I cannot reinstall Yahoo Instant Messenger and need it for my job [RES


  • This topic is locked

#1
medt

  • Member
  • 77 posts
Ever since I had spyware removed from my computer a few weeks ago, my Yahoo Instant Messenger has been acting up. I did an uninstall, and now when I do a reinstall it will not do it. Please, if anyone can help, that would be greatly appreciated. I am a medical transcriptionist and rely on this to communicate with my boss. THANKS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:59 AM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://echat.bellsou...oad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - https://www.transcen...bs/wspellam.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photo.walgree...eensActivia.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://games.king.co...l/kingcomie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163622349703
O16 - DPF: {AFABF0F0-C13E-4AB2-A1A5-8A8101D38155} - http://workportal.tr...ndTXTClient.CAB
O16 - DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} - http://philicast1.mt...d/footpedal.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...0.18/ttinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://tcimt.webex....ort/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7367 bytes


#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello medt

Welcome to G2Go. :)
=====================
Let's take a deeper look to see if anything is present.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3
medt

  • Topic Starter
  • Member
  • 77 posts
Okay here is ComboFix and the HiJackThis Logs. Thank you for your time!

ComboFix 08-04-26.3 - Owner 2008-04-30 17:26:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.183 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\licencia.txt
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 17:23 . 2008-04-30 17:23 67 --a------ C:\NtfA.tmp
2008-04-30 17:23 . 2008-04-30 17:23 67 --a------ C:\Ntf9.tmp
2008-04-30 10:50 . 2008-04-30 10:50 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-30 09:13 . 2008-04-30 09:14 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-04-29 15:16 . 2008-04-29 15:16 <DIR> d-------- C:\Program Files\Avery Dennison
2008-04-29 15:15 . 2008-04-29 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avery
2008-04-25 08:13 . 2008-04-25 08:13 <DIR> d-------- C:\Program Files\CCleaner
2008-04-16 19:22 . 2008-04-29 21:48 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-14 21:52 . 2008-04-14 21:52 67 --a------ C:\Ntf8.tmp
2008-04-14 21:52 . 2008-04-14 21:52 67 --a------ C:\Ntf7.tmp
2008-04-13 20:50 . 2008-04-13 20:50 67 --a------ C:\Ntf6.tmp
2008-04-13 20:50 . 2008-04-13 20:50 67 --a------ C:\Ntf5.tmp
2008-04-12 20:25 . 2008-04-12 20:25 67 --a------ C:\Ntf4.tmp
2008-04-12 20:25 . 2008-04-12 20:25 67 --a------ C:\Ntf3.tmp
2008-04-12 11:10 . 2008-04-13 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-12 09:58 . 2008-04-12 09:58 67 --a------ C:\Ntf2.tmp
2008-04-12 09:58 . 2008-04-12 09:58 67 --a------ C:\Ntf1.tmp
2008-04-12 09:13 . 2008-04-12 09:14 110,831,532 --a------ C:\registrybackup.reg
2008-04-11 10:11 . 2008-04-11 10:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-11 10:09 . 2008-04-11 10:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 16:50 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-04-08 16:50 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-04-08 15:25 . 2008-04-08 15:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-08 13:55 . 2008-04-10 18:29 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-08 13:05 . 2008-04-30 04:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-08 13:04 . 2008-04-08 13:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-08 13:04 . 2008-04-08 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-08 08:10 . 2008-04-14 11:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-07 11:10 . 2008-04-15 20:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-07 00:46 . 2008-04-07 00:46 3,428 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-04-06 18:38 . 2008-04-08 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-06 17:17 . 2007-03-29 08:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-06 17:17 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-04-06 17:09 . 2008-04-06 17:09 <DIR> d-------- C:\3c0fc6caaa617172e2cfdd098e
2008-04-06 10:24 . 2008-04-06 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-05 22:46 . 2008-04-12 09:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-05 22:46 . 2008-04-05 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-05 15:05 . 2001-08-23 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-04 21:59 . 2008-04-04 21:59 3,262 --a------ C:\WINDOWS\favicon.ico
2008-03-28 16:09 . 2007-03-08 00:20 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-03-28 16:09 . 2007-03-08 00:20 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-03-28 16:08 . 2008-03-28 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-03-28 16:05 . 2007-05-02 06:03 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-03-28 16:04 . 2007-03-15 15:32 118,272 --a------ C:\WINDOWS\system32\hpz3l5ha.dll
