Geeks to Go forum thread
help i am running out of free space

#1 nelsonrh (New Member, 4 posts)
Help please,
My computer keeps saying I'm running out of space. I have deleted everything I can think of. I got rid of movies/videos, all downloads, and all music. Still it says I don't have enough space. In fact the red line keeps going up and down: one minute I have 1.98 GB free, then all of a sudden I look again and now I only have 1.18 GB free, and I haven't changed anything. I have followed all your steps; I downloaded the malware and antivirus tools. The antivirus says there are no infected files; the malware scan just had registry files infected. Below is the log report after the malware scan:

Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 6.0.6000

12:16:33 AM 7/21/2008
mbam-log-7-21-2008 (00-16-28).txt

Scan type: Quick Scan
Objects scanned: 35103
Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\fis.amo.1 (Adware.SmartShopper) -> No action taken.
HKEY_CLASSES_ROOT\fis.ohb.1 (Adware.SmartShopper) -> No action taken.
HKEY_CLASSES_ROOT\fis.momo.1 (Adware.SmartShopper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\UpMedia (Adware.SmartShopper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall (Adware.Mirar) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


These are the virus scan results (below):
*
* avast! Report
* This file is generated automatically
*
* Task 'Simple user interface' used
* Started on Wednesday, July 23, 2008 12:31:53 AM
* VPS: 080722-1, 07/22/2008
*

C:\Boot\BCD [E] The process cannot access the file because it is being used by another process (32)
C:\Boot\BCD.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users\Microsoft\Search\Data\Applications\Windows\MSStmp.log [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\sr20cars\AppData\Local\Microsoft\Windows\UsrClass.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\sr20cars\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\sr20cars\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\sr20cars\AppData\Local\Microsoft\Windows Defender\FileTracker\{7FC83B64-0B16-4690-8CB6-1DC36DED776F} [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\sr20cars\AppData\Local\Temp\hsperfdata_sr20cars\1788 [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\sr20cars\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\sr20cars\ntuser.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\sr20cars\ntuser.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\pagefile.sys [E] The process cannot access the file because it is being used by another process (32)
C:\ProgramData\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log [E] The process cannot access the file because it is being used by another process (32)
C:\ProgramData\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log [E] The process cannot access the file because it is being used by another process (32)
C:\ProgramData\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb [E] The process cannot access the file because it is being used by another process (32)
C:\ProgramData\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb [E] The process cannot access the file because it is being used by another process (32)
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log [E] The process cannot access the file because it is being used by another process (32)
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log [E] The process cannot access the file because it is being used by another process (32)
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb [E] The process cannot access the file because it is being used by another process (32)
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb [E] The process cannot access the file because it is being used by another process (32)
C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information\{a2e1043e-585b-11dd-9a63-00114377e83e}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log [E] The process cannot access the file because it is being used by another process (32)
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSStmp.log [E] The process cannot access the file because it is being used by another process (32)
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb [E] The process cannot access the file because it is being used by another process (32)
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Application Data\Microsoft\Windows\UsrClass.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Application Data\Microsoft\Windows\UsrClass.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Application Data\Microsoft\Windows\UsrClass.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Application Data\Microsoft\Windows Defender\FileTracker\{7FC83B64-0B16-4690-8CB6-1DC36DED776F} [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Application Data\Temp\hsperfdata_sr20cars\1788 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Application Data\Temp\IM\MSGB3BE.tmp [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Microsoft\Windows\UsrClass.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Microsoft\Windows Defender\FileTracker\{7FC83B64-0B16-4690-8CB6-1DC36DED776F} [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Temp\hsperfdata_sr20cars\1788 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\AppData\Local\Temp\IM\MSGB3BE.tmp [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\Local Settings\Microsoft\Windows\UsrClass.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\Local Settings\Microsoft\Windows\UsrClass.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\Local Settings\Microsoft\Windows\UsrClass.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\Local Settings\Microsoft\Windows Defender\FileTracker\{7FC83B64-0B16-4690-8CB6-1DC36DED776F} [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\Local Settings\Temp\hsperfdata_sr20cars\1788 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\Local Settings\Temp\IM\MSGB3BE.tmp [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\ntuser.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\sr20cars\ntuser.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun-2B-421CFC91-A93E-42AB-A35C-F06F127FCC44.lock [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\SoftwareDistribution\EventCache\{8A34729A-093E-49C3-9FE5-8C8381C8FAA5}.bin [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\catroot2\edb.log [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\COMPONENTS [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\COMPONENTS.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\COMPONENTS.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\DEFAULT [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\DEFAULT.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\DEFAULT.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\COMPONENTS [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\DEFAULT [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\SAM [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\SECURITY [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\SOFTWARE [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\SYSTEM [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SAM [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SAM.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SAM.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SECURITY [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SECURITY.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SECURITY.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SOFTWARE [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SOFTWARE.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SOFTWARE.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SYSTEM [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SYSTEM.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SYSTEM.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\drivers\sptd.sys [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl [E] Access is denied (5)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl [E] Access is denied (5)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl [E] Access is denied (5)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl [E] Access is denied (5)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl [E] Access is denied (5)
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\Temp\TMP0000004ED093F832B9671463 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\Temp\_avast4_\Webshlock.txt [E] The process cannot access the file because it is being used by another process (32)
Infected files: 0
Total files: 182903
Total folders: 20440
Total size: 109.7 GB

*
* Task stopped: Wednesday, July 23, 2008 6:42:36 AM
* Run-time was 6 hour(s), 10 minute(s), 43 second(s)
*

Here's the HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:07 AM, on 7/23/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\ProgramData\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [zzz_ImInstaller_Magentic] C:\Users\sr20cars\AppData\Local\Temp\ImInstaller\Magentic\magentic_install[1].exe -startup -product Magentic
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 9\LaunchList.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [EPSON Stylus CX4400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE /FU "C:\Windows\TEMP\E_SE7DF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: iWin Desktop Alerts.lnk = C:\ProgramData\iWin Games\DesktopAlerts\DesktopAlerts.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - https://webvpn.usd25...ries/vpnweb.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 7096 bytes

Please help, I have no idea what's wrong or what to do next.
Thanks,
Heather

#2 sarahw (Malware Staff, 2,781 posts)
Hi,

Welcome to the site.

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode, so you will be unable to access this thread at that time.
Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)

#3 sarahw (Malware Staff, 2,781 posts)
Hi,
Click HERE to download SpaceMonger; this will tell you where your free space is used. The latest version is a 30-day trial. There are instructions on the site HERE.
If you need help with this go ahead and ask. Post a screenshot in a reply if you wish.

Can you please run Mbam again:
Uninstall your old version.
Please download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).
Click Scan.
When the scan is complete, click OK, then Show Results to view the results.

If Malware is found...
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt.

In your next reply post the Malwarebytes' Anti-Malware log.

Edited by sarahw, 25 July 2008 - 07:14 PM.

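One way to check a posted Malwarebytes' Anti-Malware log against sarahw's instruction to tick everything and click Remove Selected: this added Python helper (written for this thread; it is not from the forum, the poster or Malwarebytes) parses the log layout shown in post #1 and lists detections still marked "No action taken", as the first log's seven registry keys were. The embedded log is a constructed, abbreviated sample in that layout.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample (abbreviated): a Malwarebytes' Anti-Malware log in the
# layout posted in this thread: a block of "<category>: <count>" summary
# lines, then one section per category listing each detection as
# "<item> (<family>) -> <action>."
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 6.0.6000

Scan type: Quick Scan
Objects scanned: 35103

Memory Processes Infected: 0
Registry Keys Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\UpMedia (Adware.SmartShopper) -> No action taken.
HKEY_LOCAL_MACHINE\\SOFTWARE\\RelatedPageInstall (Adware.Mirar) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    category: str   # e.g. "Registry Keys Infected"
    item: str       # registry key, file or folder path
    family: str     # detection name, e.g. "Adware.Mirar"
    action: str     # what MBAM did, e.g. "No action taken"

    @property
    def remediated(self) -> bool:
        # MBAM only removes items when the user ticks them and clicks
        # "Remove Selected"; otherwise the log records "No action taken".
        return self.action.lower() != "no action taken"


@dataclass
class MbamReport:
    declared: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Parse the summary counts and the per-category detection lists."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            report.declared[m.group("cat")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("cat")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            report.detections.append(
                Detection(section, m.group("item"), m.group("family"), m.group("action")))
    return report


def pending_detections(report: MbamReport) -> List[Detection]:
    """Detections the scan found but did not remove."""
    return [d for d in report.detections if not d.remediated]


def count_mismatches(report: MbamReport) -> Dict[str, Tuple[int, int]]:
    """Categories whose summary count disagrees with the items listed under
    them (a sign the log was truncated or edited when pasted)."""
    found: Dict[str, int] = {}
    for d in report.detections:
        found[d.category] = found.get(d.category, 0) + 1
    return {cat: (n, found.get(cat, 0)) for cat, n in report.declared.items()
            if found.get(cat, 0) != n}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for d in pending_detections(rep):
        print(f"still present: {d.item} [{d.family}]")
    print("count mismatches:", count_mismatches(rep))
```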

#4 nelsonrh (Topic Starter, New Member, 4 posts)
Here is the latest log from the malware scan:
Malwarebytes' Anti-Malware 1.23
Database version: 993
Windows 6.0.6000

9:11:57 PM 7/25/2008
mbam-log-7-25-2008 (21-11-57).txt

Scan type: Quick Scan
Objects scanned: 34208
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Also attached are the results from the SpaceMonger scan.

Thanks,
Heather

Attached thumbnail: spacemonger.jpg

#5 sarahw (Malware Staff, 2,781 posts)
OK, from that picture we can see where all the space is being used.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#6 nelsonrh (Topic Starter, New Member, 4 posts)
OK, here are the results from the latest scans.
ComboFix:
ComboFix 08-07-25.4 - sr20cars 2008-07-25 23:31:16.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.241 [GMT -5:00]
Running from: C:\Users\sr20cars\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\sr20cars\AppData\Roaming\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 20:59 . 2008-07-25 20:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 20:59 . 2008-07-23 20:09 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-07-25 20:59 . 2008-07-23 20:09 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-25 20:16 . 2008-07-25 20:16 <DIR> d-------- C:\Users\sr20cars\AppData\Roaming\SpaceMonger
2008-07-25 20:16 . 2008-07-25 20:16 <DIR> d-------- C:\Program Files\SpaceMonger
2008-07-25 20:16 . 2008-07-25 20:16 4 --a------ C:\Windows\System32\wnsm2i.rdb
2008-07-25 19:28 . 2008-07-25 19:28 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-25 01:49 . 2005-08-25 19:18 118,784 --a------ C:\Windows\System32\MSSTDFMT.DLL
2008-07-25 00:25 . 2008-07-25 00:25 <DIR> d-------- C:\Program Files\Panda Security
2008-07-25 00:25 . 2008-06-19 17:24 28,544 --a------ C:\Windows\System32\drivers\pavboot.sys
2008-07-23 08:37 . 2008-07-23 08:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 02:26 . 2008-06-25 22:22 4,493,312 --a------ C:\Windows\System32\NlsData0416.dll
2008-07-23 02:25 . 2008-06-25 19:34 7,042,560 --a------ C:\Windows\System32\NlsLexicons081a.dll
2008-07-23 02:24 . 2008-06-25 19:33 11,722,752 --a------ C:\Windows\System32\NlsLexicons0001.dll
2008-07-21 00:12 . 2008-07-21 00:12 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-21 00:12 . 2008-05-15 18:18 50,768 --a------ C:\Windows\System32\drivers\aswMonFlt.sys
2008-07-20 21:57 . 2008-07-20 21:57 <DIR> d-------- C:\Users\sr20cars\AppData\Roaming\Malwarebytes
2008-07-20 21:56 . 2008-07-20 21:56 <DIR> d-------- C:\Users\sr20cars\AppData\Roaming\Download Manager
2008-07-20 21:56 . 2008-07-20 21:56 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-20 21:56 . 2008-07-20 21:56 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-20 21:18 . 2008-07-20 21:18 <DIR> d-------- C:\Program Files\CCleaner
2008-07-11 00:47 . 2008-07-11 00:47 <DIR> d-------- C:\Users\All Users\GlobalSCAPE
2008-07-11 00:47 . 2008-07-11 00:47 <DIR> d-------- C:\ProgramData\GlobalSCAPE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 01:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-26 00:32 --------- d-----w C:\Program Files\Java
2008-07-25 16:18 --------- d-----w C:\ProgramData\Google Updater
2008-07-25 05:39 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-25 05:38 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-23 16:50 --------- d-----w C:\Users\sr20cars\AppData\Roaming\LimeWire
2008-07-23 16:28 --------- d-----w C:\Users\sr20cars\AppData\Roaming\Apple Computer
2008-07-21 05:42 --------- d-----w C:\Program Files\MP3 Player Utilities 3.5.02
2008-07-21 02:45 --------- d-----w C:\Program Files\MSBuild
2008-07-21 02:27 --------- d-----w C:\ProgramData\iWin Games
2008-07-21 02:27 --------- d-----w C:\Program Files\iWin Games
2008-07-11 08:14 174 --sha-w C:\Program Files\desktop.ini
2008-07-10 14:15 --------- d-----w C:\ProgramData\HP
2008-07-05 18:53 --------- d-----w C:\Program Files\LimeWire
2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-21 00:36 --------- d-----w C:\Program Files\iWin.com
2008-06-19 01:34 --------- d-----w C:\ProgramData\BVRP Software
2008-06-18 03:57 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-06-18 00:30 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2008-06-18 00:29 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-06-18 00:29 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-06-18 00:29 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-06-18 00:18 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-06-17 22:05 --------- d-----w C:\Program Files\WinSCP3
2008-06-16 02:16 --------- d-----w C:\Program Files\Avanquest update
2008-05-30 03:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-28 04:59 --------- d-----w C:\ProgramData\IM
2008-05-28 04:58 --------- d-----w C:\ProgramData\IncrediMail
2008-05-28 04:58 --------- d-----w C:\Program Files\IncrediMail
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-04-26 08:02 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-09 17:03 374 ----a-w C:\Users\sr20cars\AppData\Roaming\internaldb6334.dat
2007-12-09 16:49 18,432 ----a-w C:\Users\sr20cars\AppData\Roaming\internaldb41.dat
2007-12-09 16:48 555 ----a-w C:\Users\sr20cars\AppData\Roaming\internaldb8467.dat
2007-08-16 03:24 47,360 ----a-w C:\Users\sr20cars\AppData\Roaming\pcouffin.sys
2008-03-28 23:23 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-28 23:23 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-28 23:23 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-08-09 05:09 80 --sh--r C:\Windows\System32\0BC0942A5B.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:07 1232896]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-05-27 08:53 243072]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-08-06 11:12 1192960]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2007-08-06 11:14 1492480]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2007-08-06 11:13 375808]
"EPSON Stylus CX4400 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE" [2007-03-01 07:01 180736]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:34 125440]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 22:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-17 23:36 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 18:19 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-09 22:53:02 124400]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{F39C8932-1C36-4B61-8034-94D7ADEE80E0}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B48E3428-CE3C-482F-8AA7-59185FD8A952}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{8393EFA2-0B37-4226-AD69-A62ADD68F67B}C:\\program files\\bearshare applications\\bearshare\\bearshare.exe"= UDP:C:\program files\bearshare applications\bearshare\bearshare.exe:BearShare
"UDP Query User{086173C2-5243-419B-A771-7832BE561C6A}C:\\program files\\bearshare applications\\bearshare\\bearshare.exe"= TCP:C:\program files\bearshare applications\bearshare\bearshare.exe:BearShare
"TCP Query User{616CEB1F-1944-4040-A5B6-CD9D65614647}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{54847EF0-2EC0-4EB3-8FFF-609335E36AC6}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{D712F36C-E953-4387-86EC-4D5C9F699B0C}"= Disabled:UDP:C:\Users\sr20cars\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\55HDGEJA\magentic_install[1].exe:IncrediMail Installer
"{FF0384A9-6F88-46B4-A6C4-03A7204E2702}"= Disabled:TCP:C:\Users\sr20cars\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\55HDGEJA\magentic_install[1].exe:IncrediMail Installer
"{87DF6FAA-DE08-4DD8-8839-420409B73995}"= Disabled:UDP:C:\Users\sr20cars\AppData\Local\Temp\ImInstaller\Magentic\magentic_install[1].exe:IncrediMail Installer
"{500F748A-B521-4376-BB75-8316CDBE8BF4}"= Disabled:TCP:C:\Users\sr20cars\AppData\Local\Temp\ImInstaller\Magentic\magentic_install[1].exe:IncrediMail Installer
"{4AFBD13B-99A4-4839-8F77-E3C26310610F}"= UDP:C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe:TiVo Beacon Service
"{93DEC20A-7EC8-4FFD-BB59-992A3A7FE9C0}"= TCP:C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe:TiVo Beacon Service
"{67355B55-4FFA-44AC-A2A0-E78C3B531331}"= UDP:C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe:TiVo Transfer Service
"{5B809B11-97D5-41D2-A8B1-D705FF4E9146}"= TCP:C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe:TiVo Transfer Service
"{1F65A557-87FB-4EC7-BD2A-7F8D71CDC2D4}"= UDP:C:\Program Files\TiVo\Desktop\TiVoServer.exe:TiVo Server Service
"{0508E9F6-0993-4276-8B02-D4F80ABF976E}"= TCP:C:\Program Files\TiVo\Desktop\TiVoServer.exe:TiVo Server Service
"{8D3984F3-E3E2-4BBD-A677-D68EF14E1C58}"= UDP:C:\Program Files\TiVo\Desktop\TiVoDesktop.exe:TiVo Desktop User Interface
"{F7A32267-C3EC-4A76-B5B7-51914FB39F83}"= TCP:C:\Program Files\TiVo\Desktop\TiVoDesktop.exe:TiVo Desktop User Interface
"{BEC7F870-11C1-4891-8C6D-0B427D6100F6}"= Disabled:TCP:5353:LocalSubnet:LocalSubnet:mDNS-SD/Bonjour
"{31F50680-F1FE-44CF-8213-D7D467254ADC}"= Disabled:UDP:7288:LocalSubnet:LocalSubnet:TiVo HME Host: Port 7288
"{5ED5C3E4-9203-4C05-92E1-26C7644A4E38}"= Disabled:UDP:7289:LocalSubnet:LocalSubnet:TiVo HME Host: Port 7289
"{2629DC0F-DDF0-4457-B3A2-02F996C50CA6}"= Disabled:UDP:7290:LocalSubnet:LocalSubnet:TiVo HME Host: Port 7290
"{A72DC377-888B-4BED-97A8-5224BD9D8B78}"= Disabled:UDP:7291:LocalSubnet:LocalSubnet:TiVo HME Host: Port 7291
"{29D59549-3E11-410E-8A10-742B1EA4118E}"= Disabled:UDP:7292:LocalSubnet:LocalSubnet:TiVo HME Host: Port 7292
"{0F3729A0-35D2-4ACF-BBF2-27C9A1F15D37}"= Disabled:UDP:7293:LocalSubnet:LocalSubnet:TiVo HME Host: Port 7293
"{BF315EEB-8166-4E8F-A428-17E42E778F06}"= Disabled:UDP:7294:LocalSubnet:LocalSubnet:TiVo HME Host: Port 7294
"{1BF0C371-4A61-4AC3-8C35-C61086985AAA}"= Disabled:UDP:7295:LocalSubnet:LocalSubnet:TiVo HME Host: Port 7295
"{6DC509BD-14B0-4E09-9B72-67D9B69D5B6F}"= Disabled:UDP:7296:LocalSubnet:LocalSubnet:TiVo HME Host: Port 7296
"{5F0265DC-B5D9-416A-A854-A7E37E85AF09}"= Disabled:UDP:7297:LocalSubnet:LocalSubnet:TiVo HME Host: Port 7297
"{D33F4821-6FA0-4E5C-B442-9AA328ED4E2A}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{234E920A-124B-49A9-81AF-C48C0A90411E}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{2C427ACC-1515-4EC2-ACF7-F5E0E10ACC5D}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F4EC9D9C-D86D-44D8-B7DD-89A82B8B5B60}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{C2A675B7-C426-48FA-9A19-622E864D30DF}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{996521D7-AFE4-4756-B6BE-57A56486E021}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"{A31D1B01-44B1-4950-92F6-713B9D355455}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander - Forged Alliance
"{4B77445B-1F4C-4356-871D-B5AFB3FF63DB}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander - Forged Alliance
"TCP Query User{0613621A-00E7-4706-A318-2E2EE0BA147C}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{5611AEA0-45A8-4F7E-9A44-B676A24F7C3A}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{E801FAFE-0C4A-439C-98CE-B6188083EDB8}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{270892C4-D306-4E0F-9FA2-9C5D63E71C34}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{7713FCDC-E986-4AEA-8257-7A158DFEAE60}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{3BF9728F-C920-467B-994C-D0459070F849}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{2622F388-6B78-47D7-B9B1-E6E789435BE0}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe:IncrediMail Installer
"{67B325D0-F163-4F11-A1F3-E679DE94649D}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe:IncrediMail Installer
"{1F830D62-445F-4442-9F09-EFADD4A27D67}"= Disabled:UDP:C:\Users\sr20cars\AppData\Local\Temp\ImInstaller\IncrediMail\IncrediMail_Install.exe:IncrediMail Installer
"{2D2E738E-170A-474C-BF1D-FC7DF4B5BD87}"= Disabled:TCP:C:\Users\sr20cars\AppData\Local\Temp\ImInstaller\IncrediMail\IncrediMail_Install.exe:IncrediMail Installer
"{46903915-D7B2-4028-955A-2A94B4182C9D}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{971C0392-312F-4184-91CC-9C2B1701073B}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{6E1F29B2-9107-40D1-95B5-A55CB43D6DFC}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{EC2BFFC9-D3EA-4E58-9044-9E2D78048239}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{80B21663-0D9E-4F7E-9080-B84341365854}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{20CFBF3C-0720-4BC3-87E7-48D413379495}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-05-15 18:18]
R2 TivoBeacon2;TiVo Beacon;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2007-08-06 11:12]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 02:30]
R3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 02:41]
R3 VSTHWICH;VSTHWICH;C:\Windows\system32\DRIVERS\VSTICH3.SYS [2006-11-02 02:41]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\system32\drivers\mbamswissarmy.sys [2008-07-23 20:09]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys [2007-11-02 15:36]
S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 motport;Motorola USB Diagnostic Port;C:\Windows\system32\DRIVERS\motport.sys [2007-06-18 15:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-07-25 13:13:16 C:\Windows\Tasks\User_Feed_Synchronization-{F65E735A-4253-4BB9-AB4C-E3A0E94EAF52}.job"
- C:\Windows\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LaunchList - C:\Program Files\Pinnacle\Studio 9\LaunchList.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/ig
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://webvpn.usd259.net/CACHE/stc/1/binaries/vpnweb.cab
C:\Windows\Downloaded Program Files\vpnweb.inf
C:\Windows\System32\vpnweb.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 23:35:39
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-25 23:37:24
ComboFix-quarantined-files.txt 2008-07-26 04:37:09

Pre-Run: 212,414,464 bytes free
Post-Run: 232,394,752 bytes free

204 --- E O F --- 2008-07-25 12:16:02



********************************************************************************
*************************************
hijack scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:06 AM, on 7/26/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [EPSON Stylus CX4400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE /FU "C:\Windows\TEMP\E_SE7DF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - https://webvpn.usd25...ries/vpnweb.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 6113 bytes


Thanks for all your help & sorry if I'm being annoying. I'm just really lacking in patience today.
thanks,
heather

#7
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Do you know what this is:
https://webvpn.usd259.net/CACHE/stc/1/binaries/vpnweb.cab
Don't go there if you don't.

1.
Click HERE to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


2.
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Users\sr20cars\AppData\Local\Im\Identities\{A6Ede6Cb-Cb0F-48Ae-Bfe2-64Eccaaa2C95}\Logs\Multiple.log

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


3.
Click HERE and run an online scan with Kaspersky WebScanner
  • Click on Kaspersky Online Scanner
  • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
  • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
    Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information into your next post.

Edited by sarahw, 26 July 2008 - 02:24 AM.
