bestrevenue.net AND ad.yieldmanager POP-UP ads [RESOLVED]


This topic is locked.

#1 juiicy27 (Member, 17 posts)
I have several antispyware programs installed on my computer that just aren't picking up on the pesky "http://kjr72.bestrevenue.net" and "ad.yieldmanager" ads that keep popping up on my computer. They usually say something like "do you want to get rid of junk emails?" I also had some recent problems with "rond.stardoor" popups which appear to have been removed by spyware programs; however, I still think there is something that wasn't entirely removed because my active program windows often switch to inactive by themselves. Lastly, I noticed that right after I got the infection, the number of svchost processes on my process list had increased.

Thank you ahead of time for looking over my logfiles. I hope I provided enough information to describe the problems! :)

HijackThis & ComboFix logs:

---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:41 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1185132300\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1185132300\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\bak\MskAgent.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 6241 bytes

---------------------------------------------------


ComboFix 08-02-18.1 - Janine 2008-02-18 20:49:01.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.654 [GMT -5:00]
Running from: C:\Documents and Settings\Janine\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\inetget2

.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-17 19:59 . 2008-02-18 20:03 27,242 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-02-17 19:56 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-02-17 19:56 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-02-17 19:56 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-02-17 19:56 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-02-17 19:56 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-02-17 19:56 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-02-17 19:55 . 2008-02-17 20:08 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-17 19:52 . 2008-02-17 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-17 17:10 . 2008-02-17 17:10 270,698 --a------ C:\WINDOWS\SYSTEM32\L2C03.tmp
2008-02-17 17:10 . 2008-02-17 17:10 400 --a------ C:\WINDOWS\SYSTEM32\L77D2.tmp
2008-02-17 17:09 . 2008-02-17 17:10 181,965 --a------ C:\WINDOWS\SYSTEM32\LEE4E.tmp
2008-02-17 13:07 . 2008-02-17 13:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\mclsphlr
2008-02-17 13:07 . 2004-09-28 10:43 114,688 --------- C:\WINDOWS\SYSTEM32\mclsp.dll
2008-02-17 13:07 . 2004-09-28 10:43 32,768 --a------ C:\WINDOWS\SYSTEM32\instlsp.exe
2008-02-17 13:07 . 2004-09-28 10:43 11,264 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
2008-02-17 12:20 . 2008-02-17 12:20 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-17 12:16 . 2008-02-17 12:16 270,698 --a------ C:\WINDOWS\SYSTEM32\LFAFD.tmp
2008-02-17 12:16 . 2008-02-17 12:16 400 --a------ C:\WINDOWS\SYSTEM32\L8CDD.tmp
2008-02-17 12:15 . 2008-02-17 12:16 181,965 --a------ C:\WINDOWS\SYSTEM32\L4941.tmp
2008-02-10 11:44 . 2008-02-10 11:44 402 --a------ C:\WINDOWS\SYSTEM32\L1A1E.tmp
2008-02-10 11:43 . 2008-02-10 11:43 270,698 --a------ C:\WINDOWS\SYSTEM32\L735F.tmp
2008-02-10 11:42 . 2008-02-10 11:43 181,965 --a------ C:\WINDOWS\SYSTEM32\LFEDB.tmp
2008-02-08 17:12 . 2008-02-08 17:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 13:47 . 2008-02-17 17:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-08 13:47 . 2008-02-08 13:47 <DIR> d-------- C:\Documents and Settings\Janine\Application Data\SUPERAntiSpyware.com
2008-02-08 13:47 . 2008-02-08 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-08 13:46 . 2008-02-08 13:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 18:08 . 2008-02-02 18:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\bak
2008-02-02 18:08 . 2008-02-02 18:08 <DIR> d-------- C:\WINDOWS\aolshare
2008-02-02 18:08 . 2008-02-02 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-02 13:01 . 2008-02-02 13:01 270,698 --a------ C:\WINDOWS\SYSTEM32\L4083.tmp
2008-02-02 13:00 . 2008-02-02 13:01 181,965 --a------ C:\WINDOWS\SYSTEM32\LEEA9.tmp
2008-01-30 22:35 . 2008-02-02 18:05 <DIR> d-------- C:\Program Files\AOL 9.1
2008-01-23 05:16 . 2008-01-23 05:16 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 03:55 --------- d-----w C:\Program Files\QuickTime
2008-02-18 03:38 --------- d-----w C:\Program Files\AOL 9.0vr
2008-02-18 01:15 --------- d-----w C:\Program Files\McAfee
2008-02-18 00:55 --------- d-----w C:\Program Files\McAfee.com
2008-02-18 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-08 22:40 --------- d-----w C:\Program Files\Java
2008-02-08 21:50 --------- d-----w C:\Program Files\Sonic
2008-02-02 23:08 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-02 23:07 --------- d-----w C:\Program Files\Last.fm
2008-02-02 23:07 --------- d-----w C:\Program Files\Audio Recorder for FREE
2008-02-02 23:04 --------- d-----w C:\Program Files\Common Files\aolshare
2008-01-31 07:07 --------- d-----w C:\Documents and Settings\Janine\Application Data\U3
2008-01-31 03:37 --------- d-----w C:\Documents and Settings\Janine\Application Data\AOL
2008-01-31 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-31 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-23 10:16 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-12-21 12:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2007-12-21 11:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-21 05:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-21 05:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 05:56 --------- d-----w C:\Documents and Settings\Janine\Application Data\Grisoft
2007-12-21 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-19 17:07 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
2007-12-06 10:05 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\oleaut32.dll
2006-12-08 19:05 36 -c--a-w C:\Documents and Settings\Janine\klextlock.dat
2005-06-15 16:24 88 -csh--r C:\WINDOWS\SYSTEM32\ED7C8B6987.sys
2005-06-15 16:24 3,766 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,736 2007-04-18 06:49:00 C:\Program Files\AOL 9.0vr\bak\AOL.EXE

----a-w 110,592 2004-01-07 07:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 950,272 2005-04-05 18:41:18 C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe

----a-w 282,624 2006-09-24 07:24:54 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 94,208 2005-10-14 18:49:46 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe

----a-w 127,035 2004-11-16 06:05:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\bak\MskAgent.exe" [ ]
"xInsIDE"="C:\Program Files\xInsIDE\xInsIDE.exe" [2008-02-17 12:20 53248]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2008-01-23 05:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1185132300\ee\AOLSoftware.exe" [2007-05-25 12:16 42032]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

C:\Documents and Settings\Janine\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-21 07:44:18 106496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Janine^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Janine\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 19:19 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2007-08-18 03:12 394576 C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-04-19 15:45 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 21:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-11-16 14:35]
R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2006-01-20 10:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a112608-b63b-11db-b7cc-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 00:55:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-18 00:55:41 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 20:51:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-18 20:52:33
ComboFix-quarantined-files.txt 2008-02-19 01:52:30
ComboFix2.txt 2008-02-17 17:45:43
ComboFix3.txt 2008-02-11 03:57:58
.
2008-02-12 20:30:07 --- E O F ---

Edited by juiicy27, 18 February 2008 - 08:08 PM.

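Added example (the editor's, not code from the poster or from Geeks to Go): a small Python parser for the R/F/O entries of a HijackThis log like the one in post #1, with a few triage heuristics run over lines copied from that log. The heuristics are my own assumptions about what deserves a second look in a log like this: entries whose target file is gone ("(no file)" / "(file missing)"), O23 services with "Unknown owner", per-user HKCU Run autostarts, and O20 Winlogon Notify DLLs. They are review prompts, not verdicts; several of the flagged lines here (SUPERAntiSpyware's Winlogon Notify DLL, the Dell support service) are legitimate software.

```python
import re
from dataclasses import dataclass
from typing import List

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")

# HijackThis appends one of these when the referenced file is absent on disk.
DEAD_MARKERS = ("(no file)", "(file missing)")

# A subset of the log posted in #1 (copied lines, not constructed data).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.Net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""


@dataclass
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Extract the R/F/O entries from a HijackThis log, in log order."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag entries worth a closer look. Heuristics are the editor's assumptions,
    not HijackThis rules, and a hit is a prompt to verify, not a malware verdict."""
    findings: List[Finding] = []
    for e in entries:
        if e.body.endswith(DEAD_MARKERS):
            findings.append(Finding(e, "dead reference: target file is missing (leftover, usually safe to remove)"))
        elif e.section == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding(e, "service without publisher information: verify the binary"))
        elif e.section == "O4" and e.body.startswith("HKCU"):
            findings.append(Finding(e, "per-user autostart: check what installed it and when"))
        elif e.section == "O20":
            findings.append(Finding(e, "Winlogon Notify DLL loads at every logon: verify the publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.entry.section}: {f.reason}\n    {f.entry.body}")
```

Run as a script it lists the five flagged lines from the sample; point it at a full saved log by replacing SAMPLE_LOG with the file contents. The HKLM Run and O23 entries with a named publisher pass through untouched, which is the point: the heuristics narrow a 50-line log to the handful of entries a helper actually needs to look up.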

#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi juiicy27

Welcome to Geeks to Go :)

Sorry to keep you waiting. Let's do a deeper scan of your machine for me to analyse.

(If your problem has already been resolved, could you just let me know so that I can move on to other logs to help others? Thanks.)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

You may need to post the logs over 2 replies to ensure all the information is posted.

andrewuk

#3 juiicy27 (Topic Starter, Member, 17 posts)
Unfortunately, the DSS scanner would not run on my computer. I tried several times, but it kept freezing at "backing registry hives". I even tried to close my avgas to see if that was interfering, but still no luck.

#4 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
No problem.

Could you re-run ComboFix and post a new HijackThis log, then?

Also, just to let you know, this fix will take several posts from me given the malware I can see in the logs you have posted; certainly a minimum of 8 posts from me.

andrewuk

#5 juiicy27 (Topic Starter, Member, 17 posts)
Ugh, I re-ran ComboFix and now I seem to be having even more problems. My computer now refuses to connect to my wireless network, even though it is in range. It keeps connecting to my neighbor's network instead. This problem started right after I ran ComboFix. I'm not sure, but I think it may have changed my firewall settings and I don't know how to fix it :'C

ComboFix 08-02-24.2 - Janine 2008-02-24 0:39:14.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.633 [GMT -5:00]
Running from: C:\Documents and Settings\Janine\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-23 19:21 . 2008-02-23 19:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 19:21 . 2008-02-23 19:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 19:05 . 2008-02-23 19:05 <DIR> d-------- C:\Deckard
2008-02-20 18:15 . 2008-02-20 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-02-17 19:59 . 2008-02-23 22:13 27,400 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-02-17 19:56 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-02-17 19:56 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-02-17 19:56 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-02-17 19:56 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-02-17 19:56 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-02-17 19:56 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-02-17 19:55 . 2008-02-17 20:08 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-17 19:52 . 2008-02-17 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-17 17:10 . 2008-02-17 17:10 270,698 --a------ C:\WINDOWS\SYSTEM32\L2C03.tmp
2008-02-17 17:10 . 2008-02-17 17:10 400 --a------ C:\WINDOWS\SYSTEM32\L77D2.tmp
2008-02-17 17:09 . 2008-02-17 17:10 181,965 --a------ C:\WINDOWS\SYSTEM32\LEE4E.tmp
2008-02-17 13:07 . 2008-02-17 13:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\mclsphlr
2008-02-17 13:07 . 2004-09-28 10:43 114,688 --------- C:\WINDOWS\SYSTEM32\mclsp.dll
2008-02-17 13:07 . 2004-09-28 10:43 32,768 --a------ C:\WINDOWS\SYSTEM32\instlsp.exe
2008-02-17 13:07 . 2004-09-28 10:43 11,264 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
2008-02-17 12:20 . 2008-02-17 12:20 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-17 12:16 . 2008-02-17 12:16 270,698 --a------ C:\WINDOWS\SYSTEM32\LFAFD.tmp
2008-02-17 12:16 . 2008-02-17 12:16 400 --a------ C:\WINDOWS\SYSTEM32\L8CDD.tmp
2008-02-17 12:15 . 2008-02-17 12:16 181,965 --a------ C:\WINDOWS\SYSTEM32\L4941.tmp
2008-02-10 11:44 . 2008-02-10 11:44 402 --a------ C:\WINDOWS\SYSTEM32\L1A1E.tmp
2008-02-10 11:43 . 2008-02-10 11:43 270,698 --a------ C:\WINDOWS\SYSTEM32\L735F.tmp
2008-02-10 11:42 . 2008-02-10 11:43 181,965 --a------ C:\WINDOWS\SYSTEM32\LFEDB.tmp
2008-02-08 17:12 . 2008-02-08 17:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 13:47 . 2008-02-17 17:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-08 13:47 . 2008-02-08 13:47 <DIR> d-------- C:\Documents and Settings\Janine\Application Data\SUPERAntiSpyware.com
2008-02-08 13:47 . 2008-02-08 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-08 13:46 . 2008-02-08 13:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 18:08 . 2008-02-02 18:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\bak
2008-02-02 18:08 . 2008-02-02 18:08 <DIR> d-------- C:\WINDOWS\aolshare
2008-02-02 18:08 . 2008-02-02 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-02 13:01 . 2008-02-02 13:01 270,698 --a------ C:\WINDOWS\SYSTEM32\L4083.tmp
2008-02-02 13:00 . 2008-02-02 13:01 181,965 --a------ C:\WINDOWS\SYSTEM32\LEEA9.tmp
2008-01-30 22:35 . 2008-02-02 18:05 <DIR> d-------- C:\Program Files\AOL 9.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 03:22 --------- d-----w C:\Program Files\abrViewer.NET
2008-02-18 03:55 --------- d-----w C:\Program Files\QuickTime
2008-02-18 03:38 --------- d-----w C:\Program Files\AOL 9.0vr
2008-02-18 01:15 --------- d-----w C:\Program Files\McAfee
2008-02-18 00:55 --------- d-----w C:\Program Files\McAfee.com
2008-02-18 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-08 22:40 --------- d-----w C:\Program Files\Java
2008-02-08 21:50 --------- d-----w C:\Program Files\Sonic
2008-02-02 23:08 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-02 23:07 --------- d-----w C:\Program Files\Last.fm
2008-02-02 23:07 --------- d-----w C:\Program Files\Audio Recorder for FREE
2008-02-02 23:04 --------- d-----w C:\Program Files\Common Files\aolshare
2008-01-31 07:07 --------- d-----w C:\Documents and Settings\Janine\Application Data\U3
2008-01-31 03:37 --------- d-----w C:\Documents and Settings\Janine\Application Data\AOL
2008-01-31 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-31 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-23 10:16 499,712 ----a-w C:\WINDOWS\SYSTEM32\msvcp71.dll
2008-01-23 10:16 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
2007-12-06 10:05 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\oleaut32.dll
2006-12-08 19:05 36 -c--a-w C:\Documents and Settings\Janine\klextlock.dat
2005-06-15 16:24 88 -csh--r C:\WINDOWS\SYSTEM32\ED7C8B6987.sys
2005-06-15 16:24 3,766 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,736 2007-04-18 06:49:00 C:\Program Files\AOL 9.0vr\bak\AOL.EXE

----a-w 110,592 2004-01-07 07:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 950,272 2005-04-05 18:41:18 C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe

----a-w 282,624 2006-09-24 07:24:54 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 94,208 2005-10-14 18:49:46 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe

----a-w 127,035 2004-11-16 06:05:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\bak\MskAgent.exe" [ ]
"xInsIDE"="C:\Program Files\xInsIDE\xInsIDE.exe" [2008-02-17 12:20 53248]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2008-01-23 05:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1185132300\ee\AOLSoftware.exe" [2007-05-25 12:16 42032]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

C:\Documents and Settings\Janine\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-21 07:44:18 106496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Janine^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Janine\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 19:19 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2007-08-18 03:12 394576 C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-04-19 15:45 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 21:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-11-16 14:35]
R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2006-01-20 10:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a112608-b63b-11db-b7cc-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 00:55:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-18 00:55:41 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 00:41:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-24 0:41:51
ComboFix2.txt 2008-02-19 01:52:34
.
2008-02-12 20:30:07 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:52 AM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1185132300\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\AOL 9.1\waol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1185132300\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\bak\MskAgent.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 6275 bytes
  • 0

#6 juiicy27
    Member
  • Topic Starter
  • 17 posts
Edit: I fiddled around with the router a bit and reset it. Then I restarted my comp again and it seemed to straighten out. My computer is connected to the right wireless network for now.
  • 0

#7 andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

This will take us 4 posts from me, including this one, to clear, before we move on to the other infections.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

There is a possibility that your McAfee has been compromised, notably your firewall, so have your installation discs to hand. We will know if there is a problem once we have cleared the infection.

andrewuk
  • 0

#8 juiicy27
    Member
  • Topic Starter
  • 17 posts
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 02/24/2008
The current time is: 13:58:50.46


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AOL9~1.0VR\BAK

04/18/2007 01:49 AM 50,736 AOL.EXE
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/24/2006 02:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

10/14/2005 01:49 PM 94,208 igfxtray.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

04/05/2005 01:41 PM 950,272 MpfTray.exe
1 File(s) 950,272 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

11/16/2004 01:05 AM 127,035 tfswctrl.exe
1 File(s) 127,035 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

01/07/2004 02:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50528 Jan 23 2008 "C:\Program Files\AOL 9.1\aol.exe"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0vr\bak\AOL.EXE"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 May 6 2004 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
94208 Oct 14 2005 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
155648 Aug 20 2004 "C:\DELL\drivers\R86247\win2000\igfxtray.exe"
94208 Oct 14 2005 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
94208 Apr 5 2005 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\igfxtray.exe"
950272 Apr 5 2005 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
127035 Nov 16 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"


end of report
  • 0

#9 andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\Program Files\AOL 9.0vr\bak\AOL.EXE"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
    "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
    "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
    "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.
andrewuk
  • 0

#10 juiicy27
    Member
  • Topic Starter
  • 17 posts
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 02/24/2008
The current time is: 23:57:01.39


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AOL9~1.0VR\BAK

04/18/2007 01:49 AM 50,736 AOL.EXE
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/24/2006 02:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

10/14/2005 01:49 PM 94,208 igfxtray.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

04/05/2005 01:41 PM 950,272 MpfTray.exe
1 File(s) 950,272 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

11/16/2004 01:05 AM 127,035 tfswctrl.exe
1 File(s) 127,035 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

01/07/2004 02:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50736 Apr 18 2007 "C:\Program Files\AOL 9.0vr\AOL.EXE"
50528 Jan 23 2008 "C:\Program Files\AOL 9.1\aol.exe"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0vr\bak\AOL.EXE"
282624 Sep 24 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 May 6 2004 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
94208 Oct 14 2005 "C:\WINDOWS\SYSTEM32\igfxtray.exe"
94208 Oct 14 2005 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
155648 Aug 20 2004 "C:\DELL\drivers\R86247\win2000\igfxtray.exe"
94208 Oct 14 2005 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
94208 Apr 5 2005 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\igfxtray.exe"
950272 Apr 5 2005 "C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe"
950272 Apr 5 2005 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
127035 Nov 16 2004 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
127035 Nov 16 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"


end of report
  • 0
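
The bak-folder pattern andrewuk describes in post #7, and the duplicate listing FindAWF prints in posts #8 and #10, can be reproduced as a small scanner. This is an added example, not FindAWF's own code: it walks a tree, pairs every file inside a folder named bak with the same-named file in the parent folder, and hashes both, so a pair that differs is a still-replaced file, an identical pair is one already put back, and a missing parent file means the original was moved out with nothing left in its place. The directory layout mirrors the thread's reports, but the file contents are constructed byte strings standing in for the real binaries.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class BakFinding:
    bak_path: str                 # the moved original, inside the bak folder
    live_path: str                # same-named file in the parent folder
    live_exists: bool
    same_content: Optional[bool]  # None when nothing sits in the parent

    @property
    def status(self) -> str:
        if not self.live_exists:
            return "MISSING"      # original moved out, nothing put in its place
        return "RESTORED" if self.same_content else "REPLACED"

def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_bak_folders(root: str) -> List[BakFinding]:
    """Walk root; in every directory named 'bak' (matched case-insensitively,
    since the 8.3 listing shows BAK) pair each file with the parent's file."""
    findings: List[BakFinding] = []
    for dirpath, _subdirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            bak_file, live_file = os.path.join(dirpath, name), os.path.join(parent, name)
            exists = os.path.isfile(live_file)
            same = (_sha256(bak_file) == _sha256(live_file)) if exists else None
            findings.append(BakFinding(bak_file, live_file, exists, same))
    return sorted(findings, key=lambda f: f.bak_path.lower())

def summarize(findings: List[BakFinding]) -> Dict[str, str]:
    """File name -> status: the one-glance view a helper wants from the scan."""
    return {os.path.basename(f.bak_path): f.status for f in findings}

def report(findings: List[BakFinding]) -> List[str]:
    """One line per pair, in the spirit of FindAWF's duplicate listing."""
    return [f"{f.status:<8} {os.path.getsize(f.bak_path):>8} {f.bak_path}"
            + (f"  <->  {os.path.getsize(f.live_path):>8} {f.live_path}" if f.live_exists else "")
            for f in findings]

def build_sample_tree() -> str:
    """Constructed fixture: hypothetical byte strings stand in for the real
    binaries, in the folder layout the thread's FindAWF reports show."""
    root = tempfile.mkdtemp(prefix="awf_demo_")
    layout = {
        # original in bak, a different file in its place: still infected
        "Program Files/QuickTime/bak/qttask.exe": b"ORIGINAL-QTTASK" * 100,
        "Program Files/QuickTime/qttask.exe": b"UNKNOWN-REPLACEMENT" * 10,
        # identical pair: the state after FindAWF option 2 put the original back
        "Program Files/Common Files/Sonic/Update Manager/bak/sgtray.exe": b"ORIGINAL-SGTRAY" * 50,
        "Program Files/Common Files/Sonic/Update Manager/sgtray.exe": b"ORIGINAL-SGTRAY" * 50,
        # original moved out and nothing left in the parent folder
        "WINDOWS/SYSTEM32/BAK/igfxtray.exe": b"ORIGINAL-IGFXTRAY" * 20,
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for line in report(scan_bak_folders(build_sample_tree())):
        print(line)
```

Point scan_bak_folders() at a drive root to reproduce the FindAWF option 1 listing; the status column is what the size-and-date columns in the thread's reports let andrewuk judge by eye.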

#11 andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\AOL 9.0vr\bak
    C:\Program Files\QuickTime\bak
    C:\WINDOWS\SYSTEM32\bak
    C:\Program Files\McAfee.com\Personal Firewall\bak
    C:\WINDOWS\SYSTEM32\dla\bak
    C:\Program Files\Common Files\Sonic\Update Manager\bak


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for .bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

andrewuk
  • 0

#12 juiicy27
    Member
  • Topic Starter
  • 17 posts
Here's the new AWF.



Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 02/25/2008
The current time is: 17:21:54.25


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
  • 0

#13 andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Looking good on this infection now.

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 4, then press Enter.
  • You will receive a warning to reset domain zones.
  • Press 1 then press Enter.
  • If you have manually included sites in the trusted zones, these will need to be re-inserted.

And could you post a new HijackThis log?

andrewuk
  • 0

#14 juiicy27
    Member
  • Topic Starter
  • 17 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:38 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1185132300\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1185132300\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\bak\MskAgent.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 6570 bytes
  • 0

#15 andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\L2C03.tmp
C:\WINDOWS\SYSTEM32\L77D2.tmp
C:\WINDOWS\SYSTEM32\LEE4E.tmp
C:\WINDOWS\SYSTEM32\LFAFD.tmp
C:\WINDOWS\SYSTEM32\L8CDD.tmp
C:\WINDOWS\SYSTEM32\L4941.tmp
C:\WINDOWS\SYSTEM32\L1A1E.tmp
C:\WINDOWS\SYSTEM32\L735F.tmp
C:\WINDOWS\SYSTEM32\LFEDB.tmp
C:\WINDOWS\SYSTEM32\L4083.tmp
C:\WINDOWS\SYSTEM32\LEEA9.tmp

Folder::
C:\Program Files\xInsIDE

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a112608-b63b-11db-b7cc-00038a000015}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xInsIDE"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk
  • 0
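
As an added example, not ComboFix's own code, here is a small dry-run parser for the CFScript format used in the post above: it reads the File::, Folder:: and Registry:: sections into a list of planned actions so the script can be reviewed before it is dropped onto ComboFix.exe. The registry semantics ([-KEY] removes a key; "name"=- beneath a [KEY] header removes that value) are assumed from the syntax of the script as posted, the embedded sample is a constructed subset of that script, and the Windows-directory flag in review() is this example's own sanity check.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the CFScript posted above (values from the page).
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\SYSTEM32\L2C03.tmp
C:\WINDOWS\SYSTEM32\L77D2.tmp

Folder::
C:\Program Files\xInsIDE

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xInsIDE"=-
"""

@dataclass(frozen=True)
class Action:
    kind: str                    # delete_file | delete_folder | delete_key | delete_value
    target: str                  # file system path or registry key
    value: Optional[str] = None  # value name, for delete_value only

def parse_cfscript(text: str) -> List[Action]:
    """Turn the three section types seen in the thread into planned actions.
    Registry semantics as implied by the script's own syntax (an assumption):
    '[-KEY]' drops the key, '[KEY]' selects a key, '"name"=-' drops that value."""
    actions: List[Action] = []
    section: Optional[str] = None
    current_key: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                      # section header
            section = line[:-2].lower()
            current_key = None
            if section not in ("file", "folder", "registry"):
                raise ValueError(f"line {lineno}: unsupported section {line!r}")
            continue
        if section == "file":
            actions.append(Action("delete_file", line))
        elif section == "folder":
            actions.append(Action("delete_folder", line))
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(Action("delete_key", line[2:-1]))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            elif line.endswith("=-") and current_key is not None:
                actions.append(Action("delete_value", current_key, line[:-2].strip().strip('"')))
            else:
                raise ValueError(f"line {lineno}: unrecognised Registry:: entry {raw!r}")
        else:
            raise ValueError(f"line {lineno}: entry before any section header: {raw!r}")
    return actions

def review(actions: List[Action]) -> List[str]:
    """Human-readable plan; flags file actions aimed inside the Windows directory."""
    out = []
    for a in actions:
        note = ""
        if a.kind in ("delete_file", "delete_folder") and "\\windows\\" in a.target.lower():
            note = "   <- inside the Windows directory, double-check before running"
        out.append(f"{a.kind:<13} {a.target}" + (f" :: {a.value}" if a.value else "") + note)
    return out

if __name__ == "__main__":
    for line in review(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(line)
```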