2008-03-28 16:03 . 2007-03-08 00:20 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-03-28 15:56 . 2007-05-02 04:56 954,368 -ra------ C:\WINDOWS\system32\hpotiop5.dll
2008-03-28 15:56 . 2007-05-02 05:01 675,840 -ra------ C:\WINDOWS\system32\hpowiax5.dll
2008-03-28 15:56 . 2007-03-08 00:20 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-03-28 15:56 . 2007-03-08 00:20 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-03-28 15:56 . 2007-05-02 05:00 303,104 -ra------ C:\WINDOWS\system32\hpovst12.dll
2008-03-28 15:46 . 2004-08-04 02:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-28 15:46 . 2004-08-04 02:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-20 13:35 . 2008-03-20 13:37 <DIR> d-------- C:\Program Files\Emdat
2008-03-19 18:55 . 2008-03-19 18:55 <DIR> d-------- C:\Program Files\eScription
2008-03-19 18:53 . 2008-03-19 18:53 <DIR> d-------- C:\EditScriptMSILogs
2008-03-19 18:51 . 2008-03-19 18:51 <DIR> d-------- C:\Documents and Settings\Owner\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 13:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-04-30 01:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-29 22:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-04-29 19:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 12:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-12 15:10 --------- d-----w C:\Program Files\Lavasoft
2008-04-03 13:53 --------- d-----w C:\Program Files\QLEDR05
2008-03-31 09:16 --------- d-----w C:\Program Files\AIM6
2008-03-31 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-31 09:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-31 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-20 21:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\Internet Explorer
2008-03-20 21:34 --------- d-----w C:\Program Files\GoldPocket
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 19:30 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-03-07 02:14 --------- d-----w C:\Program Files\Java
2008-02-29 18:20 92,464 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2006-06-12 14:44 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2003-08-31 19:33 32 --sha-w C:\WINDOWS\{567E7211-6D64-4C22-A829-C17F03F58257}.dat
2003-08-28 12:32 32 --sha-w C:\WINDOWS\{DD873066-2B14-49AB-86D8-F895ABD1AF85}.dat
2003-08-28 12:32 32 --sha-w C:\WINDOWS\system32\{5CE9ABEA-F241-4815-91A6-306832FBAEA5}.dat
2003-08-31 19:33 32 --sha-w C:\WINDOWS\system32\{AF9B2B6F-5424-49AB-8D25-94F7D34E018B}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 03:39 548933 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59 126976]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"NvCplDaemon"="NvQTwk" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 17:05 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-08 13:04 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-01-14 19:35:56 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.nvsadpcm"= nvsadpcm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp instant support.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
--a------ 2006-07-14 16:36 107008 C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 23:19:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-30 10:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 17:34:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\vmdesched.sys 7168 bytes executable
C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 41023 bytes executable


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\vmdesched.sys"
.
Completion time: 2008-04-30 17:46:35
ComboFix-quarantined-files.txt 2008-04-30 21:45:31

Pre-Run: 88,214,085,632 bytes free
Post-Run: 88,199,454,720 bytes free

181 --- E O F --- 2008-04-30 13:48:42




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:17 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://echat.bellsou...oad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - https://www.transcen...bs/wspellam.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photo.walgree...eensActivia.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://games.king.co...l/kingcomie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163622349703
O16 - DPF: {AFABF0F0-C13E-4AB2-A1A5-8A8101D38155} - http://workportal.tr...ndTXTClient.CAB
O16 - DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} - http://philicast1.mt...d/footpedal.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...0.18/ttinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://tcimt.webex....ort/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7343 bytes

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)

C:\WINDOWS\{567E7211-6D64-4C22-A829-C17F03F58257}.dat
C:\WINDOWS\{DD873066-2B14-49AB-86D8-F895ABD1AF85}.dat
C:\WINDOWS\system32\{5CE9ABEA-F241-4815-91A6-306832FBAEA5}.dat
C:\WINDOWS\system32\{AF9B2B6F-5424-49AB-8D25-94F7D34E018B}.dat


Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.
==================================================================
Also let me know how things are running.

