[lifeisabeach2191]

report part 2

Attached Files

•  rp2.txt   498.97KB   142 downloads

[Advertisements]

report part 3

Attached Files

•  rp3.txt   492.01KB   177 downloads

[lifeisabeach2191]

report part 3

Attached Files

•  rp3.txt   492.01KB   177 downloads

[lifeisabeach2191]

report part 4

Attached Files

•  rp4.txt   481.26KB   144 downloads

[sarahw]

.

Edited by sarahw, 26 April 2008 - 12:30 AM.

[lifeisabeach2191]

report part 5

Attached Files

•  rp5.txt   497.49KB   234 downloads

[lifeisabeach2191]

report part 6

Attached Files

•  rp6.txt   436.49KB   505 downloads

[lifeisabeach2191]

report part 7 (last part)

Attached Files

•  rp7.txt   283.51KB   194 downloads

[sarahw]

1.
Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\Documents and Settings\Roman\Local Settings\Tempmjiwep0.exe
  C:\Program Files\VirusIsolator
  C:\Program Files\Webroot\Spy Sweeper\wrlzma.dll

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


2.
Please click HERE to run the Trend Micro™ HouseCall Scan.

• Click Scan now. It's free!
• Read and put a Check next to Yes I accept the terms of use.
• Click the Launching HouseCall>> button.
• Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
• You may receive a Security Warning about the TrendMicro Java applet, click YES.
• Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
• Please be patient while it installs, updates, and scans your system.
• Once the scan is complete, it will take you to the summary page.
• Under Cleanup options, choose clean all detected infections automatically.
• Click the Clean now>> button.
• If anything was found you may be prompted to run the scan again, you can just close the browser window.

3.
Tell me how the computer is running.

[lifeisabeach2191]

File/Folder C:\Documents and Settings\Roman\Local Settings\Tempmjiwep0.exe not found.
C:\Program Files\VirusIsolator\Suspicious moved successfully.
C:\Program Files\VirusIsolator\Infected moved successfully.
C:\Program Files\VirusIsolator moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\Webroot\Spy Sweeper\wrlzma.dll
C:\Program Files\Webroot\Spy Sweeper\wrlzma.dll NOT unregistered.
C:\Program Files\Webroot\Spy Sweeper\wrlzma.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04262008_113129


The computer is running much better. I no longer have that trojan apearing every 5 seconds and I can easily access the internet. Also the error popups and the random spyware popups have stopped as well. Thank you so much for helping me!

[lifeisabeach2191]

The only problems that I have now are that my Dell MediaDirect won't open. I also can't access Task Manager on one of my accounts, even though it is an adminisrator and I used to be able to use Task Manager before

Also it takes forever for my McAfee to open. It opens but freezes a lot.

Edited by lifeisabeach2191, 26 April 2008 - 04:47 PM.

[sarahw]

Can you please post another Combofix log.

[lifeisabeach2191]

