


B. Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • First, physically disconnect your computer from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.
  • Now you may reconnect your machine to the internet and post the logs

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#3 Emma_m

Emma_m

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 18 January 2008 - 04:19 PM

Hi Trevuren,

Here are the logs you requested:

µTorrent
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player
AncestryView V2
ArcSoft VideoImpression 1.6FP
AVS DVDMenu Editor 1.0.0.5
AVS Video Tools 5.5
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
CardPlayer Poker
Dora Backpack
Dora Dance Rescue
Dora Lost City
DVD Shrink 3.2
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESDX6000_CX5900 User's Guide
Family Tree Maker 2006
FinePixViewer Ver.3.0
Fomine LAN Chat
FUJIFILM USB Driver
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
Hotfix for Windows XP (KB935448)
ImgBurn (Remove Only)
InCD
Internode Monthly Usage Meter 6.4s
J2SE Runtime Environment 5.0 Update 3
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
JRAID
LG ODD Auto Firmware Update
Macrogaming SweetIM 2.0
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero OEM
Nero PhotoShow Express 4
Nokia Connectivity Cable Driver
NVIDIA Drivers
NVIDIA WDM Drivers
Paragon Hard Disk Manager 6.0
PC Connectivity Solution
PhotoNow! 1.0
PIF DESIGNER
Plaxo Toolbar for Outlook and Outlook Express
PowerDirector
PowerISO
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
SiSAGP driver
Skype 3.0
Skype Plugin Manager
SweetIM For Internet Explorer 3.0b
Trend Micro Internet Security
Trend Micro Internet Security
UltimateBuddy
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
VideoLAN VLC media player 0.8.6
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
X10 Hardware™

---------------------------------------------------------------------------------------------------------------------

ComboFix 08-01-18.5 - Murray Family 2008-01-19 8:58:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.546 [GMT 11:00]
Running from: C:\Documents and Settings\Murray Family\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mufekeim.ini
C:\WINDOWS\system32\ouijrvlu.ini
C:\WINDOWS\system32\tcgawaas.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-19 08:57 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 10:48 . 2008-01-18 10:48 3,858 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-17 22:26 . 2008-01-17 22:27 <DIR> d-------- C:\dfa492afcb4802658a943e4f03902106
2008-01-17 22:21 . 2007-09-18 00:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-17 22:21 . 2007-09-18 00:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-17 22:21 . 2007-09-18 00:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-15 17:43 . 2008-01-17 22:10 <DIR> d-------- C:\Program Files\MSN Games
2008-01-15 17:43 . 2008-01-15 17:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Oberon
2008-01-13 10:56 . 2008-01-13 10:56 <DIR> d-------- C:\Documents and Settings\Murray Family\Application Data\PlayFirst
2008-01-13 10:56 . 2008-01-13 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-12 17:12 . 2008-01-12 17:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-12 17:12 . 2008-01-12 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 20:08 . 2008-01-11 20:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-01-03 16:06 . 2008-01-12 18:56 <DIR> d-------- C:\Program Files\Fomine LAN Chat
2008-01-01 13:57 . 2008-01-01 13:57 1,409 --a------ C:\WINDOWS\system32\tmpD4E6D.FOT
2008-01-01 13:57 . 2008-01-01 13:57 1,409 --a------ C:\WINDOWS\system32\tmpACE6D.FOT
2008-01-01 13:57 . 2008-01-01 13:57 1,409 --a------ C:\WINDOWS\system32\tmp36D6D.FOT
2008-01-01 13:57 . 2008-01-01 13:57 1,409 --a------ C:\WINDOWS\system32\tmp2EA6D.FOT
2008-01-01 13:57 . 2008-01-01 13:57 1,409 --a------ C:\WINDOWS\system32\tmp0ED6D.FOT
2007-12-31 06:45 . 2007-12-31 06:47 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-12-20 20:09 . 2008-01-17 18:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 22:02 --------- d-----w C:\Program Files\lg_fwupdate
2008-01-18 21:52 --------- d-----w C:\Program Files\Plaxo
2008-01-18 21:45 --------- d-----w C:\Documents and Settings\Murray Family\Application Data\uTorrent
2008-01-17 23:59 --------- d-----w C:\Program Files\Trend Micro
2008-01-17 11:21 --------- d-----w C:\Program Files\Internode
2008-01-17 11:21 --------- d-----w C:\Documents and Settings\Murray Family\Application Data\Internode
2008-01-17 11:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-17 03:43 --------- d-----w C:\Documents and Settings\Murray Family\Application Data\dvdcss
2008-01-16 10:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-20 08:35 --------- d-----w C:\Program Files\CardPlayer Poker
2007-12-09 01:42 --------- d-----w C:\Documents and Settings\Murray Family\Application Data\Skype
2007-11-21 02:51 --------- d-----w C:\Program Files\PFConfig
2004-10-01 04:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9504b95b-c212-4395-bb7b-fbd36cf86af2}]
C:\WINDOWS\system32\ethyafdq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InternodeUsage"="C:\PROGRA~1\INTERN~2\mum.exe" [2008-01-17 22:21 1333760]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-11 06:52 249856]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 17:53 73840]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-18 00:30 488712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 20:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 20:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 20:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"JMB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [2006-04-20 19:07 385024]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 13:06 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-08 12:36 249856]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-04 18:59 16206848 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-04-24 18:20 1448960 C:\WINDOWS\SkyTel.exe]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-01-20 18:09 200704]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 17:53 73840]
"svchost_sprn.exe"="C:\Documents and Settings\Murray Family\My Documents\TV Torrents Info\svrsrn.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"70f2bac7"="C:\WINDOWS\system32\miekefum.dll" [ ]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-12-16 18:25 1393928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 18:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2007-03-22 15:16:35]
LAN Chat.lnk - C:\Program Files\Fomine LAN Chat\LANChat.exe [2007-10-13 22:44:04]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkifff]
jkkifff.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mllji.dll