#5
medt

  • Topic Starter
  • Member
  • 77 posts
I am using Mozilla to access the internet, as IE 6.0 just is not cutting it anymore and keeps messing up and not showing pictures, etc. Yahoo Instant Messenger is on my system now, but when I log in I keep getting reference errors from Yahoo application manager and it shuts it down completely. Okay, this is what is coming up:

This is for first one: File _567E7211-6D64-4C22-A829-C17F03F5 received on 05.01.2008 03:02:28 (CET)
Result: 1/31 (3.23%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.1.0 2008.04.30 -
AntiVir 7.8.0.11 2008.04.30 -
Authentium 4.93.8 2008.04.30 -
Avast 4.8.1169.0 2008.04.30 -
AVG 7.5.0.516 2008.04.30 -
BitDefender 7.2 2008.05.01 -
CAT-QuickHeal 9.50 2008.04.30 -
ClamAV 0.92.1 2008.05.01 -
DrWeb 4.44.0.09170 2008.04.30 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5747 2008.04.30 -
Ewido 4.0 2008.04.30 -
F-Prot 4.4.2.54 2008.05.01 -
F-Secure 6.70.13260.0 2008.04.30 -
Fortinet 3.14.0.0 2008.04.30 -
Ikarus T3.1.1.26 2008.05.01 -
Kaspersky 7.0.0.125 2008.05.01 -
McAfee 5285 2008.04.30 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3067 2008.04.30 -
Norman 5.80.02 2008.04.30 -
Panda 9.0.0.4 2008.04.30 -
Prevx1 V2 2008.05.01 -
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.01 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.05.01 -
TheHacker 6.2.92.298 2008.04.30 -
VBA32 3.12.6.5 2008.05.01 -
VirusBuster 4.3.26:9 2008.04.30 -
Webwasher-Gateway 6.6.2 2008.04.30 BlockReason.0
Additional information
File size: 32 bytes
MD5...: b1f1d1abc81d290ffe07e409ff05ed2c
SHA1..: 2ffeed33ea9c8d2af6b0273016727407048d8f90
SHA256: 113f6a8d310694400090e2b02e2587e2f33809eb0b37c07a10324d3e5c37c697
SHA512: 3b89416da336b22029ea773317e1119cf02cffdfcd915840f93b54972539b5c5
e3026a5e1326ec4b90be17e1a98c7e90f82edce2e1e7c71aaac0539a8ff659dc
PEiD..: -
PEInfo: -


