Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] I infected my computer, someone bail me out.

Started by rls66 , Jan 27 2008 11:53 AM

  • This topic is locked This topic is locked
7 replies to this topic

#1 rls66

rls66

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 27 January 2008 - 11:53 AM

Hi, Thanks in advance. I downloaded p2p software (I know) and subsequently infected my computer multiple times, I have done all I can at this point (p2p software is gone, updated my antiviris and anti-spyware software, tinkered with my startup programs) and still popups, not to mention trojans found by my antiviris software on a daily basis. Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:48 AM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {5AAF23D8-4489-43D8-A064-319D1254ABCA} - C:\WINDOWS\system32\xxywuur.dll
O2 - BHO: (no name) - {FDF1CDBF-3968-43E6-B628-1861E1104DF6} - C:\WINDOWS\system32\jkhff.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [44a77496] rundll32.exe "C:\WINDOWS\system32\wbhlsfdc.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: FlashSwitch.lnk = C:\Program Files\FlashSwitch\FlashSw.exe
O4 - Startup: Organize.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189902715406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189902703218
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: xxywuur - C:\WINDOWS\SYSTEM32\xxywuur.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6244 bytes

    Advertisements

Register to Remove

#2 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 27 January 2008 - 12:08 PM

Hello rls66 and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem.


Delete any existing version of ComboFix you have sitting on your desktop

Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again afterwards before connecting to the net
--------------------------------------------------------------------
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****


Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#3 rls66

rls66

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 27 January 2008 - 02:02 PM

Great, thanks for the quick reply, here is the Cobofix Log...

____________________
ComboFix 08-01-23.1C - Owner 2008-01-27 13:30:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.178 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\app.exe
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\taskkill.exe
C:\WINDOWS\system32\winlogo.exe
C:\WINDOWS\system32\xxywuur.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 13:42 . 2008-01-27 13:42 <DIR> d-------- C:\temp\tn3
2008-01-27 13:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 11:01 . 2008-01-25 11:01 5,727 --a------ C:\WINDOWS\system32\aucgvgtp.dll
2008-01-24 14:59 . 2008-01-24 14:59 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-24 14:57 . 2008-01-24 14:57 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-24 14:53 . 2008-01-24 14:53 <DIR> d-------- C:\Program Files\PopupPopper
2008-01-24 14:53 . 2002-02-15 15:02 1,326,080 --a------ C:\WINDOWS\system32\vcl60.bpl
2008-01-24 14:53 . 2002-02-15 15:02 676,352 --a------ C:\WINDOWS\system32\rtl60.bpl
2008-01-24 14:53 . 2001-05-21 23:00 213,504 --a------ C:\WINDOWS\system32\vclx60.bpl
2008-01-24 13:01 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-01-24 11:01 . 2008-01-24 11:01 6,645 --a------ C:\WINDOWS\system32\uirjwnsv.dll
2008-01-24 09:07 . 2008-01-27 13:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-24 09:07 . 2008-01-24 09:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 10:59 . 2008-01-23 10:59 6,645 --a------ C:\WINDOWS\system32\bqstiknx.dll
2008-01-22 10:58 . 2008-01-22 10:58 6,645 --a------ C:\WINDOWS\system32\plytqxmp.dll
2008-01-22 09:48 . 2007-09-11 11:55 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-22 09:48 . 2007-09-11 11:55 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-22 09:42 . 2008-01-27 11:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 13:18 . 2007-09-11 11:55 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-21 10:59 . 2008-01-21 19:09 1,087,371 ---hs---- C:\WINDOWS\system32\cdfslhbw.ini
2008-01-21 10:41 . 2008-01-21 21:53 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-01-20 21:50 . 2008-01-20 21:50 161 --a------ C:\temp292625.bat
2008-01-20 21:50 . 2008-01-20 21:50 161 --a------ C:\temp268312.bat
2008-01-20 21:48 . 2008-01-20 21:48 253 --a------ C:\WINDOWS\system32\1171.bat
2008-01-20 14:56 . 2008-01-20 14:56 162 --a------ C:\temp1747328.bat
2008-01-20 14:52 . 2008-01-20 14:52 160 --a------ C:\temp1509984.bat
2008-01-20 14:40 . 2008-01-20 14:40 161 --a------ C:\temp778671.bat
2008-01-20 14:37 . 2008-01-20 14:37 161 --a------ C:\temp579203.bat
2008-01-20 14:26 . 2008-01-20 21:40 <DIR> d-------- C:\WINDOWS\system32\winzs6
2008-01-20 14:26 . 2008-01-20 21:40 <DIR> d-------- C:\WINDOWS\system32\nui4
2008-01-20 14:26 . 2008-01-20 14:26 <DIR> d-------- C:\WINDOWS\system32\extz1
2008-01-20 14:26 . 2008-01-24 17:31 <DIR> d-------- C:\WINDOWS\system32\dob3
2008-01-20 14:26 . 2008-01-20 14:28 <DIR> d-------- C:\WINDOWS\system32\comz7
2008-01-20 14:26 . 2008-01-20 14:26 <DIR> d-------- C:\temp\gTiis19
2008-01-20 14:26 . 2008-01-20 14:26 86,016 --a------ C:\WINDOWS\system32\drivers\mcdd.sys
2008-01-20 14:26 . 2008-01-20 14:26 27,004 --a------ C:\WINDOWS\system32\min.exe
2008-01-20 14:26 . 2008-01-27 13:42 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-20 14:26 . 2008-01-20 14:26 253 --a------ C:\WINDOWS\system32\4434.bat
2008-01-20 14:25 . 2008-01-20 14:25 <DIR> d-------- C:\WINDOWS\system32\nGpxx07
2008-01-20 14:25 . 2008-01-20 14:25 <DIR> d-------- C:\temp\cXzz9
2008-01-20 14:25 . 2008-01-20 14:25 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-20 14:23 . 2008-01-20 14:23 4,720 --a------ C:\WINDOWS\system32\ide21201.vxd
2008-01-20 14:23 . 2008-01-20 21:50 1,201 --a------ C:\WINDOWS\2b31038d97b5ca91fa13ffd9f93133fb.ini
2008-01-20 11:46 . 2008-01-20 14:04 <DIR> d-------- C:\Program Files\Sims2
2008-01-20 09:25 . 2008-01-20 09:26 <DIR> d-------- C:\Program Files\Roller Coaster Tycoon 2
2008-01-17 18:05 . 2008-01-20 11:54 <DIR> dr------- C:\Program Files\Tycoon Games
2008-01-17 09:00 . 2008-01-19 15:08 <DIR> d-------- C:\Program Files\Zoo Tycoon
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 19:43 --------- d-----w C:\Program Files\Ares
2008-01-26 16:22 3,884 ----a-w C:\WINDOWS\viassary-hp.reg
2008-01-23 16:18 --------- d-----w C:\Program Files\iTunes
2008-01-23 16:18 --------- d-----w C:\Program Files\iPod
2008-01-23 16:13 --------- d-----w C:\Program Files\QuickTime
2008-01-22 15:27 --------- d-----w C:\Program Files\Lavasoft
2008-01-22 01:36 --------- d-----w C:\Program Files\Java
2008-01-20 21:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 21:06 --------- d-----w C:\Program Files\interMute
2008-01-20 20:58 --------- d-----w C:\Program Files\LimeWire
2008-01-20 20:22 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-17 00:29 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-17 00:29 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-17 00:29 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-17 00:29 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 10:24 1694208]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 03:34 32768]
"ares"="C:\Program Files\Ares\Ares.exe" [2005-02-22 20:52 1202176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-12-16 18:29 1393928]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"44a77496"="C:\WINDOWS\system32\wbhlsfdc.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-11-29 20:36:41 49254]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 14:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 06:49:48 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-01-20 21:59:55 16384]

R1 mcdd;mcdd;C:\WINDOWS\system32\drivers\mcdd.sys [2008-01-20 14:26]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 15:50:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-27 19:45:31 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-27 19:50:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{90E8AAE0-A15F-4E38-8DD9-A3549D810920}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 13:42:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 13:53:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 19:53:25
.
2008-01-25 09:02:14 --- E O F ---
_______________________________________

And here is the new HijackThis log...

__________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:37 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [44a77496] rundll32.exe "C:\WINDOWS\system32\wbhlsfdc.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: FlashSwitch.lnk = C:\Program Files\FlashSwitch\FlashSw.exe
O4 - Startup: Organize.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189902715406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189902703218
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 5840 bytes
_________________________

Thanks again

#4 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 27 January 2008 - 02:32 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\aucgvgtp.dll
C:\WINDOWS\system32\uirjwnsv.dll
C:\WINDOWS\system32\bqstiknx.dll
C:\WINDOWS\system32\plytqxmp.dll
C:\WINDOWS\system32\cdfslhbw.ini
C:\temp292625.bat
C:\temp268312.bat
C:\WINDOWS\system32\1171.bat
C:\temp1747328.bat
C:\temp1509984.bat
C:\temp778671.bat
C:\temp579203.bat
C:\WINDOWS\system32\drivers\mcdd.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\4434.bat
C:\WINDOWS\viassary-hp.reg
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\ide21201.vxd
C:\WINDOWS\2b31038d97b5ca91fa13ffd9f93133fb.ini

Folder::
C:\temp\tn3
C:\WINDOWS\system32\winzs6
C:\WINDOWS\system32\nui4
C:\WINDOWS\system32\extz1
C:\WINDOWS\system32\dob3
C:\WINDOWS\system32\comz7
C:\temp\gTiis19
C:\WINDOWS\system32\nGpxx07
C:\temp\cXzz9

Driver::
mcdd

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"44a77496"=-
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used..

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#5 rls66

rls66

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 27 January 2008 - 04:22 PM

Alright here are the new logs
________________________

ComboFix 08-01-23.1C - Owner 2008-01-27 15:51:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.161 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\temp1509984.bat
C:\temp1747328.bat
C:\temp268312.bat
C:\temp292625.bat
C:\temp579203.bat
C:\temp778671.bat
C:\WINDOWS\2b31038d97b5ca91fa13ffd9f93133fb.ini
C:\WINDOWS\system32\1171.bat
C:\WINDOWS\system32\4434.bat
C:\WINDOWS\system32\aucgvgtp.dll
C:\WINDOWS\system32\bqstiknx.dll
C:\WINDOWS\system32\cdfslhbw.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\mcdd.sys
C:\WINDOWS\system32\ide21201.vxd
C:\WINDOWS\system32\plytqxmp.dll
C:\WINDOWS\system32\uirjwnsv.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\viassary-hp.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\cXzz9
C:\temp\gTiis19
C:\temp\gTiis19\lTig.log
C:\temp\tn3
C:\temp1509984.bat
C:\temp1747328.bat
C:\temp268312.bat
C:\temp292625.bat
C:\temp579203.bat
C:\temp778671.bat
C:\WINDOWS\2b31038d97b5ca91fa13ffd9f93133fb.ini
C:\WINDOWS\system32\1171.bat
C:\WINDOWS\system32\4434.bat
C:\WINDOWS\system32\aucgvgtp.dll
C:\WINDOWS\system32\bqstiknx.dll
C:\WINDOWS\system32\cdfslhbw.ini
C:\WINDOWS\system32\comz7
C:\WINDOWS\system32\dob3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\mcdd.sys
C:\WINDOWS\system32\extz1
C:\WINDOWS\system32\extz1\lovstadcom2.exe
C:\WINDOWS\system32\ide21201.vxd
C:\WINDOWS\system32\nGpxx07
C:\WINDOWS\system32\nGpxx07\nGpxx071084.exe
C:\WINDOWS\system32\nui4
C:\WINDOWS\system32\plytqxmp.dll
C:\WINDOWS\system32\uirjwnsv.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\winzs6
C:\WINDOWS\viassary-hp.reg
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MCDD
-------\mcdd


((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 13:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 14:59 . 2008-01-24 14:59 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-24 14:57 . 2008-01-24 14:57 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-24 14:53 . 2008-01-24 14:53 <DIR> d-------- C:\Program Files\PopupPopper
2008-01-24 14:53 . 2002-02-15 15:02 1,326,080 --a------ C:\WINDOWS\system32\vcl60.bpl
2008-01-24 14:53 . 2002-02-15 15:02 676,352 --a------ C:\WINDOWS\system32\rtl60.bpl
2008-01-24 14:53 . 2001-05-21 23:00 213,504 --a------ C:\WINDOWS\system32\vclx60.bpl
2008-01-24 13:01 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-01-24 09:07 . 2008-01-27 16:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-24 09:07 . 2008-01-24 09:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-22 09:48 . 2007-09-11 11:55 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-22 09:48 . 2007-09-11 11:55 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-22 09:42 . 2008-01-27 11:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 13:18 . 2007-09-11 11:55 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-21 10:41 . 2008-01-21 21:53 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-01-20 14:26 . 2008-01-20 14:26 27,004 --a------ C:\WINDOWS\system32\min.exe
2008-01-20 11:46 . 2008-01-20 14:04 <DIR> d-------- C:\Program Files\Sims2
2008-01-20 09:25 . 2008-01-20 09:26 <DIR> d-------- C:\Program Files\Roller Coaster Tycoon 2
2008-01-17 18:05 . 2008-01-20 11:54 <DIR> dr------- C:\Program Files\Tycoon Games
2008-01-17 09:00 . 2008-01-19 15:08 <DIR> d-------- C:\Program Files\Zoo Tycoon
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 22:02 3,651 ----a-w C:\WINDOWS\viassary-hp.reg
2008-01-27 19:43 --------- d-----w C:\Program Files\Ares
2008-01-23 16:18 --------- d-----w C:\Program Files\iTunes
2008-01-23 16:18 --------- d-----w C:\Program Files\iPod
2008-01-23 16:13 --------- d-----w C:\Program Files\QuickTime
2008-01-22 15:27 --------- d-----w C:\Program Files\Lavasoft
2008-01-22 01:36 --------- d-----w C:\Program Files\Java
2008-01-20 21:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 21:06 --------- d-----w C:\Program Files\interMute
2008-01-20 20:58 --------- d-----w C:\Program Files\LimeWire
2008-01-20 20:22 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-17 00:29 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-17 00:29 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-17 00:29 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-17 00:29 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-27_13.53.11.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 19:30:08 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 21:51:36 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-27 19:30:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 21:51:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-27 19:30:08 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 21:51:36 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-27 19:30:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 21:51:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-27 19:30:09 3,043,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 21:51:37 3,043,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-27 19:30:09 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 21:51:37 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 10:24 1694208]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 03:34 32768]
"ares"="C:\Program Files\Ares\Ares.exe" [2005-02-22 20:52 1202176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-12-16 18:29 1393928]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-11-29 20:36:41 49254]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 14:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 06:49:48 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-01-20 21:59:55 16384]


.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 15:50:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-27 22:04:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-27 22:15:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{90E8AAE0-A15F-4E38-8DD9-A3549D810920}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 16:03:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 16:16:26 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-01-27 22:16:23
ComboFix2.txt 2008-01-27 19:53:29
.
2008-01-25 09:02:14 --- E O F ---
_____________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:00 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: FlashSwitch.lnk = C:\Program Files\FlashSwitch\FlashSw.exe
O4 - Startup: Organize.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189902715406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189902703218
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 5853 bytes
______________________________________________


thanks so much

#6 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 27 January 2008 - 07:19 PM

I need you to run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.


In addition, please tell me how your system is now running.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#7 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 02 February 2008 - 09:17 AM

I hope you are well and not experiencing any difficulties carrying out my last set of instructions. If you are, do not hesitate to ask for further explanations. If however, your problem has been solved or you no longer require our assistance, please advise us accordingly and we will archive your topic.

Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 08 February 2008 - 10:01 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·