Spywarequake, Active X, browsers forced to close after a moment up(IE


This topic is locked

#1
michelle13 (New Member, 9 posts)
I downloaded HijackThis.. went through my Add/Remove Programs to make sure no unwanted programs were downloaded. Now have run this: http://www.outerinfo...Uninstaller.exe and it did say after I re-boot things would be removed (haven't re-booted yet).. I printed out the instructions as suggested.

Attached you'll find my HijackThis log & startup list



**The HijackThis log did not attach.. <<<<Attachment space used 5.72K of 500K>>>


Edited by michelle13, 03 May 2008 - 12:17 PM.


#2
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

Run a new HijackThis scan. Copy & paste the log here instead of attaching it.

#3
michelle13 (Topic Starter, New Member, 9 posts)
OK.. had to leave for a few.. once I got back Malwarebytes' Anti-Malware completed its scanning & found nothing. As you told me above, I ran ComboFix.. the log is below

ComboFix 08-05-01.3 - Scott Drummond 2008-05-03 17:23:50.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.147 [GMT -4:00]
Running from: C:\Documents and Settings\Scott Drummond\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\start.exe
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-05-03 17:23 . 2008-05-03 17:23 1,024 --ah----- C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG
2008-05-03 14:29 . 2008-05-03 14:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-03 14:29 . 2008-05-03 14:29 <DIR> d-------- C:\Documents and Settings\Scott Drummond\Application Data\Malwarebytes
2008-05-03 14:29 . 2008-05-03 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-03 14:28 . 2008-05-03 14:28 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-03 13:06 . 2008-05-03 13:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-03 13:04 . 2008-05-03 13:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-03 12:19 . 2008-05-03 12:19 0 --a------ C:\WINDOWS\SYSTEM32\SDRemoveDB.db
2008-05-03 12:14 . 2008-04-15 10:29 12,752 --a------ C:\WINDOWS\SYSTEM32\SDEarlyDelete.exe
2008-05-03 12:14 . 2008-05-03 12:14 110 --a------ C:\WINDOWS\SYSTEM32\SDEarlyDelete.ini
2008-05-03 12:14 . 2008-05-03 12:14 63 --a------ C:\WINDOWS\SYSTEM\SysSD.dll
2008-05-03 12:12 . 2008-05-03 12:12 <DIR> d-------- C:\Program Files\SpywareDetector
2008-05-03 12:12 . 2008-04-24 11:48 839,680 --a------ C:\WINDOWS\SYSTEM32\CheckDll.dll
2008-05-03 11:02 . 2008-05-03 11:02 <DIR> d-------- C:\Documents and Settings\Scott Drummond\Application Data\iolo
2008-05-03 11:02 . 2008-05-03 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-05-03 11:02 . 2008-05-03 11:02 406 --a------ C:\WINDOWS\SYSTEM32\ioloBootDefrag.cfg
2008-04-29 19:06 . 2008-04-29 19:06 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-29 19:06 . 2005-10-20 21:47 30,592 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
2008-04-29 19:06 . 2005-10-20 21:47 12,800 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
2008-04-29 19:05 . 2008-04-29 19:05 <DIR> d-------- C:\Program Files\Windows Mobile Device Handbook
2008-04-21 21:47 . 2008-04-21 21:47 <DIR> d-------- C:\Documents and Settings\Scott Drummond\Application Data\Move Networks
2008-04-19 21:25 . 2008-04-19 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-19 19:22 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\SYSTEM32\xactengine3_0.dll
2008-04-19 19:22 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\SYSTEM32\X3DAudio1_3.dll
2008-04-19 19:20 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\SYSTEM32\d3dx9_31.dll
2008-04-13 12:15 . 2008-04-13 12:15 <DIR> d-------- C:\Documents and Settings\Maranda\Application Data\MySpace
2008-04-06 12:56 . 2008-04-06 12:56 <DIR> d-------- C:\Documents and Settings\Scott Drummond\Application Data\ApplicationHistory
2008-04-06 03:54 . 2008-04-06 03:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-06 03:05 . 2008-04-06 03:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 16:52 . 2008-04-05 16:52 <DIR> d-------- C:\baccb9a0987cc2f8722ee6
2008-04-05 16:52 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-04-05 16:46 . 2008-04-05 16:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\URTTEMP
2008-04-05 15:20 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-04-05 14:25 . 2008-04-05 14:25 <DIR> d-------- C:\Documents and Settings\Scott Drummond\Apps
2008-04-05 11:46 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-04-05 11:46 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2008-04-05 00:26 . 2008-04-05 00:26 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-04 22:59 . 2008-04-04 22:59 <DIR> d--hs---- C:\FOUND.032

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 21:41 1,426,944 ------w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-13 07:34 1,413,632 ------w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-07 02:18 17,144 ----a-w C:\Documents and Settings\Scott Drummond\Application Data\GDIPFONTCACHEV1.DAT
2008-04-01 05:05 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-01 04:29 --------- d-----w C:\Program Files\Google
2008-03-31 03:42 --------- d-----w C:\Program Files\MSBuild
2008-03-31 03:29 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-30 05:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-30 05:49 --------- d-----w C:\Documents and Settings\Scott Drummond\Application Data\Azureus
2008-03-30 05:41 --------- d-----w C:\Program Files\Azureus(2)
2008-03-29 19:58 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-29 19:58 --------- d-----w C:\Documents and Settings\Scott Drummond\Application Data\SUPERAntiSpyware.com
2008-03-29 16:55 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-29 16:50 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-29 16:07 --------- d-----w C:\Program Files\Windows Live
2008-03-29 16:07 --------- d-----w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-29 16:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-29 08:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-29 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-27 00:24 --------- d-----w C:\Program Files\Security Task Manager
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k(2)(2).sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-03-16 22:11 --------- d-----w C:\Documents and Settings\Scott Drummond\Application Data\ZoomBrowser EX
2008-03-16 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-03-16 20:50 --------- d-----w C:\Program Files\Common Files\Canon
2008-03-16 18:33 --------- d--h--w C:\Documents and Settings\Scott Drummond\Application Data\yahoo!
2008-03-15 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-15 18:25 --------- d-----w C:\Program Files\Yahoo!
2008-03-15 17:48 --------- d-----w C:\Documents and Settings\Scott Drummond\Application Data\MySpace
2008-03-15 17:47 --------- d-----w C:\Program Files\MySpace
2008-03-15 00:25 --------- d-----w C:\Program Files\Java
2008-03-15 00:24 --------- d-----w C:\Program Files\Common Files\Java
2008-03-14 05:43 --------- d-----w C:\Program Files\Winamp
2008-03-14 05:43 --------- d-----w C:\Documents and Settings\Scott Drummond\Application Data\Winamp
2008-03-14 03:11 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-03-12 23:58 --------- d-----w C:\Program Files\NoAds
2008-03-12 23:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 01:59 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-12 00:57 --------- d-----w C:\Documents and Settings\Guest\Application Data\Talkback
2008-03-12 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-11 22:40 --------- d-----w C:\Documents and Settings\Scott Drummond\Application Data\Talkback
2008-03-11 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-05 19:56 3,786,760 ----a-w C:\WINDOWS\SYSTEM32\D3DX9_37.dll
2008-03-05 19:56 1,420,824 ----a-w C:\WINDOWS\SYSTEM32\D3DCompiler_37.dll
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32(2)(2).dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr(2)(2).dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi(2)(2).dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2008-02-06 03:07 462,864 ----a-w C:\WINDOWS\SYSTEM32\d3dx10_37.dll
2007-11-16 22:08 271 --sh--w C:\Program Files\desktop.ini
2007-11-16 22:08 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2008-03-12 19:58 151552]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-19 21:25 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2004-08-04 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54 127022]
"PDUiP6220DMon"="C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe" [2005-05-06 18:17 69632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 21:39 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2008-04-16 17:52 2090448]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2008-04-24 10:55 1598928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-11 20:18 219136]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-19 21:25:27 124400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2008-04-16 17:04 446464 C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"HydarVisionDesktopManager"=desk98.exe
"AtiPTA"=atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2002-08-05 11:17]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]

*Newly Created Service* - AAWSERVICE
*Newly Created Service* - CATCHME
*Newly Created Service* - SDSERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 18:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-05-03 21:31:04 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-05-03 21:16:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 17:30:29
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-03 17:32:46
ComboFix-quarantined-files.txt 2008-05-03 21:32:38

Pre-Run: 97,399,832,576 bytes free
Post-Run: 99,221,667,840 bytes free

204 --- E O F --- 2008-04-19 03:33:01

#4
michelle13 (Topic Starter, New Member, 9 posts)
And here is the most recent HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:16 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [PDUiP6220DMon] C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1409082233-789336058-1202660629-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Maranda')
O4 - HKUS\S-1-5-21-1409082233-789336058-1202660629-1005\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Maranda')
O4 - HKUS\S-1-5-21-1409082233-789336058-1202660629-501\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

--
End of file - 7671 bytes
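As an added illustration (not code from this thread or from HijackThis itself), a small Python parser for the HijackThis log format posted above: it counts the findings per section, breaks each O4 Run entry into hive, name, command and user, and flags commands a helper would look at twice, such as a bare file name with no directory. The sample log inside the script is a constructed excerpt of the log above, and the "trusted" directory list is an assumption for this example.

```python
"""Parse a Trend Micro HijackThis v2 log into structured autostart entries."""
import re
from collections import Counter

# Constructed excerpt modelled on the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:16 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\SpywareDetector\SDService.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKUS\S-1-5-21-1409082233-789336058-1202660629-501\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe (User 'Guest')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
--
End of file - 7671 bytes
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Name] cmd".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# Registry Run entries: hive\..\Run: [name] command, plus "(User 'X')" for other profiles.
O4_REG_RE = re.compile(
    r"^(?P<hive>[^:]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder shortcuts: "Global Startup: <name>.lnk = <target>".
O4_STARTUP_RE = re.compile(r"^(?P<scope>Global|Startup) Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# Leading image path of a command line, with a surrounding quote removed.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|com|scr|cmd|bat))\b', re.IGNORECASE)
# Assumed "expected" locations for autostarts on this XP machine (example assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_log(text):
    """Return (section, body) tuples for every finding line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def parse_o4(body):
    """Split an O4 body into hive/key/name/cmd/user; None if it is not an O4 shape."""
    m = O4_REG_RE.match(body)
    if m:
        return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
                "cmd": m.group("cmd"), "user": m.group("user")}
    m = O4_STARTUP_RE.match(body)
    if m:
        return {"hive": m.group("scope") + " Startup", "key": "Startup",
                "name": m.group("name"), "cmd": m.group("cmd"), "user": None}
    return None


def executable_of(cmd):
    """Image path of a Run command line, ignoring arguments such as /STARTUP."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def review_flags(cmd):
    """Reasons to look twice at an autostart command (empty list = nothing notable)."""
    exe = executable_of(cmd)
    flags = []
    if "\\" not in exe:
        # A bare file name is resolved through the search path, so the log alone
        # does not tell you which copy of the file actually runs.
        flags.append("bare file name, no directory")
    elif not exe.lower().startswith(TRUSTED_PREFIXES):
        flags.append("image outside Windows/Program Files")
    return flags


def summarize(text):
    """Counts per section, parsed O4 entries, and the O4 names that deserve a second look."""
    entries = parse_log(text)
    o4 = [e for e in (parse_o4(body) for sec, body in entries if sec == "O4") if e]
    flagged = {e["name"]: review_flags(e["cmd"]) for e in o4 if review_flags(e["cmd"])}
    return {"sections": Counter(sec for sec, _ in entries), "o4": o4, "flagged": flagged}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for section, count in sorted(report["sections"].items()):
        print(f"{section}: {count}")
    for name, reasons in report["flagged"].items():
        print(f"review {name}: {', '.join(reasons)}")
```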

#5
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Delete the following:

C:\FOUND.032
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp


I don't see any traces of Spywarequake here. Is it still being detected? If so, run the below scan:

Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #1 - Search by typing 1 and press Enter. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 or any other option until you are directed to do so!

NOTE: process.exe is detected by some antivirus programs as a Risk Tool. It is not a virus. If you get this detected, ignore it.


#6
michelle13 (Topic Starter, New Member, 9 posts)
I wanted to let you guys know that I've re-booted & had no problems since. Of course after scanning with Malwarebytes' Anti-Malware, HijackThis, & ComboFix. Prior to this I'd already been using Ad-Aware 2007 (crappy) & SUPERAntiSpyware Free Edition. However these issues are either present or not. They will happen consistently over & over or not at all. I was reading in another area of threads in reference to what I was having the actual problem with. Of course, I'd submitted my HijackThis log prior to finding the thread. So.. I'll be loyal to this forum & be sure to check everything out in case I need help again. BUT, I can't afford to have people come in & fix my PC. It's a luxury.. therefore it must be a DIY project. Therefore I'll be back, I am certain :)

I thank you guys for everything & hope that I can be of help to others.

#7
michelle13 (Topic Starter, New Member, 9 posts)
I'm back. I'd written the above before you posted above it.

After reading what you said to delete (step 1) I ran HijackThis again & did not find any of the 3 on the log. Went into search my files & did not find the 1st listed above, however did find the 2 'Internet Files'.. should I go into regedit to remove those last 2 files or will that create some sort of prob?

Sorry to be a pain, I just don't want to delete some .dll I need. That's why you guys are here, right :)

#8
michelle13 (Topic Starter, New Member, 9 posts)
*I'm not sure if the scan is finished or not.


SmitFraudFix v2.319

Scanning Process...
Scanning hosts...
Scanning C:\...
Scanning C:\WINDOWS\...
Scanning C:\WINDOWS\system...
Scanning C:\WINDOWS\Web...
Scanning C:\WINDOWS\system32...
Scanning C:\WINDOWS\system32\LogFiles...
Scanning C:\Documents and Settings\Scott Drummond...
Scanning C:\Documents and Settings\Scott Drummond\Application Data...
Scanning Start Menu...
Scanning C:\DOCUME~1\SCOTTD~1\FAVORI~1...
Scanning Desktop...
Scanning C:\Program Files...
Scanning corrupted keys
Scanning Desktop Components
Scanning IEDFix

#9
michelle13 (Topic Starter, New Member, 9 posts)
SCAN COMPLETE (sorry)


SmitFraudFix v2.319

Scan done at 22:32:06.37, Sat 05/03/2008
Run from C:\Documents and Settings\Scott Drummond\Desktop\X\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\migicons.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Scott Drummond


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Scott Drummond\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SCOTTD~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 64.193.0.5
DNS Server Search Order: 64.13.48.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E6C7E81D-707F-47E1-BC4A-A1EBF2417C54}: DhcpNameServer=64.193.0.5 64.13.48.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E6C7E81D-707F-47E1-BC4A-A1EBF2417C54}: DhcpNameServer=64.193.0.5 64.13.48.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E6C7E81D-707F-47E1-BC4A-A1EBF2417C54}: DhcpNameServer=64.193.0.5 64.13.48.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=64.193.0.5 64.13.48.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=64.193.0.5 64.13.48.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=64.193.0.5 64.13.48.12


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#10
michelle13 (Topic Starter, New Member, 9 posts)
It seems to be good for now. Lots faster. After I'd posted here.. I was lurking around on the forum & found a topic more to the point of my issue. I use Mozilla mostly but had been getting into IE again.. and then it all started messing up. Go figure. I un-installed Ad-Aware 2007 today & re-installed. I'd had issues to where Ad-Aware could not update, continuously erroring out. After today's re-install.. it found over 156 items for removal :) and I have had SUPERAntiSpyware Free Edition for about 2 months. IT rocks!
Most importantly, Microsoft issued critical security updates for IE7 this evening. Since that point & all that was done today with your humble offerings.. I've got smooth sailing.

I want to thank you for your support & time.
Michelle13

PS I am sure that I'll be back.. as long as I'm in the Microsoft environment :)

#11
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\migicons.exe

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#12
michelle13 (Topic Starter, New Member, 9 posts)
For whatever reasons a log was created but could not be duplicated. It removed the item.. I remember seeing that yesterday. The migicons.exe.

I thank you again.. I should be okay now.. as long as I do not have Adobe Flash 9xe issues again.. that's what got me in here. For both IE & Mozilla. Mozilla occasionally says must close, Shockwave had an error & IE says "ran into a problem, have to close"..


Since last night, still smooooth sailingggg

Thanks!!
Michelle

#13
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No problem Michelle. Glad the issue is resolved.

If Adobe gives you problems, try reinstalling it to see if it helps.

#14
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.