1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Computer infected, help!

Discussion in 'Malware and Virus Removal Archive' started by MarkyMark, 2008/08/16.

  1. 2008/08/16
    MarkyMark

    MarkyMark Inactive Thread Starter

    Joined:
    2008/08/16
    Messages:
    2
    Likes Received:
    0
    Ok heres a dss log, this thing has aids!

    Deckard's System Scanner v20071014.68
    Run by Metal88 on 2008-08-16 15:46:03
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    43: 2008-08-16 22:46:21 UTC - RP154 - Deckard's System Scanner Restore Point
    42: 2008-08-16 21:03:27 UTC - RP153 - Removed Bonjour
    41: 2008-08-15 04:39:58 UTC - RP152 - System Checkpoint
    40: 2008-08-14 04:36:55 UTC - RP151 - System Checkpoint
    39: 2008-08-13 02:04:30 UTC - RP150 - Software Distribution Service 3.0


    -- First Restore Point --
    1: 2008-05-28 05:52:20 UTC - RP112 - Software Distribution Service 3.0


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 383 MiB (512 MiB recommended).


    -- HijackThis (run as Metal88.exe) ---------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:47:36 PM, on 8/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Applications\iebtm.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Applications\wcm.exe
    C:\Program Files\Applications\wcs.exe
    C:\Program Files\Applications\iebtmm.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
    C:\Documents and Settings\Metal88\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Metal88.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {205d445a-7b9b-4a3e-b60a-fe1d2313fa8c} - (no file)
    O2 - BHO: (no name) - {300CF5C9-F02D-4CB8-ABED-9C229DA56825} - C:\Program Files\Applications\iebt.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: 857060 helper - {6CCBAFC1-5285-494F-93F1-6894C87A9C43} - C:\WINDOWS\system32\857060\857060.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: {943264eb-4212-b0db-ebe4-c611eb14282e} - {e28241be-116c-4ebe-bd0b-2124be462349} - C:\WINDOWS\system32\tmpE3DC.tmp.dll
    O2 - BHO: SpyWarningBHO Class - {F58FF278-2198-403b-9170-C95022A194C6} - C:\Program Files\ASpyC\SpyWarning.dll (file missing)
    O3 - Toolbar: Internet Service - {254B87BB-510D-41FA-A887-52C5FA9BE585} - C:\Program Files\Applications\iebr.dll
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
    O4 - HKCU\..\Run: [ASpyC] "C:\Program Files\ASpyC\ASpyC.exe "
    O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe
    O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerfiles.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerfiles.com/redirect.php (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: c:\windows\system32\qomlmll.dll
    O20 - Winlogon Notify: asflin - asflin.dll (file missing)
    O20 - Winlogon Notify: ieudapi - ieudapi.dll (file missing)
    O22 - SharedTaskScheduler: bebization - {97d2dfac-9acb-4d6f-ac2b-ab6ee090f649} - C:\WINDOWS\system32\ouhzw.dll
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 7577 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    All drivers whitelisted.


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: Creative SBLive! Gameport
    Device ID: PCI\VEN_1102&DEV_7002&SUBSYS_00201102&REV_07\4&2B96F39&0&59F0
    Manufacturer: Creative
    Name: Creative SBLive! Gameport
    PNP Device ID: PCI\VEN_1102&DEV_7002&SUBSYS_00201102&REV_07\4&2B96F39&0&59F0
    Service: gameenum

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&15F50029&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&15F50029&0
    Service: i8042prt

    Class GUID:
    Description: psc 1300 series
    Device ID: USB\VID_03F0&PID_3B11&MI_00\6&3246C904&4&0000
    Manufacturer:
    Name: psc 1300 series
    PNP Device ID: USB\VID_03F0&PID_3B11&MI_00\6&3246C904&4&0000
    Service:


    -- Scheduled Tasks -------------------------------------------------------------

    2008-08-16 15:00:00 270 --ah----- C:\WINDOWS\Tasks\A083D9009184585C.job
    2008-08-15 03:00:00 492 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job