Second one: C:\WINDOWS\{DD873066-2B14-49AB-86D8-F895ABD1AF85}.dat

Antivirus Version Last Update Result
AhnLab-V3 2008.5.1.0 2008.04.30 -
AntiVir 7.8.0.11 2008.04.30 -
Authentium 4.93.8 2008.04.30 -
Avast 4.8.1169.0 2008.04.30 -
AVG 7.5.0.516 2008.04.30 -
BitDefender 7.2 2008.05.01 -
CAT-QuickHeal 9.50 2008.04.30 -
ClamAV 0.92.1 2008.05.01 -
DrWeb 4.44.0.09170 2008.04.30 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5749 2008.04.30 -
Ewido 4.0 2008.04.30 -
F-Prot 4.4.2.54 2008.05.01 -
F-Secure 6.70.13260.0 2008.04.30 -
Fortinet 3.14.0.0 2008.04.30 -
Ikarus T3.1.1.26 2008.05.01 -
Kaspersky 7.0.0.125 2008.05.01 -
McAfee 5285 2008.04.30 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3067 2008.04.30 -
Norman 5.80.02 2008.04.30 -
Panda 9.0.0.4 2008.04.30 -
Prevx1 V2 2008.05.01 -
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.01 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.05.01 -
TheHacker 6.2.92.298 2008.04.30 -
VBA32 3.12.6.5 2008.05.01 -
VirusBuster 4.3.26:9 2008.04.30 -
Webwasher-Gateway 6.6.2 2008.04.30 BlockReason.0
Additional information
File size: 32 bytes
MD5...: 2bf74bd4d22911fec216368e23eefba7
SHA1..: 88f7d2fe8fd66cdf52c2841285a6f738a57fe7d1
SHA256: c9e0565bc587f4bd2d3cc339c26b5c91006fc27e7f62968af4883ed4c65465d5
SHA512: 668ff9c8dd1e39bae467743cf468345c9e0ff073ad1816f25cd501b93f677750
bb3b53ebdc793ebc3ae79f1e9f5f46bd38c704087c7e178cd969dcf1dcc05ad0
PEiD..: -
PEInfo: -

Third one: C:\WINDOWS\system32\{5CE9ABEA-F241-4815-91A6-306832FBAEA5}.dat

Antivirus Version Last Update Result
AhnLab-V3 2008.5.1.0 2008.04.30 -
AntiVir 7.8.0.11 2008.04.30 -
Authentium 4.93.8 2008.04.30 -
Avast 4.8.1169.0 2008.04.30 -
AVG 7.5.0.516 2008.04.30 -
BitDefender 7.2 2008.05.01 -
CAT-QuickHeal 9.50 2008.04.30 -
ClamAV 0.92.1 2008.05.01 -
DrWeb 4.44.0.09170 2008.04.30 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5749 2008.04.30 -
Ewido 4.0 2008.04.30 -
F-Prot 4.4.2.54 2008.05.01 -
F-Secure 6.70.13260.0 2008.04.30 -
FileAdvisor 1 2008.05.01 -
Fortinet 3.14.0.0 2008.04.30 -
Ikarus T3.1.1.26.0 2008.05.01 -
Kaspersky 7.0.0.125 2008.05.01 -
McAfee 5285 2008.04.30 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3067 2008.04.30 -
Norman 5.80.02 2008.04.30 -
Panda 9.0.0.4 2008.04.30 -
Prevx1 V2 2008.05.01 -
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.01 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.05.01 -
TheHacker 6.2.92.298 2008.04.30 -
VBA32 3.12.6.5 2008.05.01 -
VirusBuster 4.3.26:9 2008.04.30 -
Webwasher-Gateway 6.6.2 2008.04.30 BlockReason.0
Additional information
File size: 32 bytes
MD5...: 482deebef82f8ba4be2c7feb3ec3a3b3
SHA1..: 54bcfe5801719b3a8e7bc7fadd32cda6363aa448
SHA256: d101dd1f854d83da22ab6f651f87666ca03102770e727656056eb185665ac534
SHA512: 80e255062d0bb31db2d06ad94e26676f0e908f4a92f3ddc107699a21a8fdcdce
9e44d6dfbfa35298faee7cb2265808ef42d1e13ab450e4c41be2bed73a618cae
PEiD..: -
PEInfo: -