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys [2005-04-29 01:47]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-03-16 15:36]
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2005-04-14 23:42]
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2005-04-14 23:42]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 07:30:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-01-18 22:01:44 C:\WINDOWS\Tasks\Microsoft Office Outlook 2003.job"
- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Outlook 2003.lnk
"2008-01-18 11:46:22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{7AB43523-0979-4E51-9961-7AA07650A6B7}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 09:03:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 9:05:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 22:05:38
.
2008-01-17 11:27:02 --- E O F ---

---------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:01 AM, on 19/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\System32\JMRaidTool.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {2fa68fc6-3dbf-b7bb-5934-212cb59b4059} - {9504b95b-c212-4395-bb7b-fbd36cf86af2} - C:\WINDOWS\system32\ethyafdq.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [svchost_sprn.exe] C:\Documents and Settings\Murray Family\My Documents\TV Torrents Info\svrsrn.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [70f2bac7] rundll32.exe "C:\WINDOWS\system32\miekefum.dll",b
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: LAN Chat.lnk = C:\Program Files\Fomine LAN Chat\LANChat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1166932314968
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.extrafilm...geUploader3.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://msnau.oberon-...pt.1.0.0.21.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://msnau.oberon-...ploader_v10.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.co...upldr-2k-xp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DC41085-78D3-4199-B592-1D9A3127A34A}: NameServer = 192.231.203.132,192.231.203.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{5DC41085-78D3-4199-B592-1D9A3127A34A}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O20 - Winlogon Notify: jkkifff - jkkifff.dll (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://mysite.verizo...1j5/snowing.gif

--
End of file - 9014 bytes

-------------------------------------------------------------------------------------------------------------------------

I now seem to have a RUNDLL error

Error Loading C:\WINDOWS\system32\miekefum.dll

This specified module could not be found.

Your turn now!..

Emma

#4 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 18 January 2008 - 04:54 PM

A. Using the Add/Remove Progam module in your Control Panel, please UNINSTALL the following program:

UltimateBuddy


Justification for the above can be found here, if needed: http://www.bleepingc...tall/Cat-U.html



B. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
    O2 - BHO: {2fa68fc6-3dbf-b7bb-5934-212cb59b4059} - {9504b95b-c212-4395-bb7b-fbd36cf86af2} - C:\WINDOWS\system32\ethyafdq.dll (file missing)
    O4 - HKLM\..\Run: [svchost_sprn.exe] C:\Documents and Settings\Murray Family\My Documents\TV Torrents Info\svrsrn.exe
    O4 - HKLM\..\Run: [70f2bac7] rundll32.exe "C:\WINDOWS\system32\miekefum.dll",b
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://msnau.oberon-...ploader_v10.cab
    O20 - Winlogon Notify: jkkifff - jkkifff.dll (file missing)


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


C.
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\tmpD4E6D.FOT
C:\WINDOWS\system32\tmpACE6D.FOT
C:\WINDOWS\system32\tmp36D6D.FOT
C:\WINDOWS\system32\tmp2EA6D.FOT
C:\WINDOWS\system32\tmp0ED6D.FOT
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\drivers\oreans32.sys

Folder::
C:\dfa492afcb4802658a943e4f03902106
C:\Documents and Settings\All Users\Application Data\PopCap
C:\Program Files\UltimateBuddy

Driver::
oreans32
SetupNTGLM7X

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used..

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


D. I need you to run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.


Your turn Emma
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#5 Emma_m

Emma_m

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 18 January 2008 - 06:39 PM

My turn complete....

Here are the logs as requested:

ComboFix 08-01-18.5 - Murray Family 2008-01-19 10:27:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.583 [GMT 11:00]
Running from: C:\Documents and Settings\Murray Family\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Murray Family\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\drivers\oreans32.sys
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\tmp0ED6D.FOT
C:\WINDOWS\system32\tmp2EA6D.FOT
C:\WINDOWS\system32\tmp36D6D.FOT
C:\WINDOWS\system32\tmpACE6D.FOT
C:\WINDOWS\system32\tmpD4E6D.FOT
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dfa492afcb4802658a943e4f03902106
C:\dfa492afcb4802658a943e4f03902106\mrt.exe._p
C:\dfa492afcb4802658a943e4f03902106\mrtstub.exe
C:\Program Files\UltimateBuddy
C:\Program Files\UltimateBuddy\LocalWeb\bg-popup.gif
C:\Program Files\UltimateBuddy\LocalWeb\buddy-popup.html
C:\Program Files\UltimateBuddy\LocalWeb\popup-ub-logo.gif
C:\Program Files\UltimateBuddy\RteMenu.dll
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\drivers\oreans32.sys
C:\WINDOWS\system32\tmp0ED6D.FOT
C:\WINDOWS\system32\tmp2EA6D.FOT
C:\WINDOWS\system32\tmp36D6D.FOT
C:\WINDOWS\system32\tmpACE6D.FOT
C:\WINDOWS\system32\tmpD4E6D.FOT

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_OREANS32
-------\LEGACY_SETUPNTGLM7X
-------\oreans32
-------\SetupNTGLM7X


((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-19 08:57 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 10:48 . 2008-01-18 10:48 3,858 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-17 22:21 . 2007-09-18 00:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-17 22:21 . 2007-09-18 00:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-17 22:21 . 2007-09-18 00:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-15 17:43 . 2008-01-17 22:10 <DIR> d-------- C:\Program Files\MSN Games
2008-01-15 17:43 . 2008-01-15 17:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Oberon
2008-01-13 10:56 . 2008-01-13 10:56 <DIR> d-------- C:\Documents and Settings\Murray Family\Application Data\PlayFirst
2008-01-13 10:56 . 2008-01-13 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-12 17:12 . 2008-01-12 17:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-12 17:12 . 2008-01-12 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-03 16:06 . 2008-01-12 18:56 <DIR> d-------- C:\Program Files\Fomine LAN Chat
2007-12-20 20:09 . 2008-01-17 18:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 23:31 --------- d-----w C:\Program Files\lg_fwupdate
2008-01-18 23:20 --------- d-----w C:\Documents and Settings\Murray Family\Application Data\uTorrent
2008-01-18 22:02 --------- d-----w C:\Program Files\Plaxo
2008-01-17 23:59 --------- d-----w C:\Program Files\Trend Micro
2008-01-17 11:21 --------- d-----w C:\Program Files\Internode
2008-01-17 11:21 --------- d-----w C:\Documents and Settings\Murray Family\Application Data\Internode
2008-01-17 11:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-17 03:43 --------- d-----w C:\Documents and Settings\Murray Family\Application Data\dvdcss
2008-01-16 10:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-20 08:35 --------- d-----w C:\Program Files\CardPlayer Poker
2007-12-09 01:42 --------- d-----w C:\Documents and Settings\Murray Family\Application Data\Skype
2007-11-21 02:51 --------- d-----w C:\Program Files\PFConfig
2004-10-01 04:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-19_ 9.05.10.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 21:57:53 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 23:27:02 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 21:57:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 23:27:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 21:57:53 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 23:27:02 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 21:57:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 23:27:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 21:57:53 8,544,256 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-18 23:27:03 8,548,352 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-18 21:57:53 483,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 23:27:03 483,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InternodeUsage"="C:\PROGRA~1\INTERN~2\mum.exe" [2008-01-17 22:21 1333760]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-11 06:52 249856]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 17:53 73840]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-18 00:30 488712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 20:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 20:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 20:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"JMB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [2006-04-20 19:07 385024]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 13:06 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-08 12:36 249856]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-04 18:59 16206848 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-04-24 18:20 1448960 C:\WINDOWS\SkyTel.exe]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-01-20 18:09 200704]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 17:53 73840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-12-16 18:25 1393928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 18:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2007-03-22 15:16:35]
LAN Chat.lnk - C:\Program Files\Fomine LAN Chat\LANChat.exe [2007-10-13 22:44:04]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys [2005-04-29 01:47]
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2005-04-14 23:42]
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2005-04-14 23:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 07:30:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-01-18 23:31:39 C:\WINDOWS\Tasks\Microsoft Office Outlook 2003.job"
- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Outlook 2003.lnk
"2008-01-18 22:49:22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{7AB43523-0979-4E51-9961-7AA07650A6B7}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 10:31:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 10:34:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 23:34:54
ComboFix2.txt 2008-01-18 22:05:41
.
2008-01-17 11:27:02 --- E O F ---
--------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:40 AM, on 19/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\System32\JMRaidTool.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: LAN Chat.lnk = C:\Program Files\Fomine LAN Chat\LANChat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1166932314968
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.extrafilm...geUploader3.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://msnau.oberon-...pt.1.0.0.21.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.co...upldr-2k-xp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DC41085-78D3-4199-B592-1D9A3127A34A}: NameServer = 192.231.203.132,192.231.203.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{5DC41085-78D3-4199-B592-1D9A3127A34A}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://mysite.verizo...1j5/snowing.gif

--
End of file - 8309 bytes

----------------------------------------------------------------------------------------------------------------

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2806 (20080118)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=7861f2b9f64c8d4d84be7185a12ed8d9
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-19 12:21:14
# local_time=2008-01-19 11:21:14 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# osver=5.1.2600 NT Service Pack 2
# scanned=268206
# found=2
# scan_time=2444
C:\Documents and Settings\Murray Family\Application Data\Sun\Java\Deployment\cache\6.0\24\4ad444d8-22d97128 Java/TrojanDownloader.OpenStream.NAB trojan CEC0DD504B18CCC2D97A22CECE9C96E7
C:\Documents and Settings\Murray Family\Application Data\Sun\Java\Deployment\cache\6.0\24\4ad444d8-22d97128 »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAB trojan 00000000000000000000000000000000


Back to you.... :)

#6 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 18 January 2008 - 07:16 PM

A. Your Java is out of date and your Java cache is infected. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u4.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • In the pull down menu next to Platform select Windows
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.


B. Now, please tell me how your system is running. If all is well, we will proceed with the final cleanup procedures.


ping- PONG
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#7 Emma_m

Emma_m

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 18 January 2008 - 10:23 PM

Hi, All old Java removed and new Java Installed. I didn't have any errors when I rebooted the computer and so far seems to be running fine. No popups yet either.... *fingers crossed* Over to you.... ;)

#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 18 January 2008 - 10:34 PM

Congratulations, your logs look CLEAN

There are a few things you must do once you system is completely clean:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


  • Posted Image



The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Update your Anti-Virus Software - I can not overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#9 Emma_m

Emma_m

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 19 January 2008 - 12:43 AM

Thanks for all your help. I have downloaded WinPatrol and Sypbot.

There is one thing before we finish. We have another computer on our home network and I was to make sure it isn't infected. This is the hijackthis log for that computer:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:46 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coastalwatch.com/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: LAN Chat.lnk = C:\Program Files\Fomine LAN Chat\LANChat.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?8687de58e01742e0818332307db53cfa
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?8687de58e01742e0818332307db53cfa
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Andrew.WORKPC\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1176807423453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187958693312
O17 - HKLM\System\CCS\Services\Tcpip\..\{402DEDFE-0E72-463D-958B-83DBE101F112}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: chkctrl - C:\WINDOWS\SYSTEM32\chkctrl.dll
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: ColdFusion MX Application Server - Unknown owner - C:\CFusionMX\runtime\bin\jrunsvc.exe (file missing)
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe (file missing)
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe (file missing)
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - http://strm-gallery....00771682835.jpg

--
End of file - 9176 bytes

Good news I hope!

Emma

#10 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 19 January 2008 - 11:04 AM

Sorry Emma. We only treat one system per topic. You will have to open another topic in the malware forum for the other computer. If you really want me to help with it, under the Topic title, write For Trevuren and it is usually left for me. Sorry, but rules are rules.

Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#11 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 19 January 2008 - 11:04 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users