Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Ad yield manager problem -accessing emails [CLOSED]


  • This topic is locked This topic is locked

#1
RossEv

RossEv

    New Member

  • Member
  • Pip
  • 3 posts
Can someone please help me as I'm having trouble accessing my emails.
When accessing my e-mails in yahoo mail I am being re-diverted to Dell homepage and a message appears 'sorrry, we couldn't find http://ad.yield manager.com/st%03Fad_type'. Also while being re-diverted I notice a message saying connecting to site 127.0.0.1?.

Any help/assistance to sort this problem out would be greatly appreciated.

Ross
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Ross and welcome to GTG.

Please read this topic and post your HijackThis log here when ready.

Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
RossEv

RossEv

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I downloaded MBAM and run a full scan. 70 infected objects were detected. They were selected and removed.
Here is a copy of the log report.

Malwarebytes' Anti-Malware 1.11
Database version: 663

Scan type: Full Scan (C:\|)
Objects scanned: 142595
Time elapsed: 58 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 38
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 19
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{06b30a09-5760-4994-a7f2-854644f75254} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{08001fca-2c97-41e3-9f67-596f499b725f} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{10ba262b-e944-4240-a9d6-e12accfacbc7} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{13275562-0968-4428-a926-d61a67fb25a0} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1351ed54-2094-40cf-968e-3c7f704be463} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2230f9a1-dfbb-400c-85c2-fe854d3f56bc} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{51ff5e3e-f5e7-43b5-a809-fdfbbdbe4eff} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{58dd5f8a-b280-4835-8f65-d2b3383ea4e9} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5c3d449a-1737-4c87-929d-f3b33c32253d} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{62f2e72b-8fee-47cf-b337-36d61336e13e} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{658d9966-2eeb-47ca-abcf-1818db4fdc2d} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7a013512-ceaf-4f5f-af1a-8b1b472e714b} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{86ecaf8e-540c-4960-82aa-1323a5578e2d} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8882515d-7e2c-45a9-ae99-ea09a9023a07} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8fe48e13-6661-444c-8b23-07623232d1f4} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9aad0cdc-7822-4593-9e95-8c7eb256d509} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aa8a3463-c37f-4887-b3f3-380938f89a80} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aec39567-aa5b-4cfa-a7ea-61f4dfb15fe7} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b8e5f903-290c-4422-8ef1-89f4990cd72b} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c5bcb43c-514a-4be9-a9e5-e54629f4f131} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c7d83b29-f534-484d-9cfa-66b4484cdc53} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c8897164-1ce8-45fe-8483-e93f1681f320} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d2a39c98-0833-4581-8dc9-c7223561f656} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d725ced2-7c0e-4484-aaa4-f186c659f8b8} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d847da70-508a-480f-b91e-133d9f60ced8} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da163414-a8e2-4907-85f4-b0ec9d4ebb78} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ee8df60b-01a8-4143-8d94-41a185a9691e} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe1ecf64-a6c0-4f3a-87f5-3135c517e4aa} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ff2de560-d35c-45d4-834f-90654d4e2e3d} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ekvgsnw.bdxp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ekvgsnw.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{60570909-486a-4609-b7ae-cbcaa3831168} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{004400ef-1efb-4d04-953e-a33c8cac377b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{84adc82a-618e-4391-a720-4771efff5da2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2125299c-378e-4065-a925-17fae942cba9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{60570909-486a-4609-b7ae-cbcaa3831168} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\www.mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\AntiVirusPro (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\AntiVirusPro\Quarantine (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro\Autorun (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro\BrowserObjects (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKCURun (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKLMRun (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro\Autorun\StartMenuAllUsers (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro\Autorun\StartMenuCurrentUser (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKCURun\RunOnce (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKCURun\RunOnceEx (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKLMRun\RunOnce (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Evans\Application Data\Anti-Virus-Pro.com\AntiVirusPro\Autorun\HKLMRun\RunOnceEx (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ahgrepcfmhcbal.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tkrmt.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\swupd.log (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\em (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\oid (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\user (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msiconf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.

Please advise on next steps, if any.

Thanks

Ross
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Ross, please follow the next step...install recovery console and run Combofix. Post the Combofix log here when ready.
  • 0

#5
RossEv

RossEv

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I installed recovery console and ran Combofix as you instructed.
Here is a copy of the log report.