Fourth one: C:\WINDOWS\system32\{AF9B2B6F-5424-49AB-8D25-94F7D34E018B}.dat

Antivirus Version Last Update Result
AhnLab-V3 2008.5.1.0 2008.04.30 -
AntiVir 7.8.0.11 2008.04.30 -
Authentium 4.93.8 2008.04.30 -
Avast 4.8.1169.0 2008.04.30 -
AVG 7.5.0.516 2008.04.30 -
BitDefender 7.2 2008.05.01 -
CAT-QuickHeal 9.50 2008.04.30 -
ClamAV 0.92.1 2008.05.01 -
DrWeb 4.44.0.09170 2008.04.30 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5749 2008.04.30 -
Ewido 4.0 2008.04.30 -
F-Prot 4.4.2.54 2008.05.01 -
F-Secure 6.70.13260.0 2008.04.30 -
FileAdvisor 1 2008.05.01 -
Fortinet 3.14.0.0 2008.04.30 -
Ikarus T3.1.1.26.0 2008.05.01 -
Kaspersky 7.0.0.125 2008.05.01 -
McAfee 5285 2008.04.30 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3067 2008.04.30 -
Norman 5.80.02 2008.04.30 -
Panda 9.0.0.4 2008.04.30 -
Prevx1 V2 2008.05.01 -
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.01 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.05.01 -
TheHacker 6.2.92.298 2008.04.30 -
VBA32 3.12.6.5 2008.05.01 -
VirusBuster 4.3.26:9 2008.04.30 -
Webwasher-Gateway 6.6.2 2008.04.30 BlockReason.0
Additional information
File size: 32 bytes
MD5...: dc82fd258fce84937a5b46189309d61a
SHA1..: 1611a122e8ffd17afb9fa6506f82e3273fdc499d
SHA256: a9be2e642f990162379141ef4db3e0f4aabd0fa117ec19498f900812c3224511
SHA512: 92adeb6af529d7d90ee0ca04cd454fbb9b57f100d6df8f9da8a54e3826c99fa4
6b1ff86cec0da9f63d2066c7cb71de698c3081550583579945cfd7ba7bd6b6f2
PEiD..: -
PEInfo: -

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please update MalwareBytes Antimalware and run it. Please remove all items found and post the log.

#7
medt

    Member

  • Topic Starter
  • 77 posts
I am not sure if I have that MalwareBytes on my computer. I found a folder that said it was there, but it is empty, so I tried to download a copy and it keeps saying the MSI must be launched through setup and something about Norton 360. I do not know what to do. THANKS

#8
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download SUPERAntiSpyware Home Edition (free version).
Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Scan for Alternate Data streams
      • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.

Then run Superantispyware.
  • Double click on the icon to start Superantispyware.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information for me please do the following:
1. After reboot, double-click the SUPERAntispyware icon on your desktop.
2. Click Preferences. Click the Statistics/Logs tab.
3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
4. It will open in your default text editor (such as Notepad/Wordpad).
5. Please highlight everything in the notepad, then right-click and choose copy.
6. Click close and close again to exit the program.
Save the log information. If needed (still infected) paste this info along with your HijackThis log.

#9
medt

    Member

  • Topic Starter
  • 77 posts
Okay here are the logs. My yahoo instant messenger is working now. The only problem I am still having is IE 6.0. It will open some websites and some it will not and when I go to edit my personal website www.touchofrosspottery.com the pictures will not show up for me to edit. I can get it to work fine though using Mozilla.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/01/2008 at 03:11 PM

Application Version : 4.0.1154

Core Rules Database Version : 3451
Trace Rules Database Version: 1443

Scan type : Complete Scan
Total Scan Time : 02:09:15

Memory items scanned : 378
Memory threats detected : 0
Registry items scanned : 6299
Registry threats detected : 0
File items scanned : 153258
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt


HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:53 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://echat.bellsou...oad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - https://www.transcen...bs/wspellam.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photo.walgree...eensActivia.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://games.king.co...l/kingcomie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163622349703
O16 - DPF: {AFABF0F0-C13E-4AB2-A1A5-8A8101D38155} - http://workportal.tr...ndTXTClient.CAB
O16 - DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} - http://philicast1.mt...d/footpedal.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...0.18/ttinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://tcimt.webex....ort/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7561 bytes

#10
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Try to install a Flash update.
You can do that by going to this website > http://www.adobe.com.../downloads.html
Hopefully that may help.
=================
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Also delete\uninstall anything that we used that is left over.
=============================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

#11
medt

    Member

  • Topic Starter
  • 77 posts
Thank you so much for your time and getting me back on track! :)

#12
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.