
[Inactive] Virus redirecting, can't download or run virus scan, etc.

Discussion in 'Malware and Virus Removal Archive' started by My2Wings, 2009/01/25.

  1. 2009/01/25
    My2Wings

    I'm having the same problem as many others here it seems. I got some evil redirect virus that sends me to strange sites like shopping sites. I can't do a system restore (freezes) or download software like Malwarebytes, Combofix, HijackThis, etc. It won't let me run or update my anti-virus program (I use AVG), and won't even let me go to sites that offer any help (thankfully I got into this one!). In another similar thread it was suggested that I download RootRepeal, which (thank goodness) I was able to do and run. Here's the log...

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/01/25 23:41
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xAA017000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7C37000 Size: 8192 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA8DC8000 Size: 45056 File Visible: No
    Status: -

    Name: TDSSijsb.sys
    Image Path: C:\WINDOWS\system32\drivers\TDSSijsb.sys
    Address: 0xAA435000 Size: 73728 File Visible: -
    Status: Hidden from Windows API!

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\system32\TDSSckvy.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSedwn.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSeuaq.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSfhvv.log
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSierd.dat
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSnhvw.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSurgi.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSuyka.log
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\twain32
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\twex.exe
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS115c.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS16ea.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS1a65.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS1e45.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS233d.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS2853.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\TDSSijsb.sys
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\TDSS609e.tmp
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\TDSS60a8.tmp
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\wt4F.tmp
    Status: Allocation size mismatch (API: 552, Raw: 0)

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\wtDF.tmp
    Status: Allocation size mismatch (API: 552, Raw: 0)

    Stealth Objects
    -------------------
    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: winlogon.exe (PID: 704) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: services.exe (PID: 752) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: lsass.exe (PID: 764) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS1a65.tmp.dll]
    Process: svchost.exe (PID: 932) Address: 0x00990000 Size: 81920

    Object: Hidden Module [Name: TDSSurgi.dll]
    Process: svchost.exe (PID: 932) Address: 0x01410000 Size: 61440

    Object: Hidden Module [Name: TDSSckvy.dll]
    Process: svchost.exe (PID: 932) Address: 0x01730000 Size: 61440

    Object: Hidden Module [Name: TDSSeuaq.dll]
    Process: svchost.exe (PID: 932) Address: 0x017e0000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: svchost.exe (PID: 932) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: svchost.exe (PID: 1036) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: svchost.exe (PID: 1136) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: svchost.exe (PID: 1200) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: svchost.exe (PID: 1348) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: Explorer.EXE (PID: 1576) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: spoolsv.exe (PID: 1704) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: ALUSchedulerSvc.exe (PID: 896) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: avgamsvr.exe (PID: 996) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: avgupsvc.exe (PID: 1080) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: mDNSResponder.exe (PID: 1116) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: HPZipm12.exe (PID: 1296) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: PRISMXL.SYS (PID: 1460) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: svchost.exe (PID: 1768) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: wdfmgr.exe (PID: 616) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: shwiconem.exe (PID: 400) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: hkcmd.exe (PID: 420) Address: 0x003d0000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: PDVDServ.exe (PID: 436) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: alg.exe (PID: 492) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: SOUNDMAN.EXE (PID: 516) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: ALCWZRD.EXE (PID: 548) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: realsched.exe (PID: 584) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: HPWuSchd2.exe (PID: 596) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: avgcc.exe (PID: 636) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: iTunesHelper.exe (PID: 660) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: DAP.EXE (PID: 728) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: ctfmon.exe (PID: 1424) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: NMBgMonitor.exe (PID: 1644) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: Kodak Software Updater.exe (PID: 2072) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: webshots.scr (PID: 2284) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: NMIndexStoreSvr.exe (PID: 2376) Address: 0x003b0000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: iPodService.exe (PID: 2532) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS2853.tmp.dll]
    Process: NMIndexingService.exe (PID: 2884) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSeuaq.dll]
    Process: OUTLOOK.EXE (PID: 1960) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSeuaq.dll]
    Process: Wpwin8.exe (PID: 3308) Address: 0x00db0000 Size: 126976

    Object: Hidden Module [Name: TDSSeuaq.dll]
    Process: firefox.exe (PID: 3580) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSeuaq.dll]
    Process: RootRepeal.exe (PID: 1676) Address: 0x10000000 Size: 126976

    Object: Hidden Code [ETHREAD: 0x869575c0]
    Process: System Address: 0x8695f288 Size: -

    Object: Hidden Code [ETHREAD: 0x86731da8]
    Process: System Address: 0xaa437d66 Size: -

    Hidden Services
    -------------------
    Service Name: TDSSserv.sys
    Image Path: C:\WINDOWS\system32\drivers\TDSSijsb.sys


    Can someone help me with what to do now?
    Thanks in advance!
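As a worked illustration of how to read a RootRepeal log like the one above, here is a small parser and triage routine. It is an added example in Python, not code from the post or from RootRepeal; the sample log is a constructed excerpt of the entries posted above, and all function and regex names are mine. It separates the expected noise (hiberfil.sys being locked, RootRepeal's own driver) from the findings that matter: a driver hidden from the Windows API, files invisible to it, a module injected into many unrelated processes, and a hidden service whose image is that hidden driver.

```python
"""Triage a RootRepeal log: added example, not code from the forum post or RootRepeal."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the first log posted in the thread.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2008
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8DC8000 Size: 45056 File Visible: No
Status: -

Name: TDSSijsb.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSijsb.sys
Address: 0xAA435000 Size: 73728 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\TDSSckvy.dll
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: TDSS2853.tmp.dll]
Process: winlogon.exe (PID: 704) Address: 0x10000000 Size: 126976

Object: Hidden Module [Name: TDSS2853.tmp.dll]
Process: services.exe (PID: 752) Address: 0x10000000 Size: 126976

Object: Hidden Module [Name: TDSSeuaq.dll]
Process: firefox.exe (PID: 3580) Address: 0x10000000 Size: 126976

Object: Hidden Code [ETHREAD: 0x869575c0]
Process: System Address: 0x8695f288 Size: -

Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSijsb.sys
"""

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|Stealth Objects|Hidden Services)\n-+\n", re.M)
KEYS = r"Name|Image Path|Address|Size|File Visible|Status|Path|Process|Service Name"
# Several "Key: value" pairs share one line (Address / Size / File Visible).
FIELD_RE = re.compile(rf"({KEYS}): (.*?)(?=\s(?:{KEYS}): |$)")
MODULE_RE = re.compile(r"Hidden Module \[Name: (.+?)\]")

def parse_record(block):
    """One blank-line-delimited record -> dict of its fields."""
    rec = {}
    for line in block.splitlines():
        if line.startswith("Object: "):  # keep its "[Name: ...]" token intact
            rec["Object"] = line[len("Object: "):]
        else:
            for m in FIELD_RE.finditer(line):
                rec[m.group(1)] = m.group(2).strip()
    return rec

def split_sections(text):
    """{section title: [record, ...]}; split() yields [preamble, title, body, ...]."""
    parts = SECTION_RE.split(text)
    return {parts[i]: [parse_record(b) for b in re.split(r"\n\s*\n", parts[i + 1].strip()) if b.strip()]
            for i in range(1, len(parts), 2)}

def triage(text):
    """Summarise the indicators that matter and leave expected noise out."""
    s = split_sections(text)
    modules, hidden_code = defaultdict(set), []
    for rec in s.get("Stealth Objects", []):
        obj = rec.get("Object", "")
        mod = MODULE_RE.search(obj)
        if mod:  # group injected modules by name so system-wide injection stands out
            modules[mod.group(1)].add(rec.get("Process", "").split(" (PID")[0])
        elif obj.startswith("Hidden Code"):
            # Only a thread object and address are reported: flag for follow-up, not a verdict.
            hidden_code.append(rec.get("Address", ""))
    hidden_drivers = [r["Image Path"] for r in s.get("Drivers", []) if "hidden" in r.get("Status", "").lower()]
    # hiberfil.sys reads "Locked", which is expected; only "Invisible" entries are concealed.
    hidden_files = [r["Path"] for r in s.get("Hidden/Locked Files", []) if r.get("Status", "").startswith("Invisible")]
    services = [(r["Service Name"], r["Image Path"]) for r in s.get("Hidden Services", [])]
    driver_set = {p.lower() for p in hidden_drivers}
    return {
        "hidden_drivers": hidden_drivers,
        "hidden_files": hidden_files,
        "hidden_modules": {n: sorted(p) for n, p in modules.items()},
        "hidden_code": hidden_code,
        "hidden_services": services,
        "service_backed_hidden_drivers": [p for _, p in services if p.lower() in driver_set],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against a full log saved from RootRepeal, the `hidden_modules` map is the quickest read: a module concealed from the API and loaded into dozens of unrelated processes, as TDSS2853.tmp.dll is in the log above, matters far more than one seen in a single process, and `service_backed_hidden_drivers` ties the hidden service to the hidden driver it loads.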
     
  2. 2009/01/26
    Geri
    Hi My2Wings
    Welcome to WindowsBBS.

    Do you have access to a computer that is not infected where you can download and transfer a tool using a Flash Drive or USB Thumb Drive to the infected machine?

    Geri
     


  4. 2009/01/27
    My2Wings
    Unfortunately, I don't. This is the only computer I've got. :(

    On Edit: I just thought of something... could I have someone with a non-infected computer download whatever I need (I'm guessing ComboFix) and put it on disk for me as long as they rename the .exe file? I don't know if this evil virus will let me install anything that I need from a disk or not.
     
    Last edited: 2009/01/27
  5. 2009/01/27
    My2Wings
    I was able to get ComboFix on my infected computer by having someone download it for me and put it on a cd which they gave me today (with the exe file renamed as mentioned in other threads). I'm uneasy about doing anything with it now without specific instruction, and at this point I don't know if there is something else I should be doing first before using it anyway. But I got it now and can get other tools by the same means if necessary (put on a cd for me or even emailed to me if that would work), so I'm ready for whatever I should do next. :)
     
  6. 2009/01/27
    Geri
    Hi
    OK good.

    Transfer the Combofix.exe to the Desktop of infected machine. Then remove the CD.

    Then run it this way from your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Post the log here.

    Thanks
    Geri
     
  7. 2009/01/28
    My2Wings
    Hiya Geri!

    I followed your instructions and did the ComboFix scan. Partway through a window popped up that said it detected rootkit activity and would need to reboot but to note on paper the following files before continuing, so here are the files it gave me to write down...

    C:/WINDOWS/system32/drivers/TDSSijsb.sys
    C:/WINDOWS/system32/TDSSedwin.dll
    C:/WINDOWS/system32/TDSSierd.dat
    C:/WINDOWS/system32/TDSSurgi.dll
    C:/WINDOWS/system32/TDSSckvy.dll
    C:/WINDOWS/system32/TDSSeuaq.dll
    C:/WINDOWS/system32/TDSSnhvw.dll
    C:/WINDOWS/system32/TDSSfhvv.log
    C:/WINDOWS/system32/TDSSuyka.log
    C:/WINDOWS/system32/TDSSnmxh.log
    C:/WINDOWS/system32/TDSShphc.dll

    I let it reboot as it wanted me to, and here's the log it gave at the end...

    ComboFix 09-01-21.04 - Owner 2009-01-28 1:52:28.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.733 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\BlondeHelp.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Application Data\Install.dat
    c:\program files\Internet Explorer\msimg32.dll
    c:\windows\NDNuninstall7_22.exe
    c:\windows\system32\drivers\TDSSijsb.sys
    c:\windows\system32\f3PSSavr.scr
    c:\windows\system32\msdtc.dll
    c:\windows\system32\TDSSckvy.dll
    c:\windows\system32\TDSSedwn.dll
    c:\windows\system32\TDSSeuaq.dll
    c:\windows\system32\TDSSfhvv.log
    c:\windows\system32\TDSShphc.dll
    c:\windows\system32\TDSSierd.dat
    c:\windows\system32\TDSSnhvw.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSurgi.dll
    c:\windows\system32\TDSSuyka.log
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSserv.sys
    -------\Legacy_TDSSserv.sys


    ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
    .

    2009-01-27 02:22 . 2009-01-27 02:22 <DIR> d-------- c:\program files\catkittymb
    2009-01-27 02:04 . 2009-01-27 17:22 <DIR> d-------- C:\ComboFix
    2009-01-21 06:40 . 2009-01-27 02:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-21 06:40 . 2009-01-21 06:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-21 06:40 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-21 06:40 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-18 20:33 . 2009-01-21 09:50 <DIR> d--hs---- c:\windows\system32\twain32

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-27 22:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-01-27 22:44 --------- d-----w c:\documents and settings\Owner\Application Data\AVG7
    2009-01-27 22:44 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2005-11-11 05:46 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
    2007-04-01 21:51 245,760 ----a-w c:\program files\opera\program\plugins\dapop.dll
    2006-12-27 18:50 66,648 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2006-12-27 18:50 54,352 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2006-12-27 18:50 34,928 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2006-12-27 18:50 46,696 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2006-12-27 18:50 172,120 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2008-08-29 21:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "MsnMsgr "= "c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-07-29 5354792]
    "Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
    "updateMgr "= "c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2007-04-24 149040]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunKistEM "= "c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
    "RemoteControl "= "c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "Reminder "= "c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
    "Mixersel "= "c:\program files\Realtek\InstallShield\mixersel.exe" [2003-11-10 369664]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-13 180269]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
    "DownloadAccelerator "= "c:\program files\DAP\DAP.EXE" [2007-04-01 4376328]
    "NeroFilterCheck "= "c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "High Definition Audio Property Page Shortcut "= "HDAudPropShortcut.exe" [2004-08-12 c:\windows\system32\Hdaudpropshortcut.exe]
    "SoundMan "= "SOUNDMAN.EXE" [2004-10-21 c:\windows\SOUNDMAN.EXE]
    "AlcWzrd "= "ALCWZRD.EXE" [2004-10-21 c:\windows\ALCWZRD.EXE]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-09-29 45056]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-07 180224]
    KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe "=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe "=
    "c:\\StubInstaller.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\DAP\\DAP.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\msncall.exe "=
    "c:\\Program Files\\mIRC\\mirc.exe "=

    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.yahoo.com
    uInternet Connection Wizard,ShellNext = hxxp://development.rcn.com/ie5/welcome/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AOL Toolbar search
    IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
    IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
    IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZC
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
    Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-28 01:56:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-01-28 1:57:47
    ComboFix-quarantined-files.txt 2009-01-28 06:57:34

    Pre-Run: 130,078,773,248 bytes free
    Post-Run: 134,557,941,760 bytes free

    161 --- E O F --- 2009-01-19 15:02:20



    Thanks so much for your help, Geri! I have to go grab some sleep now since I work tonight but will pop in when I get home after work to see if you left any info for me.

    Have a great night! :)
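The "Reg Loading Points" block of the ComboFix log above deserves a close read: it shows Security Center monitoring set to disabled, the Windows Firewall disabled for the standard profile, and LimeWire.exe among the firewall exceptions. The parser and posture check below is an added example in Python, not code from the post or from ComboFix; the sample is constructed from entries in the log above in ComboFix's REGEDIT4 form, and the function and regex names are mine. It treats the vendor-specific Security Center subkeys as items to verify rather than as tampering, since a security product can write those itself.

```python
"""Read ComboFix's 'Reg Loading Points' block: added example, not code from the post or ComboFix."""
import re

# Constructed sample in the shape of the REGEDIT4 block in the thread's ComboFix log.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-07-29 5354792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2007-04-01 4376328]
"SoundMan"="SOUNDMAN.EXE" [2004-10-21 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-09-29 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"\s*=\s*(?P<data>.*)$')
# Run entries look like "image" [yyyy-mm-dd size]; for a bare file name the bracket holds the resolved path.
RUN_DATA_RE = re.compile(r'^"(?P<image>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<extra>[^\]]+)\]$')

def parse_regedit(text):
    """{key path: {value name: raw data}}; non-registry lines (startup folders) are skipped."""
    parsed, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            current = None  # a blank line ends the key's value list
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            parsed[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            parsed[current][vm.group("name")] = vm.group("data").strip()
    return parsed

def as_int(data):
    """Decode the numeric forms ComboFix prints: 'dword:00000001' or '0 (0x0)'."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"^(\d+)", data)
    return int(m.group(1)) if m else None

def run_entries(parsed):
    """(key, value name, image path, date) for every Run-key autostart."""
    out = []
    for key, values in parsed.items():
        if key.lower().endswith(r"\currentversion\run"):
            for name, data in values.items():
                m = RUN_DATA_RE.match(data)
                if m:  # ComboFix resolves a bare file name into the bracket instead of a size
                    image = m["extra"] if not m["extra"].isdigit() else m["image"]
                    out.append((key, name, image, m["date"]))
                else:
                    out.append((key, name, data, None))
    return out

def assess(parsed):
    """Posture findings; each is verified against what is actually installed on the host."""
    def values_for(suffix):
        return next((v for k, v in parsed.items() if k.lower().endswith(suffix.lower())), {})
    sc, fw = values_for(r"\security center\Monitoring"), values_for(r"\firewallpolicy\standardprofile")
    # Vendor subkeys may be written by the security product itself, so list them for checking.
    vendor = sorted(k.rsplit("\\", 1)[1] for k, v in parsed.items()
                    if "\\security center\\monitoring\\" in k.lower()
                    and as_int(v.get("DisableMonitoring", "0")) == 1)
    return {
        "security_center_monitoring_disabled": as_int(sc.get("DisableMonitoring", "0")) == 1,
        "vendor_monitoring_disabled": vendor,
        "windows_firewall_enabled": as_int(fw.get("EnableFirewall", "1")) != 0,
        # REGEDIT4 doubles backslashes in value names; undo that for readability
        "firewall_exceptions": [n.replace("\\\\", "\\") for n in values_for(r"\AuthorizedApplications\List")],
        "run_entries": run_entries(parsed),
    }

if __name__ == "__main__":
    print(assess(parse_regedit(SAMPLE_REG)))
```

To use it on a real log, pass the text between the `REGEDIT4` line and the "Contents of the 'Scheduled Tasks' folder" line to `parse_regedit`; the run entries then give a list of autostarts with their on-disk paths and timestamps to compare against what the machine is known to have installed.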
     
  8. 2009/01/28
    Geri
    Hi
    OK, looks good. First, some advice.

    I see you have P2P software ( Limewire, BitTorrent uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    Do you know what this is?

    c:\program files\catkittymb

    Please run RootRepeal again and post its log.

    Thanks
    Geri
     
  9. 2009/01/29
    My2Wings
    Hiya Geri!

    The catkittymb.exe file is the exe file to install Malwarebytes but I couldn't get it to finish installing (it would freeze right at the end) so I tried it again after renaming it like with the ComboFix, but it did the same thing (froze) when trying to install it. The Malwarebytes was the one I tried before I was able to get the ComboFix, but I was only able to download it at all from a site that the evil virus didn't recognize (and thus block me out). For that reason, I'm not even sure if it's the most current version.

    Good idea about the P2P software. One of the DJs at work told me the same thing about not using it about a year ago and I haven't used it since. I know I had Limewire but apparently I never got around to uninstalling it. I'll do that for sure once I get things fixed and running right again on my computer. Did you see any other ones besides the Limewire? I know I looked into BitTorrent a long time ago but I don't remember if I ever put it on the computer or not (I know I never used it, but if I have it, I want it gone). I don't see it on here, but maybe it could be somewhere other than my desktop that I'm not seeing. :eek:

    Ok, here's the new RootRepeal log...

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/01/28 13:17
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: catchme.sys
    Image Path: C:\BlondeHelp\catchme.sys
    Address: 0xF7999000 Size: 30592 File Visible: No
    Status: -

    Name: Combo-Fix.sys
    Image Path: Combo-Fix.sys
    Address: 0xF7751000 Size: 60416 File Visible: No
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xAA1DD000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7BEB000 Size: 8192 File Visible: No
    Status: -

    Name: PROCEXP90.SYS
    Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
    Address: 0xF7BFF000 Size: 6464 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA9737000 Size: 45056 File Visible: No
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Stealth Objects
    -------------------
    Object: Hidden Code [ETHREAD: 0x8694fb98]
    Process: System Address: 0x86957288 Size: -


    Thanks for your help, Geri! :)
     
  10. 2009/01/29
    Geri
    Hi
    I did not see any signs of BitTorrent.

    OK, that log looks good.

    Now let's get an online scan.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the “Scan Report” On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri

    ================================================================

    Delete the Malwarebytes you have; you should be able to download it now.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  11. 2009/01/30
    My2Wings
    I downloaded the ATF Cleaner, followed the instructions, and that went well.

    I tried several times to do the Kaspersky scan next but something went wrong with this. The first attempt, after accepting, it started to download immediately as there was no "Run" prompt to click, and I got a message from Firefox that there was a problem and it needed to close. So I tried again, and this time while downloading the window just disappeared without any warning. Same thing on the third attempt. So I tried using IE as the browser, and after accepting I got a pop-up message that Windows was blocking the site as it didn't recognize the provider (even though I told it to allow Kaspersky).

    So I went ahead and downloaded Malwarebytes from the first link you recommended and did that scan, hoping that would clear up any problem that was causing weirdness with Kaspersky. That scan went well, and here's the log...

    Malwarebytes' Anti-Malware 1.33
    Database version: 1707
    Windows 5.1.2600 Service Pack 3

    1/29/2009 4:23:27 PM
    mbam-log-2009-01-29 (16-23-27).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 154074
    Time elapsed: 39 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 17
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mixersel (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Realtek\InstallShield\mixersel.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSckvy.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSedwn.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSeuaq.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSurgi.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1174\A0106279.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1174\A0106261.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1174\A0106262.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1174\A0106263.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1174\A0106264.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1174\A0106280.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\DMUSIC32.DLL (Trojan.Agent) -> Quarantined and deleted successfully.

    --------------------------------------

    MBAM didn't tell me rebooting was necessary, so I didn't reboot. I tried the Kaspersky scan again, and once again it disappeared without warning while downloading. Tried it a second time, and it disappeared almost immediately after clicking the link from here (never even had a second to accept anything... the site popped up and immediately disappeared :confused:). Should I reboot anyway and then try Kaspersky again? Not sure what to do about that.

    Thanks again, Geri! :)
     
  12. 2009/01/30
    Geri
    Hi
    OK, let's try this one.

    Make sure you run ATF Cleaner before doing the scan.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Thanks
    Geri
     
  13. 2009/01/31
    My2Wings (Thread Starter)
    I'm not sure the Panda scan worked exactly right, because twice during the scan I got a pop-up that said there was a script that was either busy or not working, and I could either continue or abort. Both times I had it continue, and it did finish. Here's the report...

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-01-30 20:26:03
    PROTECTIONS: 0
    MALWARE: 26
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00034477 spyware/new.net Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
    00040474 dialer.bew Dialers No 0 Yes No c:\windows\system32\search.html
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.casalemedia.com/]
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.doubleclick.net/]
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.atdmt.com/]
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.fastclick.net/]
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.tribalfusion.com/]
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.mediaplex.com/]
    00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.centrport.net/]
    00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.belnk.com/]
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.com.com/]
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.com.com/]
    00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.yadro.ru/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\sessionstore.js[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\sessionstore.js[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.ad.yieldmanager.com/]
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.burstnet.com/]
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.burstnet.com/]
    00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.888.com/]
    00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.888.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.advertising.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.advertising.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.advertising.com/]
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.questionmarket.com/]
    00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.did-it.com/]
    00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.did-it.com/]
    00253719 Spyware/New.net Spyware No 1 Yes No C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1174\A0106283.exe
    00253719 Spyware/New.net Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall7_22.exe.vir
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.atwola.com/]
    00325244 Application/MyWebSearch HackTools No 0 Yes No C:\Documents and Settings\Owner\My Documents\SetupFiles\CursorManiaSetup2.1.50.3-3.exe
    00444112 Bck/Tdss.C Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip[TDSSijsb.sys]
    01658840 Trj/WmaDownloader.F Virus/Trojan No 0 Yes Yes C:\My Music\cold heat megamix j. rocc 34.wma
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1174\A0106266.sys
    03738695 Generic Malware Virus/Trojan No 0 No No C:\My Download Files\Nero(2)[Nero 8.2.8.0 Keygen Ultra Edition.exe]
    03738695 Generic Malware Virus/Trojan No 0 Yes No C:\Cracks\Nero 8.2.8.0 Keygen Ultra Edition.exe
    04761320 Generic Trojan Virus/Trojan No 0 Yes Yes C:\Documents and Settings\Owner\Desktop\BlondeHelp.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location K
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description K
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    Thanks again, Geri! :)
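A triage pass over the two scanner reports posted in this thread (the MBAM 1.33 log above and the Panda ActiveScan report in this post), as an added example that is not code from the thread, from Malwarebytes or from Panda. The point it makes is the one a removal helper makes when reading these logs: detections under C:\Qoobox\Quarantine and C:\System Volume Information\_restore are copies ComboFix or System Restore already set aside, and tracking cookies are privacy noise, so the only lines that still need a human are live files and registry entries the scanner could not disinfect. The line formats are inferred from the posted logs, the sample lines are copied from them, and the location buckets are the editor's own rules of thumb.

```python
"""Triage of MBAM 1.x and Panda ActiveScan report lines (added example)."""
import re
from collections import Counter

# MBAM 1.x result line:  <file or registry location> (<family>) -> <action>
MBAM_RE = re.compile(r"^(?P<loc>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Panda ActiveScan MALWARE row, columns as printed in the report header:
# Id Description Type Active Severity Disinfectable Disinfected Location
PANDA_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<sev>\d)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<loc>\S.*)$"
)


def classify_location(loc: str) -> str:
    """Bucket a detection by where it sits (editor's assumed rules)."""
    low = loc.lower()
    if "\\qoobox\\quarantine\\" in low:
        return "quarantine"        # already moved there by ComboFix; inert
    if "\\system volume information\\_restore" in low:
        return "restore-point"     # inert unless System Restore re-applies it
    if "cookies.txt[" in low or "sessionstore.js[" in low:
        return "tracking-cookie"   # privacy noise, no code execution
    if low.startswith("hkey_"):
        return "registry"
    return "live-file"


def parse_mbam(text: str) -> list:
    items = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            items.append({"loc": m["loc"], "family": m["family"],
                          "handled": m["action"].startswith("Quarantined"),
                          "bucket": classify_location(m["loc"])})
    return items


def parse_panda(text: str) -> list:
    items = []
    for line in text.splitlines():
        m = PANDA_RE.match(line.strip())
        if m:
            items.append({"loc": m["loc"], "family": m["desc"],
                          "handled": m["disinfected"] == "Yes",
                          "bucket": classify_location(m["loc"])})
    return items


def triage(items: list):
    """Return (count per bucket, detections that still need a human).

    Only live files and registry entries the scanner left in place are worth
    acting on; quarantine and restore-point copies are already disarmed and
    cookies are cleared by the browser or ATF Cleaner."""
    counts = Counter(i["bucket"] for i in items)
    pending = [i for i in items
               if i["bucket"] in ("live-file", "registry") and not i["handled"]]
    return counts, pending


# Constructed sample: a handful of lines copied from the logs posted in the thread.
MBAM_SAMPLE = r"""
C:\Program Files\Realtek\InstallShield\mixersel.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSckvy.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1174\A0106261.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mixersel (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
"""

PANDA_SAMPLE = r"""
00034477 spyware/new.net Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
00040474 dialer.bew Dialers No 0 Yes No c:\windows\system32\search.html
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.casalemedia.com/]
00444112 Bck/Tdss.C Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip[TDSSijsb.sys]
03738695 Generic Malware Virus/Trojan No 0 No No C:\My Download Files\Nero(2)[Nero 8.2.8.0 Keygen Ultra Edition.exe]
04761320 Generic Trojan Virus/Trojan No 0 Yes Yes C:\Documents and Settings\Owner\Desktop\BlondeHelp.exe
"""

if __name__ == "__main__":
    for name, items in (("MBAM", parse_mbam(MBAM_SAMPLE)),
                        ("Panda", parse_panda(PANDA_SAMPLE))):
        counts, pending = triage(items)
        print(name, dict(counts))
        for i in pending:
            print("  still present:", i["family"], "at", i["loc"])
```

Run against the sample it reports every MBAM line as handled (all four say "Quarantined and deleted successfully"), while the Panda sample leaves three items pending: the New.net registry key, c:\windows\system32\search.html and the keygen archive, which is exactly the set Geri's next reply asks the poster to deal with by hand.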
     
  14. 2009/01/31
    Geri
    Hi
    First.
    We do not approve of hacked, cracked or otherwise stolen programs. Before you receive any further help you need to delete/remove any and all such programs. If you do not, the help stops here.

    C:\Cracks\Nero 8.2.8.0 Keygen Ultra Edition.exe

    After removing all cracked programs post a DDS log here.

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
    Save both reports to your desktop and post the contents of both DDS logs.

    Geri
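What a helper then does with the DDS output requested here, as an added example that is not code from the thread or from the DDS tool. It runs the first checks over the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections: toolbar and BHO CLSIDs whose DLL is gone ("- No File"), Run entries that name a bare executable rather than a full path (the shape a search-order hijack takes, though usually just vendor laziness), and services whose binary DDS could not find ("[?]"). The line shapes are inferred from the DDS log posted in the next reply, the sample lines are copied from it, and the checklist is the editor's own.

```python
"""First-pass checks over DDS "Pseudo HJT Report" lines (added example)."""
import re

# "<kind>: <rest>"   e.g.  TB: {CLSID} - No File   /   mRun: [Name] command
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z][A-Za-z \-]*?):\s+(?P<rest>.+)$")
# "<state> <name>;<display name>;<image path> [date size]"  (DDS service line)
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);\s*(?P<image>.+)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

AUTOSTART_KINDS = {"uRun", "mRun", "mRunOnce", "StartupFolder"}
BROWSER_KINDS = {"BHO", "TB", "EB", "uURLSearchHooks"}


def entries(text: str):
    """Yield (kind, rest) for every 'kind: rest' line in the report."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["kind"], m["rest"]


def orphaned_browser_objects(text: str) -> list:
    """Toolbar/BHO registrations whose DLL no longer exists ("- No File").

    Left behind by a sloppy uninstall or a partial removal; harmless alone,
    but cleaning them keeps the next log readable."""
    found = []
    for kind, rest in entries(text):
        if kind in BROWSER_KINDS and rest.endswith("- No File"):
            m = CLSID_RE.search(rest)
            found.append((kind, m.group(0) if m else rest))
    return found


def executable_of(cmd: str) -> str:
    """First token of a Run command, honouring a quoted path.
    An unquoted path containing spaces is cut at the first space, which is
    still enough to tell an absolute path from a bare file name."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def autostarts_without_full_path(text: str) -> list:
    """Run entries that name a bare file, resolved through the search path,
    instead of an absolute or %VAR%-rooted path."""
    flagged = []
    for kind, rest in entries(text):
        if kind not in AUTOSTART_KINDS:
            continue
        m = RUN_RE.match(rest)
        if not m:
            continue
        exe = executable_of(m["cmd"])
        if ":\\" not in exe and not exe.startswith("%"):
            flagged.append((m["name"], exe))
    return flagged


def services_with_missing_binary(text: str) -> list:
    """Registered services/drivers whose image DDS could not find ("[?]")."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m["image"].rstrip().endswith("[?]"):
            out.append((m["state"], m["name"].strip()))
    return out


# Constructed sample: lines copied from the DDS log posted in the next reply.
SAMPLE = r"""
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe "
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-1 325128]
S2 navapsvc;Norton AntiVirus Auto-Protect Service; "c:\program files\norton antivirus\navapsvc.exe" --> c:\program files\norton antivirus\navapsvc.exe [?]
"""

if __name__ == "__main__":
    print("orphaned browser objects:", orphaned_browser_objects(SAMPLE))
    print("bare-name autostarts:", autostarts_without_full_path(SAMPLE))
    print("services with missing binary:", services_with_missing_binary(SAMPLE))
```

None of the three findings on the sample is malware: two dead toolbar CLSIDs, a Realtek entry launched by bare name, and a leftover Norton service pointing at an uninstalled binary. That is the value of the pass: it separates cleanup items from the live entries (BHOs with a present DLL, the AVG drivers) that a reviewer still has to read by hand.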
     
  15. 2009/02/02
    My2Wings (Thread Starter)
    Ok, I think I've gotten rid of everything that could have been stolen... I'm not the only one who used this computer, so there's a lot of stuff on here that I don't know what it is or where it came from. Until I looked it up on the internet, I didn't even know what a crack was (and I still don't think I understand it). I went through everything on here and dumped anything that looked hinky... there's still a lot of stuff that I don't know what it does, but I figured out it's freeware or a trial version that expired. It took a while, but I think anything creepy is gone now. I don't know anything about stealing stuff, so I don't really know what to look for, so I just went through everything and dumped any programs that I couldn't figure out and could be suspicious. Once I get this computer all cleaned up I'm going to break my brother's legs, since I know it had to be him that did this. :mad:


    Here's the DDS logs...


    DDS (Ver_09-02-01.01) - NTFSx86
    Run by Owner at 11:54:49.10 on Sun 02/01/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.431 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.yahoo.com
    uInternet Connection Wizard,ShellNext = hxxp://development.rcn.com/ie5/welcome/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar5.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
    uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe "
    mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe "
    mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
    IE: &AOL Toolbar search
    IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
    IE: &Download with &DAP - c:\program files\dap\dapextie.htm
    IE: &Search
    IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
    IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
    IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
    Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\wm56u900.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-1 325128]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-1 27656]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-1 107272]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 298264]
    S2 navapsvc;Norton AntiVirus Auto-Protect Service; "c:\program files\norton antivirus\navapsvc.exe" --> c:\program files\norton antivirus\navapsvc.exe [?]

    =============== Created Last 30 ================

    2009-02-01 03:55 <DIR> --d-h--- C:\$AVG8.VAULT$
    2009-02-01 03:47 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-02-01 03:47 10,520 a------- c:\windows\system32\avgrsstx.dll
    2009-02-01 03:47 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-02-01 03:47 <DIR> --d----- c:\windows\system32\drivers\Avg
    2009-02-01 03:47 <DIR> --d----- c:\program files\AVG
    2009-02-01 03:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2009-01-30 10:21 28,544 a------- c:\windows\system32\drivers\pavboot.sys
    2009-01-30 10:12 <DIR> --d----- c:\program files\Panda Security
    2009-01-29 14:53 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
    2009-01-27 18:12 <DIR> --d----- C:\cmdcons
    2009-01-27 17:23 161,792 a------- c:\windows\SWREG.exe
    2009-01-27 17:23 98,816 a------- c:\windows\sed.exe
    2009-01-27 02:22 <DIR> --d----- c:\program files\catkittymb
    2009-01-27 02:04 <DIR> --d----- C:\ComboFix
    2009-01-21 06:40 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-01-21 06:40 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-21 06:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-01-21 06:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-01-18 20:33 <DIR> --dsh--- c:\windows\system32\twain32

    ==================== Find3M ====================

    2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
    2005-11-11 00:46 0 a------- c:\docume~1\owner\applic~1\wklnhst.dat
    2008-08-29 16:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

    ============= FINISH: 11:55:02.65 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-02-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/9/2005 8:18:58 PM
    System Uptime: 1/27/2009 1:51:21 PM (118 hours ago)

    Motherboard: Intel Corporation | | D915GAG
    Processor: Intel(R) Pentium(R) 4 CPU 2.93GHz | | 2932/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 144 GiB total, 125.831 GiB free.
    D: is FIXED (FAT32) - 5 GiB total, 2.712 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1085: 10/23/2008 10:18:27 PM - System Checkpoint
    RP1086: 10/24/2008 11:07:26 PM - System Checkpoint
    RP1087: 10/25/2008 11:18:26 PM - System Checkpoint
    RP1088: 10/27/2008 12:18:27 AM - System Checkpoint
    RP1089: 10/28/2008 12:55:55 AM - System Checkpoint
    RP1090: 10/28/2008 3:18:10 AM - Software Distribution Service 3.0
    RP1091: 10/29/2008 3:48:18 AM - System Checkpoint
    RP1092: 10/30/2008 5:51:46 AM - System Checkpoint
    RP1093: 10/31/2008 6:48:19 AM - System Checkpoint
    RP1094: 11/1/2008 7:07:45 AM - System Checkpoint
    RP1095: 11/2/2008 7:06:44 AM - System Checkpoint
    RP1096: 11/3/2008 9:17:39 AM - System Checkpoint
    RP1097: 11/4/2008 9:19:28 AM - System Checkpoint
    RP1098: 11/5/2008 10:04:58 AM - System Checkpoint
    RP1099: 11/6/2008 11:04:56 AM - System Checkpoint
    RP1100: 11/7/2008 12:04:55 PM - System Checkpoint
    RP1101: 11/8/2008 1:30:50 PM - System Checkpoint
    RP1102: 11/9/2008 2:04:55 PM - System Checkpoint
    RP1103: 11/10/2008 3:04:54 PM - System Checkpoint
    RP1104: 11/11/2008 5:02:12 PM - System Checkpoint
    RP1105: 11/12/2008 5:04:29 PM - System Checkpoint
    RP1106: 11/13/2008 8:02:04 AM - Software Distribution Service 3.0
    RP1107: 11/14/2008 9:20:28 AM - System Checkpoint
    RP1108: 11/15/2008 9:23:35 AM - System Checkpoint
    RP1109: 11/16/2008 9:24:37 AM - System Checkpoint
    RP1110: 11/17/2008 9:29:57 AM - System Checkpoint
    RP1111: 11/18/2008 10:23:34 AM - System Checkpoint
    RP1112: 11/19/2008 11:23:34 AM - System Checkpoint
    RP1113: 11/20/2008 12:23:34 PM - System Checkpoint
    RP1114: 11/21/2008 1:23:34 PM - System Checkpoint
    RP1115: 11/22/2008 2:22:56 PM - System Checkpoint
    RP1116: 11/23/2008 2:24:39 PM - System Checkpoint
    RP1117: 11/24/2008 4:14:27 PM - System Checkpoint
    RP1118: 11/25/2008 4:23:10 PM - System Checkpoint
    RP1119: 11/26/2008 5:23:10 PM - System Checkpoint
    RP1120: 11/27/2008 7:14:51 PM - System Checkpoint
    RP1121: 11/28/2008 7:23:09 PM - System Checkpoint
    RP1122: 11/29/2008 8:23:09 PM - System Checkpoint
    RP1123: 11/30/2008 9:23:09 PM - System Checkpoint
    RP1124: 12/1/2008 10:23:04 PM - System Checkpoint
    RP1125: 12/2/2008 10:35:22 PM - System Checkpoint
    RP1126: 12/3/2008 11:22:52 PM - System Checkpoint
    RP1127: 12/5/2008 12:22:53 AM - System Checkpoint
    RP1128: 12/6/2008 12:41:37 AM - System Checkpoint
    RP1129: 12/7/2008 1:41:38 AM - System Checkpoint
    RP1130: 12/8/2008 3:17:32 AM - System Checkpoint
    RP1131: 12/9/2008 4:43:22 AM - System Checkpoint
    RP1132: 12/10/2008 5:56:50 AM - System Checkpoint
    RP1133: 12/11/2008 6:41:45 AM - System Checkpoint
    RP1134: 12/12/2008 6:42:50 AM - System Checkpoint
    RP1135: 12/12/2008 11:54:58 AM - Software Distribution Service 3.0
    RP1136: 12/12/2008 6:24:22 PM - Software Distribution Service 3.0
    RP1137: 12/13/2008 7:21:57 PM - System Checkpoint
    RP1138: 12/14/2008 8:21:59 PM - System Checkpoint
    RP1139: 12/15/2008 9:21:57 PM - System Checkpoint
    RP1140: 12/16/2008 9:22:57 PM - System Checkpoint
    RP1141: 12/17/2008 10:21:52 PM - System Checkpoint
    RP1142: 12/18/2008 11:21:52 PM - System Checkpoint
    RP1143: 12/20/2008 12:21:52 AM - System Checkpoint
    RP1144: 12/21/2008 1:21:52 AM - System Checkpoint
    RP1145: 12/22/2008 2:21:54 AM - System Checkpoint
    RP1146: 12/23/2008 3:21:34 AM - System Checkpoint
    RP1147: 12/24/2008 4:21:27 AM - System Checkpoint
    RP1148: 12/25/2008 5:21:27 AM - System Checkpoint
    RP1149: 12/26/2008 6:21:27 AM - System Checkpoint
    RP1150: 12/27/2008 7:21:27 AM - System Checkpoint
    RP1151: 12/28/2008 9:21:28 AM - System Checkpoint
    RP1152: 12/29/2008 10:21:27 AM - System Checkpoint
    RP1153: 12/30/2008 11:21:11 AM - System Checkpoint
    RP1154: 12/31/2008 12:08:07 PM - System Checkpoint
    RP1155: 1/1/2009 12:21:13 PM - System Checkpoint
    RP1156: 1/2/2009 1:21:11 PM - System Checkpoint
    RP1157: 1/3/2009 2:25:21 PM - System Checkpoint
    RP1158: 1/4/2009 3:21:11 PM - System Checkpoint
    RP1159: 1/5/2009 4:21:11 PM - System Checkpoint
    RP1160: 1/6/2009 5:20:54 PM - System Checkpoint
    RP1161: 1/7/2009 6:20:54 PM - System Checkpoint
    RP1162: 1/8/2009 6:21:59 PM - System Checkpoint
    RP1163: 1/9/2009 7:20:54 PM - System Checkpoint
    RP1164: 1/10/2009 8:20:54 PM - System Checkpoint
    RP1165: 1/11/2009 9:20:54 PM - System Checkpoint
    RP1166: 1/12/2009 10:20:53 PM - System Checkpoint
    RP1167: 1/13/2009 10:57:40 PM - System Checkpoint
    RP1168: 1/14/2009 11:20:39 PM - System Checkpoint
    RP1169: 1/16/2009 12:20:40 AM - System Checkpoint
    RP1170: 1/17/2009 1:20:40 AM - System Checkpoint
    RP1171: 1/18/2009 2:20:39 AM - System Checkpoint
    RP1172: 1/19/2009 3:20:40 AM - System Checkpoint
    RP1173: 1/19/2009 10:00:18 AM - Software Distribution Service 3.0
    RP1174: 1/20/2009 10:13:05 AM - System Checkpoint
    RP1175: 2/1/2009 3:47:33 AM - Installed AVG Free 8.0
    RP1176: 2/1/2009 9:06:56 AM - Avg8 Update

    ==== Installed Programs ======================

    6200
    6200_Help
    6200Trb
    Ad-Aware SE Personal
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 9 ActiveX
    Adobe Fonts All
    Adobe Help Viewer 1.1
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 7.0.9
    Adobe Setup
    Adobe Shockwave Player
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AiO_Scan
    AiOSoftware
    Alohabob PC Relocator Ultra Control
    AniTuner 1.1
    Apple Software Update
    AVG Free 8.0
    Bonjour
    BufferChm
    CCScore
    Click'N Design 3D (V5)
    Copy
    Corel Uninstaller
    Corel WordPerfect Suite 8
    CP_AtenaShokunin1Config
    cp_dwShrek2Albums1
    cp_dwShrek2Cards1
    CreativeProjects
    CreativeProjectsTemplates
    CueTour
    Destinations
    Digital Media Reader
    Director
    DocProc
    DocumentViewer
    Download Accelerator Plus (DAP)
    eMusic - 100 Free MP3 offer
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESShelp
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    essvatgt
    essvcpt
    Fax
    Free Mp3 Wma Converter V 1.5.1
    GdiplusUpgrade
    Google Toolbar for Internet Explorer
    Google Video Player
    GraphicCorp's Browser+
    GTK+ 2.8.18-1 runtime environment
    High Definition Audio Driver Package - KB835221
    HLPPDOCK
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    HP Image Zone 4.7
    HP Product Assistant
    HP PSC & OfficeJet 4.7
    HP Software Update
    HPSystemDiagnostics
    InstantShare
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Adapters and Drivers
    Inverse IP InSight 4.2 (RCN)
    Ipswitch WS_FTP LE
    Ipswitch WS_FTP Pro
    IrfanView (remove only)
    iTunes
    J2SE Runtime Environment 5.0 Update 2
    kgcbase
    Kodak EasyShare software
    KSU
    LimeWire 4.12.6
    LiveUpdate 3.1 (Symantec Corporation)
    Macromedia Dreamweaver 4
    Macromedia Extension Manager
    Macromedia Flash 5
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Macromedia Flash Player 8
    Macromedia Flash Player 8 Plugin
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2005
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Standard Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Microsoft XML Parser
    mIRC
    Mozilla Firefox (2.0.0.1)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Napster
    Nero 7 Ultra Edition
    Nero BurnRights
    neroxml
    Netscape Browser (remove only)
    Notifier
    OfotoXMI
    Opera 9.02
    OTtBP
    OTtBPSDK
    Paint Shop Pro 7
    Panda ActiveScan 2.0
    PanoStandAlone
    PhotoGallery
    PixelToolbox 1.1
    PowerDVD
    ProductContext
    Pure Networks Port Magic
    QFolder
    QuickTime
    Readme
    RealPlayer
    Realtek High Definition Audio Driver
    Recovery Software Suite eMachines
    RegVac - Trial Version
    Scan
    ScannerCopy
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    SFR
    SHASTA
    SKIN0001
    SkinsHP1
    SKINXSDK
    SoftV92 Data Fax Modem with SmartCP
    Sothink SWF Quicker
    SoundTaxi 1.3.1
    Sqirlz Water Reflections
    staticcr
    SWF Image Creator
    The Weather Channel Desktop
    TrayApp
    U.S. Robotics ControlCenter
    Unload
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    VCRedistSetup
    Verizon FiOS Activation
    Verizon FiOS Connection Wizard
    Viewpoint Media Player
    VPRINTOL
    WebFldrs XP
    WebReg
    Webshots Desktop
    Winamp (remove only)
    Windows Backup Utility
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Messenger
    Windows XP Service Pack 3
    WinRAR archiver
    WIRELESS
    Yahoo! Browser Services
    Yahoo! Mail
    Yahoo! Messenger
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    1/27/2009 5:55:45 AM, error: Service Control Manager [7000] - The Norton AntiVirus Auto-Protect Service service failed to start due to the following error: The system cannot find the file specified.
    1/27/2009 5:49:38 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    1/30/2009 1:51:56 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 001320ADFA31 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================


    Thanks again, Geri! :)
     
  16. 2009/02/02
    Geri
    Hi
    OK please do the following in the order given.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Code:
    File::
    C:\Documents and Settings\Owner\Desktop\BlondeHelp.exe
    C:\My Music\cold heat megamix j. rocc 34.wma
    c:\program files\norton antivirus\navapsvc.exe

    Updating Java and Clearing Cache
    1. Go to Start > Control Panel and double-click on the Java Icon (coffee cup) in the Control Panel.
    2. It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    3. If you are unable to update you can manually update by going here:
    4. After the reboot, go back into the Control Panel and double-click the Java Icon.
    5. On the general tab, at the bottom it has "temporary internet files"
    6. Click the settings button. Then the Delete files button.
    7. There are two options in the window to clear the cache - Leave both Checked

      • Applications and Applets
      • Trace and Log files
    8. Click OK
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    9. Click OK to leave the Java Control Panel.
    10. Delete older versions from Add/Remove list.

    Download a copy of HijackThis installer from here and save it to your Desktop.

    1. Save HJTInstall.exe to your desktop.
    2. Double-click on the HJTInstall.exe icon on your desktop.
      (Let it install to the default location C:\Program Files\Hijackthis)
    3. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    4. Put a check by Create a desktop icon and then click Next again.
    5. Continue to follow the rest of the prompts from there.
    6. At the final dialogue box click Finish and it will launch HijackThis.
    7. Click on the Do a system scan and save a log file button.
      (It will scan and the log should open in Notepad.)
    8. Click on "Edit" > "Select All" to highlight the entire Notepad contents.
    9. Then click on "Edit" > "Copy".
    10. Come back here to this thread and Paste the log in your next reply.
      (Right-click in the message body field and select "Paste".)
    CAUTION: DO NOT have HijackThis "fix" anything without carefully following expert guidance. Otherwise, you might render your computer unstable or even unbootable. Most of what HijackThis finds will be harmless or even required.

    Please post the Combofix log and the Hijackthis log.

    Thanks
    Geri
     
  17. 2009/02/03
    My2Wings (Thread Starter)
    ComboFix (renamed to BlondeHelp.exe) has mysteriously disappeared. I did a search for it, and it's just gone. :eek: Should I put it back on from the disk or has something gone horribly wrong? I'm nervous about doing this next step without getting an ok in case something went wrong here, and I'm inclined to think something went wrong since it just vanished for no apparent reason. :(

    Sorry if I'm seeming paranoid, but I want to be absolutely sure I'm doing everything right with no surprises. I'm discovering that computers and surprises are really really icky.

    Thanks so much, Geri! :)
     
  18. 2009/02/03
    Geri
    Hi
    OK try just downloading it from here, and run the script I posted.

    Download ComboFix from Here to your Desktop.

    Geri
     
  19. 2009/02/04
    My2Wings (Thread Starter)
    Ok, here's the ComboFix log...

    ComboFix 09-02-03.01 - Owner 2009-02-03 10:25:46.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.459 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\documents and settings\Owner\Desktop\ComboFix.exe
    c:\my music\cold heat megamix j. rocc 34.wma
    c:\program files\norton antivirus\navapsvc.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Desktop\ComboFix.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
    .

    2009-02-01 03:55 . 2009-02-03 08:10 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-02-01 03:47 . 2009-02-03 09:10 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-02-01 03:47 . 2009-02-01 03:47 <DIR> d-------- c:\program files\AVG
    2009-02-01 03:47 . 2009-02-01 03:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-02-01 03:47 . 2009-02-01 03:47 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-02-01 03:47 . 2009-02-01 03:47 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-02-01 03:47 . 2009-02-01 03:47 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-01-30 10:21 . 2009-01-30 10:21 <DIR> d-------- c:\windows\LastGood
    2009-01-30 10:21 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2009-01-30 10:12 . 2009-01-30 10:12 <DIR> d-------- c:\program files\Panda Security
    2009-01-29 14:53 . 2009-01-29 14:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-01-27 02:22 . 2009-01-27 02:22 <DIR> d-------- c:\program files\catkittymb
    2009-01-21 06:40 . 2009-01-29 14:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-21 06:40 . 2009-01-21 06:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-21 06:40 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-21 06:40 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-18 20:33 . 2009-01-21 09:50 <DIR> d--hs---- c:\windows\system32\twain32

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-27 22:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2005-11-11 05:46 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
    2007-04-01 21:51 245,760 ----a-w c:\program files\opera\program\plugins\dapop.dll
    2006-12-27 18:50 66,648 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2006-12-27 18:50 54,352 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2006-12-27 18:50 34,928 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2006-12-27 18:50 46,696 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2006-12-27 18:50 172,120 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2008-08-29 21:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-28_ 1.56.47.61 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-02-01 08:47:43 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-07-29 5354792]
    "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2007-04-24 149040]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-13 180269]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
    "DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2007-04-01 4376328]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 c:\windows\system32\Hdaudpropshortcut.exe]
    "SoundMan"="SOUNDMAN.EXE" [2004-10-21 c:\windows\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2004-10-21 c:\windows\ALCWZRD.EXE]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-09-29 45056]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-07 180224]
    KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-02-01 03:47 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\DAP\\DAP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msncall.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-01 325128]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-01 107272]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-01 298264]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - AVG8WD
    *NewlyCreated* - AVGLDX86
    *NewlyCreated* - AVGMFX86
    *NewlyCreated* - AVGTDIX
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.yahoo.com
    uInternet Connection Wizard,ShellNext = hxxp://development.rcn.com/ie5/welcome/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AOL Toolbar search
    IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
    IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
    IE: &Search
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
    Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-03 10:28:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-02-03 10:30:27
    ComboFix-quarantined-files.txt 2009-02-03 15:30:15
    ComboFix2.txt 2009-01-28 06:57:48

    Pre-Run: 135,036,780,544 bytes free
    Post-Run: 135,018,606,592 bytes free

    169 --- E O F --- 2009-01-19 15:02:20



    After it was done doing its thing and giving me the log, ComboFix.exe vanished again... I guess it's supposed to do that.

    I went through the steps with the Java next, and that went well except the last step where I'm to delete older versions from the Add/Remove list. All I found was J2SE Runtime Environment 5.0 Update 2 but I don't know if that's an older version or not... it was the only one there was (and I only could recognize it by the coffee cup icon).

    I'll do the HijackThis step later because I have to go to sleep now (this took a lot longer than I thought). I may or may not be able to post that log before you pop back again, but I'll post it when I get home from work late tonight.

    Thanks again, Geri! :)
     
  20. 2009/02/04
    Geri
    Hi
    OK please post a new Panda scan also.

    Thanks
    Geri
     
  21. 2009/02/06
    My2Wings (Thread Starter)
    Ok, here's the HijackThis log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:57:38 PM, on 2/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\PROGRA~1\WEBSHOTS\webshots.scr
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://development.rcn.com/ie5/welcome/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - S-1-5-18 Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon FiOS Installer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 9973 bytes


    And here's the Panda scan log...

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-02-05 16:24:59
    PROTECTIONS: 1
    MALWARE: 21
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    AVG Anti-Virus Free 8.0 No Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00040474 dialer.bew Dialers No 0 Yes No c:\windows\system32\search.html
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.doubleclick.net/]
    00145869 Cookie/SpyLog TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.spylog.com/]
    00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.belnk.com/]
    00162900 Cookie/MediaTickets TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.kinghost.com/]
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.com.com/]
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.com.com/]
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.com.com/]
    00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.xiti.com/]
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.statcounter.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[ad.yieldmanager.com/]
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.apmebf.com/]
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.apmebf.com/]
    00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.888.com/]
    00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.888.com/]
    00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[server.iad.liveperson.net/hc/56961633]
    00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[server.iad.liveperson.net/]
    00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[server.iad.liveperson.net/hc/59986001]
    00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[stat.onestat.com/]
    00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[stat.onestat.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.go.com/]
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.target.com/]
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\cookies.txt[.target.com/]
    00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.did-it.com/]
    00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.did-it.com/]
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\fr0supb9.default\cookies.txt[.atwola.com/]
    00325244 Application/MyWebSearch HackTools No 0 Yes No C:\Documents and Settings\Owner\My Documents\SetupFiles\CursorManiaSetup2.1.50.3-3.exe
    03738695 Generic Malware Virus/Trojan No 0 No No C:\My Download Files\Nero(2)[Nero 8.2.8.0 Keygen Ultra Edition.exe]
    03738695 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0106388.exe
    04761320 Generic Trojan Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1174\A0106368.exe
    04880737 Generic Trojan Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ComboFix.exe.vir
    04880737 Generic Trojan Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1177\A0106423.exe
    04880737 Generic Trojan Virus/Trojan No 0 Yes Yes C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\wm56u900.default\Cache\C2152591d01
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location 
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description 
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    Thanks again, Geri! :)
     