    -- Files created between 2008-07-16 and 2008-08-16 -----------------------------

    2008-08-16 15:35:43 0 d-------- C:\Program Files\Trend Micro
    2008-08-16 13:45:15 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-16 13:45:11 0 d-------- C:\WINDOWS\system32\857060
    2008-08-16 13:45:10 30208 --a------ C:\WINDOWS\system32\ubpr01.exe
    2008-08-16 13:44:53 0 d-------- C:\Program Files\Applications
    2008-08-13 00:42:44 0 d-------- C:\Documents and Settings\Metal88\Application Data\DivX
    2008-07-19 21:49:56 0 d-------- C:\Program Files\MSXML 6.0


    -- Find3M Report ---------------------------------------------------------------

    2008-08-12 21:50:39 13312 --a-s---- C:\WINDOWS\system32\ouhzw.dll
    2008-08-12 19:10:43 0 d-------- C:\Program Files\Messenger
    2008-08-12 11:51:28 0 d-------- C:\Program Files\Lx_cats
    2008-07-19 22:11:25 0 d-------- C:\Program Files\Yahoo!
    2008-07-13 09:29:29 0 d-------- C:\Program Files\Advanced Registry Optimizer
    2008-07-13 09:29:29 0 d-------- C:\Documents and Settings\Metal88\Application Data\Sammsoft
    2008-07-11 23:12:51 0 d-------- C:\Documents and Settings\Metal88\Application Data\U3


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{205d445a-7b9b-4a3e-b60a-fe1d2313fa8c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{300CF5C9-F02D-4CB8-ABED-9C229DA56825}]
    08/16/2008 03:40 PM 8192 --a------ C:\Program Files\Applications\iebt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CCBAFC1-5285-494F-93F1-6894C87A9C43}]
    08/16/2008 01:45 PM 17920 --a------ C:\WINDOWS\system32\857060\857060.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e28241be-116c-4ebe-bd0b-2124be462349}]
    12/18/2007 07:50 PM 64512 --a------ C:\WINDOWS\system32\tmpE3DC.tmp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F58FF278-2198-403b-9170-C95022A194C6}]
    C:\Program Files\ASpyC\SpyWarning.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{254B87BB-510D-41FA-A887-52C5FA9BE585} "= C:\Program Files\Applications\iebr.dll [08/16/2008 01:44 PM 87040]

    [-HKEY_CLASSES_ROOT\CLSID\{254B87BB-510D-41FA-A887-52C5FA9BE585}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck "= "C:\WINDOWS\system32\dumprep 0 -u" []
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/28/2008 10:46 PM]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
    "LXCFCATS "= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [07/20/2005 10:47 AM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 06:07 PM]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 06:43 PM]
    "AROReminder "= "C:\Program Files\Advanced Registry Optimizer\ARO.exe" [07/30/2007 02:06 PM]
    "ASpyC "= "C:\Program Files\ASpyC\ASpyC.exe" []
    "wblogon "= "C:\WINDOWS\system32\ubpr01.exe" [08/16/2008 01:45 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "smile "=C:\Program Files\Applications\wcs.exe
    "start "=C:\Program Files\Applications\iebtm.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{97d2dfac-9acb-4d6f-ac2b-ab6ee090f649} "= C:\WINDOWS\system32\ouhzw.dll [08/12/2008 09:50 PM 13312]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\asflin]
    asflin.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ieudapi]
    ieudapi.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=c:\windows\system32\qomlmll.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
    dxdllreg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "C:\Program Files\HP\HP Software Update\HPWuSchd.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
    "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
    C:\Program Files\SpywareBot\SpywareBot.exe -boot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winehq.org]
    rundll32.exe "C:\WINDOWS\hgdaxw.dll ",realset


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{547daf35-187f-11dc-99eb-00045a474572}]
    AutoRun\command- F:\LaunchU3.exe -a




    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 bin.errorprotector.com ## added by CiD
    127.0.0.1 br.errorsafe.com ## added by CiD
    127.0.0.1 br.winantivirus.com ## added by CiD
    127.0.0.1 br.winfixer.com ## added by CiD
    127.0.0.1 cdn.drivecleaner.com ## added by CiD
    127.0.0.1 cdn.errorsafe.com ## added by CiD
    127.0.0.1 cdn.winsoftware.com ## added by CiD
    127.0.0.1 de.errorsafe.com ## added by CiD
    127.0.0.1 de.winantivirus.com ## added by CiD
    127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

    71 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-08-16 15:48:31 ------------
     
    MarkyMark,
    #1
  2. 2008/08/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi MarkyMark
    Welcome to Windowsbbs.