ComboFix 08-04-20.5 - David Evans 2008-04-22 11:16:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.548 [GMT 1:00]
Running from: C:\Documents and Settings\David Evans\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Evans\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-22 09:59 . 2008-04-22 09:59 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-21 11:30 . 2008-04-21 11:30 <DIR> d-------- C:\Documents and Settings\David Evans\Application Data\ErrorRepairTool
2008-04-21 09:53 . 2008-04-21 09:53 <DIR> d-------- C:\Documents and Settings\David Evans\Application Data\Malwarebytes
2008-04-21 09:53 . 2008-04-21 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 21:31 . 2008-04-20 21:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 15:39 . 2008-04-17 15:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-17 15:39 . 2008-04-17 15:39 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 08:59 --------- d-----w C:\Program Files\McAfee
2008-04-22 08:55 --------- d-----w C:\Documents and Settings\David Evans\Application Data\SiteAdvisor
2008-04-21 10:44 --------- d-----w C:\Documents and Settings\Liam Evans\Application Data\SiteAdvisor
2008-04-20 16:10 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-17 14:55 --------- d-----w C:\Documents and Settings\David Evans\Application Data\AdobeUM
2008-04-04 14:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-03-21 07:27 --------- d-----w C:\Documents and Settings\Ryan Evans\Application Data\MfcdObjSoap
2008-03-21 07:25 --------- d-----w C:\Documents and Settings\Liam Evans\Application Data\MfcdObjSoap
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-05 19:51 --------- d-----w C:\Program Files\SopCast
2008-03-05 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\live 64 math does
2008-03-01 13:53 --------- d-----w C:\Documents and Settings\David Evans\Application Data\FrostWire
2008-02-29 12:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 22:18 --------- d-----w C:\Documents and Settings\David Evans\Application Data\Business Logic
2008-02-28 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 20:23 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-02-28 18:50 --------- d-----w C:\Documents and Settings\David Evans\Application Data\LimeWire
2008-02-28 18:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Business Logic
2008-02-28 18:47 --------- d-----w C:\Program Files\blcorp
2008-02-28 18:01 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-28 16:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-28 16:48 --------- d-----w C:\Program Files\IM Names 4
2008-02-28 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 16:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 19:00 --------- d-----w C:\Program Files\Enigma Software Group
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-25 16:31 88 --sh--r C:\WINDOWS\system32\8784537AA1.sys
2007-12-01 07:51 56 --sh--r C:\WINDOWS\system32\A17A538487.sys
2007-12-25 16:31 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"EPSON Stylus DX4400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [2007-03-01 07:01 180736]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 20:11 68856]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DSLSTATEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 16:10 1658965]
"DSLAGENTEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 13:47 16384]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 18:38 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

C:\Documents and Settings\Ryan Evans\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-01-11 13:57:44 256000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^David Evans^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\David Evans\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2007-01-10 12:06 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2006-02-09 23:34 106496 C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 05:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Product Registration Reminder]
C:\WINDOWS\Temp\RegModule.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-08-21 18:37 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-11-17 14:21 50736 C:\Program Files\Common Files\AOL\1183204704\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Info axis]
C:\DOCUME~1\DAVIDE~1\APPLIC~1\MFCDOB~1\FileLongBody.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSI Configuration]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe]
--a------ 2007-01-17 18:30 152144 C:\Program Files\McAfee\MSK\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-08-21 18:32 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-02-10 11:17 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
--a------ 2007-02-09 05:37 36904 C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 04:10 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-12 20:11 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
--a------ 2005-09-14 21:44 65536 C:\Program Files\USB Disk Win98 Driver\Res.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP Antivirus]
C:\Program Files\XP Antivirus\xpa2008pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=

S2 0172561208854747mcinstcleanup;McAfee Application Installer Cleanup (0172561208854747);C:\WINDOWS\TEMP\017256~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 10:00:01 C:\WINDOWS\Tasks\A33A838491850084.job"
- c:\docume~1\ryanev~1\applic~1\mfcdob~1\List Platform Hole.exe
"2008-04-10 11:50:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-22 10:00:02 C:\WINDOWS\Tasks\B59289FD9185355D.job"
- c:\docume~1\liamev~1\applic~1\mfcdob~1\List Platform Hole.exe
"2008-04-22 10:09:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-21 10:30:31 C:\WINDOWS\Tasks\ErrorRepairTool Scheduled Scan.job"
- C:\Program Files\ErrorRepairTool\ErrorRepairTool.ex
- C:\Program Files\ErrorRepairTool
"2007-02-12 20:39:15 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 01:00:08 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-04-04 14:00:49 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 11:18:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-22 11:19:38
ComboFix-quarantined-files.txt 2008-04-22 10:19:34

Pre-Run: 137,429,696,512 bytes free
Post-Run: 138,469,289,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

207 --- E O F --- 2008-04-09 11:46:23


Thanks

Ross
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Ross, where is your HijackThis log? Please read the sticky topic link I gave you earlier. Make sure you followed all those steps already and post the HijackThis log here when ready.

Download NoLop.exe to your desktop from one of the following mirrors:
http://www.thespykil...=tpmod;dl=get16
http://www.greyknigh...m/spy/NoLop.exe

Close any other programs you have running as this will require a reboot.
Double-click NoLop.exe to run it.
Now click the button labeled Search and Destroy.
When scanning is finished you will be prompted to reboot only if infected. Click OK.
Now click the Reboot button. A message should pop up from NoLop. If not, double-click the program again and it will finish.
Post the contents of C:\NoLop.log here.

If you receive an error mscomctl.ocx or one of its dependencies are not correctly registered, then download the mscomctl.ocx file from http://www.boletrice...ds/mscomctl.ocx to your system32 folder and then rerun the NoLop.


Uninstall ErrorRepairTool and XP Antivirus via the Add/Remove Programs panel if found.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

DirLook::
C:\Documents and Settings\Ryan Evans\Application Data\MfcdObjSoap
C:\Documents and Settings\Liam Evans\Application Data\MfcdObjSoap
File::
C:\WINDOWS\Tasks\A33A838491850084.job
C:\WINDOWS\Tasks\B59289FD9185355D.job
C:\WINDOWS\Tasks\ErrorRepairTool Scheduled Scan.job
Folder::
C:\Documents and Settings\David Evans\Application Data\ErrorRepairTool
C:\Documents and Settings\All Users\Application Data\live 64 math does
C:\DOCUME~1\DAVIDE~1\APPLIC~1\MFCDOB~1\
C:\Program Files\XP Antivirus\
C:\Program Files\ErrorRepairTool\
c:\docume~1\ryanev~1\applic~1\mfcdob~1\
c:\docume~1\liamev~1\applic~1\mfcdob~1\
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Info axis]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP Antivirus]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Is the computer running any better now?
  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP