Slow Comp with Unwanted Pop-Ups [CLOSED]


  • This topic is locked

#1
cocomomo80

    New Member

  • Member
  • 3 posts
Recently, my computer has been getting more and more pop-ups and browsing the internet has gotten slower and slower. I frequently use Firefox to browse the web, but lately I've been experiencing numerous Explorer pop-ups. I occasionally had Firefox pop-ups, but they subsided after a couple of malware scans. Just a few nights ago, I literally had about 90 pop-ups in less than 3 minutes. It was insane! :)

I've followed the malware cleaning guide and here are the log results from my scan. The only thing I was not able to do was an online scan, because the pop-ups slow down my computer. I've done the following scans, but I'm still experiencing Explorer pop-ups every 3 to 8 minutes. I get the pop-ups more when I move from one web page to another; not so much when I'm sitting in one spot.

Malwarebytes' Anti-Malware Log:

Malwarebytes' Anti-Malware 1.11
Database version: 630

Scan type: Quick Scan
Objects scanned: 36695
Time elapsed: 15 minute(s), 6 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 4
Registry Keys Infected: 62
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 10
Files Infected: 48

Memory Processes Infected:
c:\WINDOWS\um9tb25hie1jrmfybgfuzq\command.exe (AdWare.CommAd) -> Failed to unload process.
c:\program files\network monitor\netmon.exe (Trojan.DNSChanger) -> Unloaded process successfully.
c:\WINDOWS\mrofinu1000106.exe (Trojan.Downloader) -> Unloaded process successfully.
c:\program files\JavaCore\JavaCore.exe (Trojan.Insider) -> Unloaded process successfully.
c:\Program Files\Common Files\oiwu\oiwum.exe (Trojan.Downloader) -> Unloaded process successfully.
c:\Program Files\Common Files\oiwu\oiwua.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\um9tb25hie1jrmfybgfuzq\asappsrv.dll (AdWare.CommAd) -> Unloaded module successfully.

SUPERAntiSpyware Log:
SUPERAntiSpyware Scan Log
Generated 04/15/2008 at 06:03 PM

Application Version : 3.6.1000

Core Rules Database Version : 3438
Trace Rules Database Version: 1430

Scan type : Complete Scan
Total Scan Time : 03:48:17

Memory items scanned : 316
Memory threats detected : 0
Registry items scanned : 5900
Registry threats detected : 71
File items scanned : 73216
File threats detected : 33

Clear Search Toolbar BHO
HKLM\Software\Classes\CLSID\{947E6D5A-4B9F-4CF4-91B3-562CA8D03313}
HKCR\CLSID\{947E6D5A-4B9F-4CF4-91B3-562CA8D03313}
HKCR\CLSID\{947E6D5A-4B9F-4CF4-91B3-562CA8D03313}
HKCR\CLSID\{947E6D5A-4B9F-4CF4-91B3-562CA8D03313}\InprocServer32
HKCR\CLSID\{947E6D5A-4B9F-4CF4-91B3-562CA8D03313}\InprocServer32#ThreadingModel
HKCR\CLSID\{947E6D5A-4B9F-4CF4-91B3-562CA8D03313}\ProgID
HKCR\CLSID\{947E6D5A-4B9F-4CF4-91B3-562CA8D03313}\Programmable
HKCR\CLSID\{947E6D5A-4B9F-4CF4-91B3-562CA8D03313}\TypeLib
HKCR\CLSID\{947E6D5A-4B9F-4CF4-91B3-562CA8D03313}\VersionIndependentProgID
C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL

Trojan.ZQuest
HKLM\Software\Classes\CLSID\{9DD14795-7CF4-4434-3094-396D8748A5EA}
HKCR\CLSID\{9DD14795-7CF4-4434-3094-396D8748A5EA}
HKCR\CLSID\{9DD14795-7CF4-4434-3094-396D8748A5EA}\InProcServer32
HKCR\CLSID\{9DD14795-7CF4-4434-3094-396D8748A5EA}\InProcServer32#ThreadingModel
C:\PROGRAM FILES\SBAPPS\QUZA774.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9DD14795-7CF4-4434-3094-396D8748A5EA}
C:\PROGRAM FILES\SBAPPS\QUZA.DLL
C:\PROGRAM FILES\SBAPPS\QUZA843.DLL
C:\PROGRAM FILES\SBAPPS\QUZA118.DLL
C:\PROGRAM FILES\SBAPPS\QUZA481.DLL

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP691\A0036982.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP701\A0037018.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP701\A0037031.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP701\A0037033.EXE

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.IEPlugin
C:\WINDOWS\lu.dat

Adware.MyWay
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\0
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\0\win32
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\FLAGS
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\HELPDIR
HKLM\Software\MyWay
HKLM\Software\MyWay\myBar
HKLM\Software\MyWay\myBar#Dir
HKLM\Software\MyWay\myBar#CurInstall
HKLM\Software\MyWay\myBar#ShzmCurInstall
HKLM\Software\MyWay\myBar#pid
HKLM\Software\MyWay\myBar#sr
HKLM\Software\MyWay\myBar#pl
HKLM\Software\MyWay\myBar#Id
HKLM\Software\MyWay\myBar#Build
HKLM\Software\MyWay\myBar#CacheDir
HKLM\Software\MyWay\myBar#HistoryDir
HKLM\Software\MyWay\myBar#Visible
HKLM\Software\MyWay\myBar#SettingsDir
HKLM\Software\MyWay\myBar#ConfigRevisionURL
HKLM\Software\MyWay\myBar#Maximized
HKLM\Software\MyWay\myBar#ConfigDateStamp
HKLM\Software\MyWay\myBar\partner
HKLM\Software\MyWay\myBar\partner#autologin
HKLM\Software\MyWay\myBar\partner#cfg
HKLM\Software\MyWay\myBar\partner#mywayurl
HKLM\Software\MyWay\myBar\partner#search
HKLM\Software\MyWay\myBar\partner#uninstallurl
HKLM\Software\MyWay\myBar\partner#bitmap
HKLM\Software\MyWay\myBar\partner#name
HKLM\Software\MyWay\myBar\partner#test
HKLM\Software\MyWay\myBar\partner#PM-Home
HKLM\Software\MyWay\myBar\partner#PM-Points
HKLM\Software\MyWay\myBar\partner#PM-Redeem
HKLM\Software\MyWay\myBar\partner#PM-Wallet
HKLM\Software\MyWay\myBar\partner#PM-Settings
C:\WINDOWS\SYSTEM32\XCITE.DLL

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

Adware.Adservs
C:\DOCUMENTS AND SETTINGS\MONA.MONA4PLAY\APPLICATION DATA\MALWAREBYTES\MALWAREBYTES' ANTI-MALWARE\QUARANTINE\QUAR1.13241
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP719\A0040749.DLL
C:\WINDOWS\SYSTEM32\XTMP\V55API.EXE

Unclassified.Unknown Origin
C:\DOCUMENTS AND SETTINGS\MONA.MONA4PLAY\APPLICATION DATA\MALWAREBYTES\MALWAREBYTES' ANTI-MALWARE\QUARANTINE\QUAR1.78528
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP719\A0040751.EXE

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP701\A0037017.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP701\A0037032.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP713\A0039105.DLL

Adware.Rabio Search Enhancer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP701\A0037024.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP701\A0037025.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP701\A0037028.DLL
C:\WINDOWS\SYSTEM32\MD2\TR11DLL.EXE

Trojan.ZQuest-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP711\A0038034.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP711\A0038048.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP714\A0039158.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP715\A0040133.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP718\A0040372.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP719\A0040732.VBS
C:\WINDOWS\UM9TB25HIE1JRMFYBGFUZQ\OA6QVZC1KHY3LAIVV3IRTK.VBS

Trojan.Downloader-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB443A7-04D6-41EA-B40F-C18A12AE217C}\RP718\A0040373.EXE

And lastly, HijackThis log with uninstall list:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:27 AM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26CBB9F2-5F6B-48C4-841D-DAAE08FE01D1} - C:\WINDOWS\system32\wvwvu.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {f5f97f08-36c3-5798-6e94-7b1ad637ddce} - {ecdd736d-a1b7-49e6-8975-3c6380f79f5f} - C:\WINDOWS\system32\apdtlrtl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eiiwyi] "C:\Program Files\Common Files\A?pPatch\r?gedit.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoft...5/asproinst.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24....ex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayyxwu - yayyxwu.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 7446 bytes


HIJACKTHIS UNINSTALL LIST:
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
Adobe Shockwave Player
Adobe Type Manager 4.0
AOL Instant Messenger
AOL Toolbar
BlackBerry Desktop Software 4.2.2
BlackBerry Desktop Software 4.2.2
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
hp LaserJet 1000
iPod for Windows 2005-09-23
iPod for Windows 2006-01-10
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
LimeWire 4.8.1
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Maxtor Manager
Maxtor Manager
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (1.5.0.9)
MSN Music Assistant
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Network Play System (Patching)
Panda ActiveScan
Panda ActiveScan Pro
PC Inspector File Recovery
QuickTime
RealPlayer
Roxio Media Manager
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Shockwave
Snood 2.2R (Full Version)
SUPERAntiSpyware Free Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Service Pack 2
WinZip
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

Thanks for any help that I receive.

- cocomomo80

#2
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi cocomomo80,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
ComboFix

Run ComboFix:
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
The log file will be C:\Combofix.txt

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Cheers,

sage5

#3
cocomomo80

    New Member

  • Topic Starter
  • Member
  • 3 posts
Hi Sage5,

Thanks so much for your help. Here is the ComboFix log you requested from my scan.


ComboFix 08-04-18.3 - Mona 2008-04-20 12:47:24.1 - FAT32x86
Running from: C:\Documents and Settings\Mona.MONA4PLAY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mona.MONA4PLAY\Desktop\WinXP_EN_PRO_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mona.MONA4PLAY\Application Data\YMANTE~1
C:\Program Files\Common Files\appatc~1
C:\Program Files\sstem3~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\gbRve12
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apdtlrtl.dll
C:\WINDOWS\system32\drivers\atinmdxxx.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nynnpvxc.dll
C:\WINDOWS\system32\uvwvw.ini
C:\WINDOWS\system32\uvwvw.ini2
C:\WINDOWS\system32\Xcite.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATINMDXXX
-------\Service_atinmdxxx


((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-19 02:28 . 2008-04-19 02:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 14:10 . 2008-04-15 14:10 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-04-15 14:09 . 2008-04-15 14:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-15 14:09 . 2008-04-15 14:09 <DIR> d-------- C:\Documents and Settings\Mona.MONA4PLAY\Application Data\SUPERAntiSpyware.com
2008-04-15 06:40 . 2008-04-15 06:40 <DIR> d-------- C:\Documents and Settings\Mona.MONA4PLAY\Application Data\Malwarebytes
2008-04-15 06:39 . 2008-04-15 06:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-15 06:39 . 2008-04-15 06:39 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-15 06:39 . 2008-04-15 06:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-04-14 03:52 . 2008-04-14 03:52 <DIR> d-------- C:\Program Files\Norton PC Checkup
2008-04-14 03:09 . 2008-04-14 03:09 129 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-14 03:03 . 2008-04-14 03:03 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-13 22:42 . 2008-04-13 22:42 <DIR> d-------- C:\Program Files\Common Files\oiwu
2008-04-13 21:23 . 2007-07-09 09:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-13 21:10 . 2008-04-13 21:10 <DIR> d-------- C:\Program Files\Panda Security
2008-04-13 19:07 . 2008-04-14 19:08 101,091 --a------ C:\WINDOWS\BM3f742def.xml
2008-04-01 18:21 . 2008-04-01 18:21 <DIR> d-------- C:\Program Files\PocoMan
2008-04-01 18:21 . 2008-04-01 18:21 1,003,520 --a------ C:\Documents and Settings\Romona McFarlane\poco-w95.exe
2008-03-23 10:53 . 2008-03-23 10:53 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-03-23 10:40 . 2008-03-23 10:48 21,364,592 --a------ C:\Documents and Settings\Romona McFarlane\aaw2007.exe
2008-03-23 03:48 . 2008-03-23 09:56 21,928,000 --a------ C:\WINDOWS\pav.zip
2008-03-23 03:19 . 2008-03-23 03:19 <DIR> d--hs---- C:\WINDOWS\Um9tb25hIE1jRmFybGFuZQ
2008-03-23 03:16 . 2008-03-23 03:16 <DIR> d-------- C:\WINDOWS\system32\xTmp
2008-03-23 03:16 . 2008-03-23 03:16 <DIR> d-------- C:\WINDOWS\system32\usnv
2008-03-23 03:16 . 2008-03-23 03:16 <DIR> d-------- C:\WINDOWS\system32\md2
2008-03-23 03:16 . 2008-03-23 03:16 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-23 03:16 . 2008-03-23 03:16 <DIR> d-------- C:\WINDOWS\system32\aqVreo01
2008-03-23 03:16 . 2008-03-23 03:16 406,246 --a------ C:\temp\nmes3302.exe
2008-03-23 00:19 . 2008-03-23 00:19 <DIR> d-------- C:\Documents and Settings\Mona.MONA4PLAY\Application Data\Roxio
2008-03-23 00:19 . 2008-03-23 00:19 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Roxio
2008-03-23 00:18 . 2008-04-08 15:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-23 00:18 . 2008-03-23 00:18 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-23 00:16 . 2008-03-23 00:16 <DIR> d-------- C:\Documents and Settings\Mona.MONA4PLAY\Application Data\Research In Motion
2008-03-23 00:16 . 2008-03-23 03:33 256 --a------ C:\WINDOWS\system32\pool.bin
2008-03-23 00:15 . 2004-08-04 01:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-23 00:15 . 2004-08-04 01:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-22 13:34 . 2008-03-22 13:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallShield
2008-03-22 13:33 . 2008-03-22 13:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sonic
2008-03-22 13:26 . 2008-03-22 13:26 <DIR> d-------- C:\Program Files\Roxio
2008-03-22 13:26 . 2008-03-22 13:26 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-22 13:26 . 2008-03-22 13:26 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-03-22 13:26 . 2008-03-22 13:26 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Roxio
2008-03-22 12:48 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-03-22 12:46 . 2008-03-22 12:46 <DIR> d-------- C:\Documents and Settings\Mona.MONA4PLAY\Application Data\Blackberry Desktop
2008-03-22 12:45 . 2008-03-22 12:45 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-03-22 12:44 . 2008-03-22 12:44 <DIR> d-------- C:\Program Files\Research In Motion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-27 19:14 --------- d-----w C:\Program Files\PC Inspector File Recovery
2008-02-27 19:10 6,113,439 ----a-w C:\Documents and Settings\Romona McFarlane\pci_filerecovery.exe
2008-02-26 21:10 --------- d-----w C:\Program Files\Maxtor
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-26 01:29 22 ----a-w C:\Program Files\c.zip
2007-08-26 01:29 22 ----a-w C:\Program Files\b.zip
2007-08-26 01:15 22 ----a-w C:\Program Files\a.zip
2007-07-11 12:08 25,214 ----a-w C:\Program Files\B.ico
2007-07-11 12:08 25,214 ----a-w C:\Program Files\A.ico
2007-04-12 10:20 6,114,439 ----a-w C:\Documents and Settings\Romona McFarlane\XP_Codec_Pack-2.0.7.1.zip
2007-03-04 13:52 475,790 ----a-w C:\Documents and Settings\Romona McFarlane\Autoruns.zip
2007-03-04 13:29 4,321,600 ----a-w C:\Documents and Settings\Romona McFarlane\aawsepersonal.exe
2007-02-11 21:38 775,800 ----a-w C:\Documents and Settings\Romona McFarlane\ActiveSetupN.exe
2007-01-27 10:41 10,057,960 ----a-w C:\Documents and Settings\Romona McFarlane\DivXOVSPlayerInstaller.exe
2005-06-03 17:24 2,314,920 ----a-w C:\Documents and Settings\Romona McFarlane\LimeWireWin.exe
2005-05-30 19:39 35,656 ----a-w C:\Documents and Settings\Mona.MONA4PLAY\Application Data\GDIPFONTCACHEV1.DAT
2003-07-10 04:33 74,752 --sha-w C:\Program Files\Thumbs.db
2002-08-22 23:17 76,304 ----a-w C:\Documents and Settings\Romona McFarlane\Application Data\GDIPFONTCACHEV1.DAT
2001-12-06 23:50 20 ----a-w C:\Program Files\log.txt
2000-06-16 16:26 271 --sh--w C:\Program Files\desktop.ini
2000-06-16 16:26 23,357 ---h--w C:\Program Files\folder.htt
2001-01-29 04:09 184,320 ----a-w C:\Program Files\internet explorer\plugins\iclipscore.dll
2001-01-29 04:08 84,992 ----a-w C:\Program Files\internet explorer\plugins\14_43260.dll
2001-01-29 04:08 44,032 ----a-w C:\Program Files\internet explorer\plugins\28_83260.dll
2001-01-29 04:08 30,720 ----a-w C:\Program Files\internet explorer\plugins\auth3260.dll
2001-01-29 04:08 24,576 ----a-w C:\Program Files\internet explorer\plugins\basc3260.dll
2001-01-29 04:08 23,552 ----a-w C:\Program Files\internet explorer\plugins\cokr3260.dll
2001-01-29 04:08 25,088 ----a-w C:\Program Files\internet explorer\plugins\cook3260.dll
2001-01-29 04:08 20,480 ----a-w C:\Program Files\internet explorer\plugins\dnet3260.dll
2001-01-29 04:08 78,848 ----a-w C:\Program Files\internet explorer\plugins\ednt3260.dll
2001-01-29 04:08 474,112 ----a-w C:\Program Files\internet explorer\plugins\encn3260.dll
2001-01-29 04:08 22,016 ----a-w C:\Program Files\internet explorer\plugins\enlv3260.dll
2001-01-29 04:08 92,672 ----a-w C:\Program Files\internet explorer\plugins\erv13260.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26CBB9F2-5F6B-48C4-841D-DAAE08FE01D1}]
C:\WINDOWS\system32\wvwvu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdd736d-a1b7-49e6-8975-3c6380f79f5f}]
C:\WINDOWS\system32\apdtlrtl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Eiiwyi"="C:\Program Files\Common Files\A?pPatch\r?gedit.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-08 00:28 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 14:53 169264]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]
"combofix"="C:\WINDOWS\system32\CF2702.exe" [2004-08-04 02:56 388608]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyxwu]
yayyxwu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
C:\Program Files\ClearSearch\Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]
--a------ 1998-11-30 18:04 497376 C:\WINDOWS\p_981116.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2002-06-10 14:21 102400 C:\WINDOWS\System32\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-08 00:28 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
--a------ 2005-03-28 21:22 9168 C:\WINDOWS\wt\updater\wcmdmgrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winnet]
C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 12:24]

*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 17:00:02 C:\WINDOWS\Tasks\dfrg.job"
- C:\WINDOWS\system32\dfrg.msc
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 13:01:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-20 13:08:29 - machine was rebooted [Mona]
ComboFix-quarantined-files.txt 2008-04-20 17:08:14

Pre-Run: 2,274,181,120 bytes free
Post-Run: 2,297,675,776 bytes free

WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

223 --- E O F --- 2008-04-15 07:06:41

- cocomomo80

#4
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi cocomomo80,


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
O2 - BHO: (no name) - {26CBB9F2-5F6B-48C4-841D-DAAE08FE01D1} - C:\WINDOWS\system32\wvwvu.dll (file missing)
O2 - BHO: {f5f97f08-36c3-5798-6e94-7b1ad637ddce} - {ecdd736d-a1b7-49e6-8975-3c6380f79f5f} - C:\WINDOWS\system32\apdtlrtl.dll
O4 - HKCU\..\Run: [Eiiwyi] "C:\Program Files\Common Files\A?pPatch\r?gedit.exe"
O20 - Winlogon Notify: yayyxwu - yayyxwu.dll (file missing)

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


I see you have LimeWire installed on your system.
While the program itself is legal, most of the files downloaded with it are not.
These programs can also be one of the major infection routes for an otherwise secure PC, because you might be unknowingly downloading infected files.
I highly recommend uninstalling LimeWire as outlined below.


Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
    Java 2 Runtime Environment, SE v1.4.2_03
    LimeWire 4.8.1
    Viewpoint Media Player
    WildTangent Web Driver

    Please take note of any other programs that you don't recognise in that list, and include them in your next response.


Create a ComboFix Script:
  • Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\BM3f742def.xml
C:\Documents and Settings\Romona McFarlane\poco-w95.exe
C:\Documents and Settings\Romona McFarlane\aaw2007.exe
C:\WINDOWS\pav.zip
C:\temp\nmes3302.exe
C:\Program Files\c.zip
C:\Program Files\b.zip
C:\Program Files\a.zip
C:\Program Files\B.ico
C:\Program Files\A.ico
C:\Documents and Settings\Romona McFarlane\LimeWireWin.exe

Folder::
C:\WINDOWS\Um9tb25hIE1jRmFybGFuZQ
C:\WINDOWS\system32\xTmp
C:\WINDOWS\system32\usnv
C:\WINDOWS\system32\md2
C:\WINDOWS\system32\IDME
C:\WINDOWS\system32\aqVreo01
C:\Program Files\Limewire
C:\Program Files\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
    Posted Image
  • After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Your log shows you are not running Anti-virus or Firewall software.
These are essential items and need to be loaded before we can continue fixing your PC.

I have listed a couple of free versions of both. Please download and install 1 Anti-virus and 1 Firewall.

Firewalls: Please install one only.
Comodo Firewall Pro or Sunbelt Personal Firewall

Anti-virus: Please install one only:
Avast! Free Edition or AntiVir PersonalEdition Classic

Anti-Virus Tutorials/Manuals:
Avast Tutorial
Avast Manual
Antivir Manual

Please allow the new Anti-virus to run a full System scan, and at the end of the process you should be able to save a scan log.
If the scan report window does not have a Save as Report button (or similar), you may be able to highlight the text in the window & copy & paste it to a new Notepad file.
Save it as C:\avscan.txt if you can.

I need you to post me a fresh HijackThis log to confirm correct installation of the Anti-virus and Firewall programs.

Run HijackThis:
  • Select the Run a system scan and save a logfile option. The logfile opens in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button.
  • Copy and Paste the text into the Reply window.
  • Also paste me the text from C:\avscan.txt & the ComboFix.txt

The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

Cheers,

sage5
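As an added example (my own code, not from this thread, ComboFix or HijackThis), the Python script below reads the "Reg Loading Points" block that ComboFix prints and flags the same kinds of entries sage5 singled out above: an autostart value with an empty [ ] where the file's date and size should be, a path containing "?" (a character ComboFix could not print, here making a folder and file look like AppPatch and regedit.exe), a Winlogon Notify DLL listed with no path, a BHO to verify, and the Security Center and Windows Firewall values that show protection is switched off. The sample log is constructed from entries in the log posted above, and reading an empty [ ] as "ComboFix could not record the file's date/size" is an assumption of this example.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not ComboFix's or HijackThis's own code.
"""
import re
from typing import List, Tuple

# Constructed sample, modelled on entries from the log posted in this thread.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26CBB9F2-5F6B-48C4-841D-DAAE08FE01D1}]
C:\WINDOWS\system32\wvwvu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Eiiwyi"="C:\Program Files\Common Files\A?pPatch\r?gedit.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyxwu]
yayyxwu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

Finding = Tuple[str, str, str]  # (reason, registry key, entry line)

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="path" [date time size]   -- the trailing bracket group is optional
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*(?P<info>\[.*\])?$')


def parse_loading_points(text: str) -> List[Tuple[str, List[str]]]:
    """Split the block into (registry key, [entry lines]) pairs."""
    sections: List[Tuple[str, List[str]]] = []
    current_key = None
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            if current_key is not None:
                sections.append((current_key, entries))
            current_key, entries = m.group(1), []
        elif current_key is not None:
            entries.append(line)
    if current_key is not None:
        sections.append((current_key, entries))
    return sections


def triage(text: str) -> List[Finding]:
    """Return the entries a helper would look at first, with the reason."""
    findings: List[Finding] = []
    for key, entries in parse_loading_points(text):
        lower = key.lower()
        for entry in entries:
            if "?" in entry:
                findings.append(("path contains '?' (character ComboFix could not "
                                 "print; name mimics a Windows file)", key, entry))
            if lower.endswith("\\run"):
                m = RUN_VALUE_RE.match(entry)
                # Assumption: empty [ ] means no date/size could be read for the file.
                if m and (m.group("info") or "").strip() == "[ ]":
                    findings.append(("autostart value with no date/size recorded "
                                     "for its file", key, entry))
            if "\\winlogon\\notify\\" in lower and "\\" not in entry:
                findings.append(("Winlogon Notify DLL listed without a path", key, entry))
            if "browser helper objects" in lower:
                findings.append(("BHO loads into every Internet Explorer process; "
                                 "verify the file", key, entry))
            if "security center" in lower and re.search(r'"DisableMonitoring"=dword:0*1$', entry):
                findings.append(("Security Center monitoring switched off", key, entry))
            if "firewallpolicy" in lower and re.match(r'"EnableFirewall"=\s*0\b', entry):
                findings.append(("Windows Firewall disabled in this profile", key, entry))
    return findings


if __name__ == "__main__":
    for reason, key, entry in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {key}\n    {entry}")
```

Run it as-is to see the flagged entries from the constructed sample; to triage a real log, paste the block between the "Reg Loading Points" banner and the services list into SAMPLE_LOG, or read it from a file. The known-good entries in the sample (ctfmon.exe, the SUPERAntiSpyware notify DLL) produce no findings, which is the check that the rules are not simply flagging everything.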

#5
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.