ComboFix 08-04-22.5 - Solomiya 2008-04-27 13:09:51.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.498 [GMT -5:00]
Running from: C:\Documents and Settings\Roman\My Documents\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 00:32 . 2008-04-26 12:25 <DIR> d-------- C:\Documents and Settings\Roman\.housecall6.6
2008-04-26 00:29 . 2008-04-26 00:29 <DIR> d-------- C:\_OTMoveIt
2008-04-25 21:21 . 2008-04-25 21:21 <DIR> d-------- C:\WINDOWS\Sun
2008-04-25 15:43 . 2008-04-25 15:43 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-25 15:36 . 2008-04-25 15:36 <DIR> d-------- C:\Documents and Settings\Roman\Application Data\Grisoft
2008-04-25 15:36 . 2008-04-25 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-25 15:36 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-24 22:55 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-24 22:55 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-24 22:55 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-24 22:55 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-24 22:55 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-04-24 22:55 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-24 22:55 . 2008-04-24 22:55 1,224 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-24 22:39 . 2008-04-24 22:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-24 22:08 . 2008-04-24 22:08 <DIR> d-------- C:\Documents and Settings\Roman\Application Data\acccore
2008-04-24 17:01 . 2008-04-24 17:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 23:58 . 2008-04-24 21:17 <DIR> d-------- C:\Documents and Settings\Roman\Application Data\TmpRecentIcons
2008-04-23 21:59 . 2008-04-23 21:59 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-23 21:58 . 2004-02-11 18:27 102,912 --a------ C:\WINDOWS\system32\islzma.dll
2008-04-23 21:58 . 2005-11-18 12:05 78,336 --a------ C:\WINDOWS\system32\drivers\ssi.sys
2008-04-23 21:57 . 2008-04-23 21:57 <DIR> d-------- C:\Documents and Settings\Roman\Application Data\Webroot
2008-04-23 21:57 . 2005-05-20 00:58 356,352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2008-04-23 21:57 . 2003-06-06 10:21 81,920 --a------ C:\WINDOWS\system32\eSellerateControl350.dll
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\WINDOWS\system32\Macromed
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\Program Files\Symantec
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\Program Files\Sigmatel
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\Program Files\Platypus
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\Program Files\MSECache
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\Program Files\illiminable
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\Program Files\directx
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\Program Files\CONEXANT
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\Program Files\BAE
2008-04-23 21:46 . 2008-04-24 16:37 <DIR> d-------- C:\MDT
2008-04-23 21:46 . 2008-04-23 21:46 <DIR> d-------- C:\33a94a1ccf05d0a4abe400c4
2008-04-23 21:43 . 2008-04-24 19:20 <DIR> d-------- C:\i386
2008-04-23 21:36 . 2008-04-23 21:40 <DIR> d-------- C:\Program Files\SystemErrorFixer
2008-04-23 21:27 . 2008-04-23 21:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-23 19:58 . 2008-04-23 21:40 <DIR> d-------- C:\WINDOWS\privacy_danger(3)
2008-04-23 19:35 . 2008-04-23 19:35 <DIR> d-------- C:\Program Files\Webroot
2008-04-23 18:00 . 2008-04-23 18:00 <DIR> d-------- C:\Documents and Settings\Oksana\Application Data\McAfee
2008-04-23 17:58 . 2008-04-27 12:39 3,632 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-04-23 15:48 . 2008-04-23 15:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-03 16:04 . 2008-04-03 16:04 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 19:14 --------- d-----w C:\Program Files\McAfee
2008-04-25 03:39 --------- d-----w C:\Documents and Settings\Roman\Application Data\Apple Computer
2008-04-25 03:06 --------- d-----w C:\Program Files\AIM6
2008-04-25 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-25 00:15 --------- d-----w C:\Program Files\Viewpoint
2008-04-24 02:46 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-04-23 22:45 --------- d-----w C:\Program Files\LimeWire
2008-04-22 23:07 --------- d-----w C:\Program Files\EA GAMES
2008-04-03 21:04 --------- d-----w C:\Program Files\iTunes
2008-04-03 21:03 --------- d-----w C:\Program Files\QuickTime
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-27 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-01-29 17:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_21.38.51.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 02:34:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 17:33:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-22 23:48:09 38,428 -c--a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
+ 2008-04-25 03:06:02 38,428 -c--a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
- 2008-04-03 21:04:58 102,400 ----a-r C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe
+ 2008-04-25 03:39:44 102,400 ----a-r C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe
- 2006-11-20 11:44:01 135,168 -c--a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-04-26 17:27:03 135,168 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-06-25 20:54:44 71,496 ----a-w C:\WINDOWS\system32\drivers\mfeavfk.sys
+ 2007-06-25 19:54:44 71,496 ----a-w C:\WINDOWS\system32\drivers\mfeavfk.sys
- 2008-02-06 15:51:44 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
+ 2008-02-06 14:51:44 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
- 2007-03-02 20:16:52 109,608 ----a-w C:\WINDOWS\system32\drivers\Mpfp.sys
+ 2007-03-02 19:16:52 109,608 ----a-w C:\WINDOWS\system32\drivers\Mpfp.sys
- 2006-03-03 17:07:02 143,360 ----a-w C:\WINDOWS\system32\dunzip32.dll
+ 2006-03-03 16:07:02 143,360 ----a-w C:\WINDOWS\system32\dunzip32.dll
- 2008-04-09 20:45:44 291,680 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-26 18:10:36 288,496 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-27 17:34:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 22:57 395776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-22 19:03 67128]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Aim6"="" []
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.exe" [2007-01-17 18:02 95784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-11-18 12:05]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 0217151209237418mcinstcleanup;McAfee Application Installer Cleanup (0217151209237418);C:\DOCUME~1\Solomiya\LOCALS~1\Temp\021715~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96982c00-88a8-11db-8b04-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - 0217151209237418MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 01:16:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-03-06 23:38:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-11 02:05:45 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 13:12:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-04-27 13:15:40
ComboFix-quarantined-files.txt 2008-04-27 18:14:36
ComboFix2.txt 2008-04-25 03:27:02
ComboFix3.txt 2008-04-25 02:39:11

Pre-Run: 86,489,812,992 bytes free
Post-Run: 86,477,430,784 bytes free

179 --- E O F --- 2008-04-22 20:47:18

[sarahw]

Could you please list what security products you are using.
Also, when you pres Ctrl Alt Del to open Task Manager, do you get any error messages?
Any other error messages you get when opening things?

[lifeisabeach2191]

I am using McAffee, trial version of Spy Sweeper, and AVG.
The task manager seems to be working now and doesn't give me any more error messages although I didn't change any settings or anything.
However, the Dell MediaDirect still doesn't open.

[sarahw]

What happens when you try to open it?