    OK lets start off this way. Please do all instructions in the order give.

    Download the HostsXpert 3.7 - Hosts File Manager.
    • Unzip HostsXpert - Hosts File Manager to a convenient folder such as C:\HostsXpert
    • Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
    • Click "Make Hosts Writable?" in the upper right corner (If available).
    • Click Backup / Restore then Create Backup
    • Click Restore Microsoft's Hosts file and then click OK.
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    Now this.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Now this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the MBAM log the Combofix log and a new HJT log.

    Thanks
    Geri
     
    Geri,
    #2


  3. to hide this advert.

  4. 2008/08/17
    MarkyMark

    MarkyMark Inactive Thread Starter

    Joined:
    2008/08/16
    Messages:
    2
    Likes Received:
    0
    Ok heres the logs for all three
    ComboFix 08-08-17.01 - Metal88 2008-08-17 15:13:55.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.163 [GMT -7:00]
    Running from: C:\Documents and Settings\Metal88\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Metal88\Application Data\macromedia\Flash Player\#SharedObjects\PRPG97TK\interclick.com
    C:\Documents and Settings\Metal88\Application Data\macromedia\Flash Player\#SharedObjects\PRPG97TK\interclick.com\ud.sol
    C:\Documents and Settings\Metal88\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\Metal88\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\Metal88\Cookies\metal88@adtrgt[2].txt
    C:\Documents and Settings\Metal88\UserData
    C:\Documents and Settings\Metal88\UserData\index.dat
    C:\Documents and Settings\Metal88\UserData\IREX4VGV\YL[1].xml
    C:\Program Files\winupdates
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\tmp1E.tmp.dll
    C:\WINDOWS\system32\tmp2.tmp.dll
    C:\WINDOWS\system32\tmp29.tmp.dll
    C:\WINDOWS\system32\tmpE3DC.tmp.dll
    C:\WINDOWS\system32\winticomsv32.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CORE


    ((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
    .

    2008-08-17 14:12 . 2008-08-17 14:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-17 14:12 . 2008-08-17 14:12 <DIR> d-------- C:\Documents and Settings\Metal88\Application Data\Malwarebytes
    2008-08-17 14:12 . 2008-08-17 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-17 14:12 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-17 14:12 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-17 14:09 . 2008-08-17 14:10 <DIR> d-------- C:\Hosts Expert
    2008-08-16 22:40 . 2008-08-17 15:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-08-16 22:40 . 2008-08-16 22:40 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-08-16 22:16 . 2008-08-16 22:16 <DIR> d-------- C:\Program Files\Bonjour
    2008-08-16 22:15 . 2008-08-16 22:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-16 22:15 . 2008-08-16 22:15 <DIR> d-------- C:\Program Files\HTMLCompiler
    2008-08-16 22:15 . 2008-08-16 22:15 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
    2008-08-16 16:32 . 2008-08-16 22:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy(2)
    2008-08-16 15:45 . 2008-08-16 15:45 <DIR> d-------- C:\Deckard
    2008-08-16 15:35 . 2008-08-16 15:35 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-19 21:56 . 2008-08-17 00:24 1,374 --a------ C:\WINDOWS\imsins.BAK
    2008-07-19 21:49 . 2008-07-19 21:49 <DIR> d-------- C:\Program Files\MSXML 6.0

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-17 07:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-08-17 05:40 --------- d-----w C:\Program Files\Lx_cats
    2008-08-17 05:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-20 05:11 --------- d-----w C:\Program Files\Yahoo!
    2008-07-13 16:29 --------- d-----w C:\Documents and Settings\Metal88\Application Data\Sammsoft
    2008-07-12 06:12 --------- d-----w C:\Documents and Settings\Metal88\Application Data\U3
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-02-21 20:04 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:07 15360]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
    "AROReminder "= "C:\Program Files\Advanced Registry Optimizer\ARO.exe" [2007-07-30 14:06 2081280]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-28 22:46 185896]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
    "LXCFCATS "= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 10:47 73728]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=c:\windows\system32\qomlmll.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "= ctwdm32.dll
    "aux1 "= ctwdm32.dll
    "aux2 "= ctwdm32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-03 18:07 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\WINDOWS\\system32\\lxcfcoms.exe "=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcfpswx.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP "= 135:TCP:TCP Port 135
    "5000:TCP "= 5000:TCP:TCP Port 5000
    "5001:TCP "= 5001:TCP:TCP Port 5001
    "5002:TCP "= 5002:TCP:TCP Port 5002
    "5003:TCP "= 5003:TCP:TCP Port 5003
    "5004:TCP "= 5004:TCP:TCP Port 5004
    "5005:TCP "= 5005:TCP:TCP Port 5005
    "5006:TCP "= 5006:TCP:TCP Port 5006
    "5007:TCP "= 5007:TCP:TCP Port 5007
    "5008:TCP "= 5008:TCP:TCP Port 5008
    "5009:TCP "= 5009:TCP:TCP Port 5009
    "5010:TCP "= 5010:TCP:TCP Port 5010
    "5011:TCP "= 5011:TCP:TCP Port 5011
    "5012:TCP "= 5012:TCP:TCP Port 5012
    "5013:TCP "= 5013:TCP:TCP Port 5013
    "5014:TCP "= 5014:TCP:TCP Port 5014
    "5015:TCP "= 5015:TCP:TCP Port 5015
    "5016:TCP "= 5016:TCP:TCP Port 5016
    "5017:TCP "= 5017:TCP:TCP Port 5017
    "5018:TCP "= 5018:TCP:TCP Port 5018
    "5019:TCP "= 5019:TCP:TCP Port 5019
    "5020:TCP "= 5020:TCP:TCP Port 5020

    S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 15:31]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{547daf35-187f-11dc-99eb-00045a474572}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-17 C:\WINDOWS\Tasks\A083D9009184585C.job
    - c:\docume~1\metal88\applic~1\freena~1\remotegridhtm.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-asflin - asflin.dll
    Notify-ieudapi - ieudapi.dll
    MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    MSConfigStartUp-HP Component Manager - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    MSConfigStartUp-HP Software Update - C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    MSConfigStartUp-NeroFilterCheck - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    MSConfigStartUp-OneCareUI - C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    MSConfigStartUp-SpywareBot - C:\Program Files\SpywareBot\SpywareBot.exe
    MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    MSConfigStartUp-winehq - C:\WINDOWS\hgdaxw.dll
    MSConfigStartUp-DXDllRegExe - dxdllreg.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Metal88\Application Data\Mozilla\Firefox\Profiles\wt8xczpx.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-17 15:18:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-17 15:23:10 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-17 22:23:05

    Pre-Run: 11,373,711,360 bytes free
    Post-Run: 11,331,612,672 bytes free

    178 --- E O F --- 2008-08-17 07:24:24

    ---------------------------------------------------------

    Malwarebytes' Anti-Malware 1.25
    Database version: 1062
    Windows 5.1.2600 Service Pack 2

    2:52:08 PM 8/17/2008
    mbam-log-08-17-2008 (14-52-08).txt

    Scan type: Quick Scan
    Objects scanned: 40380
    Time elapsed: 6 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 19
    Registry Values Infected: 3
    Registry Data Items Infected: 1
    Folders Infected: 11
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Program Files\Mozilla Firefox\components\ffcomponent.dll (Adware.SurfAccuracy) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DFC (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DInf (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DnngCon (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\TrafficEngine (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DNIdent (Trojan.ConHook) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\SrchAstt\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Mozilla Firefox\components\ffcomponent.dll (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080816193722209.log (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080816205324313.log (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cmd.com (Worm.Alcra) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ping.com (Worm.Alcra) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tasklist.com (Worm.Alcra) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tracert.com (Worm.Alcra) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ClickToFindandFixErrors_Intl.ico (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Metal88\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Metal88\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Metal88\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Metal88\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.


    --------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:06:08 PM, on 8/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\cleanmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: c:\windows\system32\qomlmll.dll
    O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 3943 bytes
     
    MarkyMark,
    #3
  5. 2008/08/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi MarkyMark
    OK Please do this.

    Follow this path and tell me what this folder is.

    C:\Documents and Settings\Metal88\Application Data\freena <<It begins with these 6 letters.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
c:\windows\system32\qomlmll.dll
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Please post the combofix log and a new HJT log and what that folder is.

    Let me know how things are running.

    Thanks
    Geri
     
    Geri,
    #4

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...