
Spyware/ Hijacked? [RESOLVED]


#16 koko_crunch (Trusted Helper, Retired Staff, 1,751 posts)
It fixed it.
Next,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


#17 koko_crunch (Trusted Helper, Retired Staff, 1,751 posts)
After the run, install one of these good antivirus programs.

Anti-virus is a necessity these days.
Please choose one of these free anti-virus programs.

Note: Installing more than one anti-virus program can lead to system hang-ups and conflicts, providing less protection, not more!

INSTALL
Then
UPDATE



#18 NyxVI (Topic Starter, Member, 13 posts)
----------- ComboFix Report -------------

ComboFix 08-07-03.5 - Apie Della 2008-07-04 11:34:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.259 [GMT -4:00]
Running from: C:\Documents and Settings\Apie Della\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\download
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\libbz2.dll
C:\WINDOWS\system32\aYY4fb.syz
C:\WINDOWS\system32\CsMMEW.syz
C:\WINDOWS\system32\dait8c.syz
C:\WINDOWS\system32\eJCYkR.syz
C:\WINDOWS\system32\Evr2vT.syz
C:\WINDOWS\system32\fyufMB.syz
C:\WINDOWS\system32\KzmsdA.syz
C:\WINDOWS\system32\Ma3EHO.syz
C:\WINDOWS\system32\n7MtEu.syz
C:\WINDOWS\system32\Nwb8ik.syz
C:\WINDOWS\system32\qWONCk.syz
C:\WINDOWS\system32\vXxO2a.syz
C:\WINDOWS\system32\WkMsIw.syz

.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-02 22:00 . 2008-07-02 22:00 250 --a------ C:\WINDOWS\gmer.ini
2008-07-02 20:00 . 2008-07-02 20:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-02 19:56 . 2008-07-02 20:11 <DIR> d-------- C:\SDFix
2008-07-02 19:45 . 2008-07-02 19:45 <DIR> d-------- C:\VundoFix Backups
2008-07-01 22:55 . 2008-07-01 22:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-01 22:55 . 2008-07-01 22:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 22:55 . 2008-07-01 22:55 <DIR> d-------- C:\Documents and Settings\Apie Della\Application Data\SUPERAntiSpyware.com
2008-07-01 22:55 . 2008-07-01 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-01 22:36 . 2008-07-01 22:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-01 22:36 . 2008-07-01 22:36 <DIR> d-------- C:\Documents and Settings\Apie Della\Application Data\Malwarebytes
2008-07-01 22:36 . 2008-07-01 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-01 22:36 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-01 22:36 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-21 22:21 . 2008-06-21 22:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-21 22:16 . 2008-06-21 22:16 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-06-21 22:15 . 2008-06-21 22:15 <DIR> d-------- C:\Program Files\Bonjour
2008-06-21 22:09 . 2008-06-21 22:09 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-21 15:15 . 2008-06-12 20:55 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-06-21 15:05 . 2008-06-22 01:18 <DIR> d-------- C:\Program Files\PDF Suite
2008-06-21 14:57 . 2008-06-21 14:57 279 --a------ C:\WINDOWS\PowerReg.dat
2008-06-21 14:28 . 2008-06-21 14:28 <DIR> d-------- C:\Program Files\Pando Networks
2008-06-21 13:32 . 2008-06-21 13:32 <DIR> d-------- C:\Program Files\Google
2008-06-21 11:48 . 2005-11-10 14:03 49,265 --a------ C:\WINDOWS\SYSTEM32\jpicpl32.cpl
2008-06-21 11:44 . 2008-06-21 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-12 20:55 . 2008-06-21 18:08 <DIR> d-------- C:\Documents and Settings\Apie Della\.housecall6.6
2008-06-11 23:20 . 2008-06-11 23:20 <DIR> d-------- C:\Program Files\Ares
2008-06-10 18:46 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-10 18:46 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 03:36 --------- d-----w C:\Program Files\WebHost
2008-06-26 02:05 --------- d-----w C:\Documents and Settings\Apie Della\Application Data\AdobeUM
2008-06-25 21:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-25 21:51 --------- d-----w C:\Program Files\Modem On Hold
2008-06-25 21:51 --------- d-----w C:\Program Files\Modem Helper
2008-06-25 21:51 --------- d-----w C:\Program Files\AIM95
2008-06-22 02:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-22 01:27 --------- d-----w C:\Program Files\Trend Micro
2008-06-21 23:11 --------- d-----w C:\Program Files\XoftSpy
2008-06-21 19:29 --------- d-----w C:\Program Files\ewido anti-malware
2008-06-21 16:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-06-21 15:48 --------- d-----w C:\Program Files\Java
2008-06-21 15:45 --------- d-----w C:\Program Files\Canon
2008-06-21 15:44 --------- d-----w C:\Documents and Settings\Apie Della\Application Data\Canon
2008-06-16 23:37 --------- d-----w C:\Program Files\FYE Download Zone
2008-06-01 03:48 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-31 15:32 --------- d-----w C:\Documents and Settings\Apie Della\Application Data\NewSoft
2008-05-31 14:58 --------- d-----w C:\Program Files\NewSoft
2008-05-31 14:58 --------- d-----w C:\Program Files\Common Files\PDFView
2008-05-31 14:58 --------- d-----w C:\Program Files\Common Files\NewSoft
2008-05-31 14:54 --------- d-----w C:\Program Files\ScanSoft
2008-05-31 14:54 --------- d-----w C:\Documents and Settings\Apie Della\Application Data\ScanSoft
2008-05-31 14:51 --------- d-----w C:\Program Files\Common Files\CANON
2008-05-31 14:48 --------- d--h--w C:\Program Files\CanonBJ
2008-05-31 14:48 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-24 02:16 3,591,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-21 07:04 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2008-04-21 07:04 1,494,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2008-04-21 07:03 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2008-04-21 07:03 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2008-04-21 07:03 1,023,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-08 14:17 1,682 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-13 11:00 700416]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42 1404928]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 14:16 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 18:54 57344]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 03:01 86016]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]
"HostManager"="C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe" [2006-05-09 20:24 50760]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59 124520]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 21:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 21:50 1603152]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 08:35 20480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-30 19:50:10 113664]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2006-05-30 19:46:37 106496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NSVI"= NSVIDEO.DLL
"VIDC.JPEG"= JpegCode.dll
"VIDC.MJPG"= JpegCode.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 09:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Voodoo\\voodoo.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Voodoo\\Copy of voodoo.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Voodoo\\update.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147154521\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147154521\\ee\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56816:TCP"= 56816:TCP:Pando P2P TCP Listening Port
"56816:UDP"= 56816:UDP:Pando P2P UDP Listening Port

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 07:12]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 DSCVc;Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2005-12-14 03:13:07 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Walgreens PhotoShow Media Manager - C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
HKLM-Run-NoteBurner - C:\Program Files\NoteBurner\VTBurnerGUI.exe
HKLM-Run-PDFServiceEngine - C:\Program Files\PDF Suite\PDFServiceEngine.exe
MSConfigStartUp-MCAgentExe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-mmtask - C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-MMTray - C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-MPFExe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-RealTray - C:\Program Files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-VirusScan Online - c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 11:37:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-04 11:37:45
ComboFix-quarantined-files.txt 2008-07-04 15:37:39

Pre-Run: 31,836,651,520 bytes free
Post-Run: 32,156,872,704 bytes free

204 --- E O F --- 2008-07-02 04:01:46


------------------ New HijackThis Log ---------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:16 AM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133676649750
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.ai...AIM.9.5.1.8.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7746 bytes


#19 NyxVI (Topic Starter, Member, 13 posts)
Also, I've chosen Avast and I ran the reboot scan. I hope this was a good choice. I had AVG in the past but thought I would try something different. Plus I read over the protection Avast provided and it looked beneficial. Anywho... It found the same syz files that Combo found and I'm not sure if it showed on any of the other logs but looks like it picked up an exe this time as well. I chose to Delete All. I hope that was okay. Attached is the report for what it deleted.

I have a few questions if you don't mind.

Which programs that you've had me download and run over the past few days can I remove from my system? Or should I keep some of them for security measures?

I just purchased an external hard drive. Since I noticed some issues with my system I waited to hook it up for worry of spreading something to the drive. Once I've been cleared of these trojans and such, would it be okay to install the drive?

Lastly, where can I go to donate? I don't have much but I really do appreciate all of your help and would like to donate what I can. That is ... if it's safe to donate now? Hehe.

Many thanks!!!

------------------- Avast Boot Log ----------------------

07/04/2008 11:53
Scan of all local drives

File C:\QooBox\Quarantine\C\WINDOWS\libbz2.dll.vir is infected by Win32:Adware-gen [Adw], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aYY4fb.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\CsMMEW.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dait8c.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\eJCYkR.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\Evr2vT.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fyufMB.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\KzmsdA.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\Ma3EHO.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\n7MtEu.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\Nwb8ik.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qWONCk.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vXxO2a.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\WkMsIw.syz.vir is infected by Win32:Agent-TKS [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP586\A0040690.exe is infected by Win32:VB-QM [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP586\A0040692.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP620\A0044790.dll is infected by Win32:Adware-gen [Adw], Deleted
Number of searched folders: 7523
Number of tested files: 83894
Number of infected files: 17

#20 koko_crunch (Trusted Helper, Retired Staff, 1,751 posts)
Let's finish with the clean up first then we'll address other issues later. :)

Next,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked.
Close HiJackThis.

Then,

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\Temp\bca4e2da.$$$
    C:\WINDOWS\Temp\fa56d7ec.$$$
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Finally,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then, please do an online scan with Kaspersky WebScanner

Temporarily disable your resident Antivirus software before proceeding.

The Welcome Information page will open. Click on Accept.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded, click on Scan
    • Now under that section select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Enable your anti-virus protection once the scan is done.

Logs required in your next post:
- Kaspersky log
- New HijackThis log
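The kind of triage a helper does by eye on the logs above can be written down as rules. The following is an added example, not code from the forum or from the HijackThis/ComboFix authors: it reads lines in the two log formats (the firewall, open-port and "Other Deletions" lines from the ComboFix report in #18, and the R1/R3 entries fixed in #20) and flags them. The matching rules and category names are assumptions chosen for illustration; the sample lines are copied from this thread's logs.

```python
"""Triage heuristics for HijackThis and ComboFix log lines.

Added example, not code from the forum or from the HijackThis/ComboFix
authors; the rules and category names are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# HijackThis entry: "R1 - HKCU\...\SearchURL,(Default) = http://..."
HJT_ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# ComboFix firewall policy line: "EnableFirewall"= 0 (0x0)
CF_FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
# ComboFix globally open port line: "56816:TCP"= 56816:TCP:Pando P2P ...
CF_OPEN_PORT = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')
# ComboFix "Other Deletions" lines are bare paths; this catches a short
# random-looking basename in system32 with an extension Windows never ships.
RANDOM_SYS32 = re.compile(
    r"^C:\\WINDOWS\\system32\\(?P<name>[A-Za-z0-9]{6})\.(?P<ext>[a-z]{3})$",
    re.IGNORECASE)
KNOWN_SYS32_EXT = {"dll", "exe", "sys", "ocx", "cpl", "drv", "scr", "acm", "tlb"}
# IE search settings hijackers rewrite; the Microsoft redirector is the stock
# value for the HKLM entries on XP (assumption for this example).
SEARCH_KEYS = ("SearchURL", "Search Page", "Default_Search_URL", "URLSearchHook")
MS_DEFAULT_HOST = "go.microsoft"


@dataclass(frozen=True)
class Finding:
    category: str
    line: str


def _hjt_findings(body, line):
    """Flags for one HijackThis entry (the text after 'R1 - ', 'O2 - ', ...)."""
    out = []
    if "(no file)" in body:
        # Registry hook whose target is gone: harmless, but it shows something
        # was removed without its registration, and it is trivial to fix.
        out.append(Finding("orphan", line))
    elif any(key in body for key in SEARCH_KEYS) and MS_DEFAULT_HOST not in body:
        # Search setting pointing somewhere other than the browser default.
        out.append(Finding("search-hijack", line))
    return out


def _combofix_findings(line):
    """Flags for one ComboFix line (firewall policy, open ports, deleted files)."""
    out = []
    m = CF_FIREWALL.match(line)
    if m and m.group("value") == "0":
        out.append(Finding("firewall-off", line))
    m = CF_OPEN_PORT.match(line)
    if m:
        out.append(Finding("open-port", line))
    m = RANDOM_SYS32.match(line)
    if m and m.group("ext").lower() not in KNOWN_SYS32_EXT:
        out.append(Finding("random-file", line))
    return out


def triage(log_text):
    """Run every non-blank line of a pasted log through the heuristics above."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_ENTRY.match(line)
        if m:
            findings.extend(_hjt_findings(m.group("body"), line))
        else:
            findings.extend(_combofix_findings(line))
    return findings


def count_by_category(findings):
    """Tally findings per category, e.g. {'random-file': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample: lines copied from the ComboFix and HijackThis logs in
# this thread, plus one benign system32 path to show it is not flagged.
SAMPLE_LOG = r"""
"EnableFirewall"= 0 (0x0)
"56816:TCP"= 56816:TCP:Pando P2P TCP Listening Port
"56816:UDP"= 56816:UDP:Pando P2P UDP Listening Port
C:\WINDOWS\system32\aYY4fb.syz
C:\WINDOWS\system32\CsMMEW.syz
C:\WINDOWS\system32\ctfmon.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
"""
```

Running `triage(SAMPLE_LOG)` flags the disabled firewall, both Pando ports, the two .syz deletions, the orphaned Yahoo! Toolbar hook and the rewritten SearchURL, while the stock Microsoft search page, the Java BHO and ctfmon.exe pass untouched.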

#21 NyxVI (Topic Starter, Member, 13 posts)
----------- Kaspersky Log ---------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, July 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 04, 2008 20:42:32
Records in database: 913699
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 76159
Threat name: 7
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 01:00:59


File name / Threat name / Threats count
C:\Documents and Settings\Apie Della\.housecall6.6\Quarantine\57387e23-6753d3d4.bac_a01296 Infected: Trojan-Downloader.Java.OpenStream.y 1
C:\Documents and Settings\Apie Della\.housecall6.6\Quarantine\GS2.exe.bac_a01296 Infected: Trojan-Dropper.Win32.VB.kk 1
C:\Documents and Settings\Apie Della\.housecall6.6\Quarantine\VB1.exe.bac_a01296 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j 1
C:\Documents and Settings\Apie Della\.housecall6.6\Quarantine\ventcc.exe.bac_a01296 Infected: not-a-virus:AdWare.Win32.BookedSpace.e 1
C:\Documents and Settings\Apie Della\Desktop\0Favorites0\Guards\Protectors\aproposfix\backups\backups.zip Infected: Packed.Win32.NSAnti.r 4
C:\Documents and Settings\Apie Della\Desktop\0Favorites0\Guards\Protectors\aproposfix\backups\backups.zip Infected: Trojan.Win32.Crypt.t 2
C:\Documents and Settings\Apie Della\Desktop\0Favorites0\Guards\Protectors\aproposfix\backups\backups.zip Infected: Rootkit.Win32.SMA.gen 1

The selected area was scanned.



------------------- New HijackThis Log -------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:57 AM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133676649750
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.ai...AIM.9.5.1.8.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8245 bytes



-------------- OT MoveIT Report --------------

File/Folder C:\WINDOWS\Temp\bca4e2da.$$$ not found.
File/Folder C:\WINDOWS\Temp\fa56d7ec.$$$ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07042008_225127


#22
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Congratulations, your log is clean! :)
We have a couple of last steps to perform and then you're all set.


First,

Download OTCleanit then save it to your Desktop.
  • Double-click on OTCleanIt.exe to run
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You may be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


Next, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
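The same two Folder Options settings, checked and restored from PowerShell as an added example (not part of the original post). It assumes the current-user Explorer values Hidden (2 = do not show hidden files) and ShowSuperHidden (0 = hide protected OS files), which back the two checkboxes described above.

```powershell
# Added example, not from the thread: read the Explorer registry values behind
# "Show hidden files and folders" and "Hide protected operating system files",
# and with -Restore put them back to the defaults the post asks for.
param([switch]$Restore)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HiddenFileState {
    # Hidden: 1 = show hidden files, 2 = do not show.
    # ShowSuperHidden: 1 = show protected OS files, 0 = hide them.
    $v = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        ShowHiddenFiles      = ($v.Hidden -eq 1)
        ShowProtectedOsFiles = ($v.ShowSuperHidden -eq 1)
    }
}

$before = Get-HiddenFileState
"Before: hidden files shown = $($before.ShowHiddenFiles); protected OS files shown = $($before.ShowProtectedOsFiles)"

if ($before.ShowProtectedOsFiles) {
    "Protected operating system files are currently visible (post-cleanup default is hidden)."
}

if ($Restore) {
    # Matches the two clicks in the post: unselect "Show hidden files", check "Hide protected OS files".
    Set-ItemProperty -Path $key -Name Hidden -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name ShowSuperHidden -Value 0 -Type DWord
    $after = Get-HiddenFileState
    "After:  hidden files shown = $($after.ShowHiddenFiles); protected OS files shown = $($after.ShowProtectedOsFiles)"
    # Explorer reads these values when a window opens; open a new window to see the change.
}
```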

Then, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
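The System Restore reset above, done through the WMI SystemRestore class instead of the Properties dialog, as an added example that is not part of the original post. It assumes PowerShell is installed, the script runs as Administrator, and the system drive is C:\; the post reboots between turning restore off and on, and this script does not.

```powershell
# Added example, not from the thread: reset System Restore via the WMI
# SystemRestore class in root\default (Disable / Enable / CreateRestorePoint).
$drive = 'C:\'   # assumption: the system drive the post's dialog applies to
$sr = [wmiclass]'\\.\root\default:SystemRestore'

function Get-RestorePoints {
    # Each instance of the class is one existing restore point.
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, CreationTime
}

"Restore points before reset (all of these are discarded when restore is turned off):"
Get-RestorePoints | Format-Table -AutoSize

# Step 1 of the post: turning System Restore off deletes every restore point on the
# drive, including any that captured the files the scanners just removed.
$rc = $sr.Disable($drive).ReturnValue
if ($rc -ne 0) { throw "Disable failed with code $rc" }

# Step 3 of the post: turn it back on. WaitTillEnabled = $true blocks until the
# service reports it is active again.
$rc = $sr.Enable($drive, $true).ReturnValue
if ($rc -ne 0) { throw "Enable failed with code $rc" }

# Take a fresh, known-clean checkpoint so there is something safe to roll back to.
# RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.CreateRestorePoint('Clean after malware removal', 0, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint failed with code $rc" }

"Restore points after reset (only the new clean checkpoint should remain):"
Get-RestorePoints | Format-Table -AutoSize
```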

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you don't have one yet, you should install a good firewall. Here are 3 free ones available for personal use:
and a good antivirus (these are also free for personal use):
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To keep your operating system up to date visit
monthly.
To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Good luck! :)

#23
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts

Which programs that you've had me download and run over the past few days can I remove from my system? Or should I keep some of them for security measures?


You can remove MalwareBytes and SuperAntispyware via Add/Remove in your Control panel but you can also keep them as on demand scanners.

The rest of the tools will be removed when you run OTcleanit.


I just purchased a external harddrive. Since I noticed some issues with my system I waited to hook it up for worry of spreading something to the drive. Once I've been cleared of these trojans and such would it be okay to install the drive?


You can but make sure you scan the whole drive first using AVAST and Antispyware software. Ewido is ok as you're still able to update its definitions.


Lastly, where can I go to donate? I don't have much but I really do appreciate all of your help and would like to donate what I can. That is ... if it's safe to donate now? Hehe.


You can click this link http://www.geekstogo...ation-t132.html for more info.

Anything else?

Edited by koko_crunch, 04 July 2008 - 11:17 PM.


#24
NyxVI

NyxVI

    Member

  • Topic Starter
  • Member
  • 13 posts
Thank you soooo much KoKo Crunch!!!!!!!!!! You're amazing! :)

All of your help is greatly appreciated! ::hugs::

#25
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
