Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Mbam/Spyware Guard 2008/Backdoor.tidservlinf

Started by Chiña610 , Dec 30 2008 02:06 AM

Please log in to reply

#1
Chiña610

Posted 30 December 2008 - 02:06 AM

Member

Member
11 posts

I hope that I am once again posting in the correct forum. I am new to this and have never been a member in a forum such as this. I am very flustered and very aggravated and VERY close to throwing my desktop out the window!! I have my laptop next to my desktop going back and forth since I can only log onto my home page but cant see certain websites such as this one. So everything I download to my desktop I have to save to my sandisk then put it on my desktop! There are certain pages I can log on too but not this one and certain others.

I have done a Spybot-Search & Destroy scan (caught nothing major), a Ad-Aware SE Professional scan (caught nothing major, just a few things that said poses no threat), ), Norton 360 scan (clean)! Here's the thing last night my Norton indicated (picked up) this backdoor.tidservlinf virus, but today it doesnt indicate that. When it did last night it said Norton couldnt remove it that it had to be done manually. AND since yesterday I have been getting pop ups like crazy and this annoying Spyware Guard 2008 every second installing itself and running. My computer is severely slow and it freezes when turning on or off at times or it just takes forever to shut off or on.

I have followed as per your tut on the forum on the step by step but got stuck with this MBAM not wanting to start.

I have done everything from the start until where it says to install and double click on the mbam.exe. It stated that if it didnt start to rename it with a random name and I tried that a ton of times but still couldnt get it to open so I can install it. I then when online and searched for it downloaded it from download.com and it was able to start. I install but it would freeze before it said finished. BUT I did notice there was a desktop icon as though it had finished installing so I tried clicking it and it wont open! What Im I doing wrong??

Thank you all for your t ime and help!!

Hugs
China

Edited by Chiña610, 30 December 2008 - 02:18 AM.

#2
kahdah

Posted 01 January 2009 - 06:09 PM

GeekU Teacher

Retired Staff
15,822 posts

Hello Chiña610

Welcome to G2Go.

=====================
Please download DDS and save it to your desktop.

Disable any script blocking protection
Double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
============
Download GMER from Here :
Unzip it to the desktop.
Open the folder but before you run it name it to Kahdah before trying to run it.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

#3
Chiña610

Posted 01 January 2009 - 10:05 PM

Member

Topic Starter
Member
11 posts

Hello ... Thank you so much 4 ur help & attention with this matter.

I have done as u said ... but first let me add that I also noticed that I am also getting pop ups of the Antivirus 2009 stating that i have over 200 infections and I see from the forum that this is also a fake anitvirus. One more thing .... once i clicked on the GMER it started automatically then 5 seconds after starting it stopped and a pop up said "warning!!! GMER has found system modifications, which may have been caused by ROOTKIT activity. Do you want to fully scan your system? I clicked on yes .... hope that was ok. Then after it was done it said "Warning!!! GMER has found system modification caused by ROOTKIT activity. i clicked ok because that was the only other thing i could do then i got the txt file.

ok here is what u requested ....

the DDS.txt Below
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DDS (Version 1.1.0) - NTFSx86
Run by User at 19:28:59.78 on Thu 01/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1271 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
Svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
Svchost.exe
Svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\PSIService.exe
Svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\User\Application Data\U3\00001623B2702B00\LaunchPad.exe
C:\Documents and Settings\User\Desktop\DDS.scr

============== Pseudo HJT Report ===============

UStart Page = hxxp://www.optimum.net/optonline
USearch Page = hxxp://internetsearchservice.com
USearch Bar = hxxp://internetsearchservice.com/ie6.HTML
USearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
UDefault_Search_URL = hxxp://internetsearchservice.com
MDefault_Search_URL = hxxp://internetsearchservice.com
MSearch Page = hxxp://internetsearchservice.com
MSearch Bar = hxxp://internetsearchservice.com/ie6.HTML
MSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
UInternet Settings,ProxyOverride = *.local
USearchAssistant = hxxp://internetsearchservice.com
MSearchURL = hxxp://internetsearchservice.com
MSearchAssistant = hxxp://internetsearchservice.com
UURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\AOL\aim toolbar 5.0\aoltb.DLL
UURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.DLL
MURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\AOL\aim toolbar 5.0\aoltb.DLL
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.DLL
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.DLL
BHO: {2F626BA5-2448-4B33-A62B-84DC7F855446} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.DLL
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.DLL
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.DLL
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {2be85966-6d93-9edb-e914-93b918a78517}: {71587a81-9b39-419e-bde9-39d666958eb2} - c:\windows\system32\zxjmah.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: {cc33623f-dbeb-4693-b97d-71f4cae98f7e} - c:\windows\system32\rqRiJyww.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {3BEBF2FE-7248-40E2-9752-8163EB6C4038} - No File
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [spywareguard] c:\program files\spyware guard 2008\spywareguard.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
IE: &Add animation to IncrediMail Style Box - c:\program files\incredimail\bin\resources\WebMenuImg.htm
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: PRISMAPI.DLL - PRISMAPI.DLL
AppInit_DLLs: zxjmah.dll
SSODL: ieModule - {44E0B9F6-F909-4730-A76D-58FCCE4745EE} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
SSODL: InternetConnection - {FDF713DD-7B5D-449E-938C-72FD50E39A52} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\jnmlfqycrj.dll
STS: {8dc71747-ace0-40c1-8947-54f107d0639b} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRiJyww

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 ccProxy;Symantec Network Proxy;"c:\program files\common files\symantec shared\ccProxy.exe" [2008-2-18 214888]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.EXE [2007-12-20 61529]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-16 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081228.020\NAVENG.SYS [2008-12-28 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081228.020\NAVEX15.SYS [2008-12-28 876112]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-12-23 24652]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-22 1245064]

=============== Created Last 30 ================

2009-01-01 15:39 1,307,356 ---sh--- c:\windows\system32\jundlunx.ini
2009-01-01 15:33 133,120 a------- c:\windows\system32\zxjmah.dll
2009-01-01 15:33 133,120 a------- c:\windows\system32\okotsymm.dll
2008-12-31 19:32 1,003,957 a------- c:\windows\sysexplorer.exe
2008-12-31 19:32 134,149 a------- c:\windows\reged.exe
2008-12-31 19:32 51,197 a------- c:\windows\spoolsystem.exe
2008-12-31 19:32 50,620 a------- c:\windows\sys.com
2008-12-31 19:32 47,872 a------- c:\windows\syscert.exe
2008-12-31 19:32 18,941 a------- c:\windows\vmreg.dll
2008-12-31 19:32 384,000 a------- c:\windows\system32\winscenter.exe
2008-12-31 01:16 <DIR> --d----- c:\program files\Spyware Guard 2008
2008-12-30 02:14 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2008-12-30 02:14 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2008-12-30 02:14 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2008-12-30 02:14 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2008-12-30 02:14 8,704 a------- c:\windows\system32\kbdjpn.dll
2008-12-30 02:14 8,192 a------- c:\windows\system32\kbdkor.dll
2008-12-30 02:14 6,144 a------- c:\windows\system32\kbd101c.dll
2008-12-30 02:14 5,632 a------- c:\windows\system32\kbd103.dll
2008-12-30 02:14 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2008-12-30 02:14 6,144 a------- c:\windows\system32\kbd101b.dll
2008-12-30 02:14 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2008-12-30 02:14 6,144 a------- c:\windows\system32\kbd106.dll
2008-12-30 02:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 02:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 02:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 02:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-30 01:44 1,307,934 ---sh--- c:\windows\system32\gqhdgrya.ini
2008-12-30 01:42 133,120 a------- c:\windows\system32\vaovtj.dll
2008-12-30 01:42 133,120 a------- c:\windows\system32\wjjfnwvi.dll
2008-12-30 01:29 1,307,934 ---sh--- c:\windows\system32\tmdmgkje.ini
2008-12-30 01:29 89,088 a------- c:\windows\system32\ejkgmdmt.dll
2008-12-30 01:26 133,120 a------- c:\windows\system32\qgdtuo.dll
2008-12-30 01:26 133,120 a------- c:\windows\system32\uwkhkqhd.dll
2008-12-29 18:14 <DIR> --d----- c:\program files\trend micro
2008-12-29 02:12 <DIR> --d----- c:\program files\Panda Security
2008-12-29 01:27 1,306,974 ---sh--- c:\windows\system32\wmwpuwks.ini
2008-12-29 01:24 29,189 a------- c:\docume~1\alluse~1\applic~1\svhost.exe
2008-12-29 01:21 133,120 a------- c:\windows\system32\wxfyan.dll
2008-12-29 01:21 133,120 a------- c:\windows\system32\lghvpmlo.dll
2008-12-29 01:12 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2008-12-28 18:16 <DIR> --d----- C:\VundoFix Backups
2008-12-27 22:30 133,120 a------- c:\windows\system32\osugxu.dll
2008-12-27 22:30 133,120 a------- c:\windows\system32\wfpsujhy.dll
2008-12-27 22:27 1,306,974 ---sh--- c:\windows\system32\sslyivxh.ini
2008-12-27 19:27 0 a------- c:\windows\system32\mcrh.tmp
2008-12-27 06:11 <DIR> --d----- c:\program files\Enigma Software Group
2008-12-27 02:50 672,980 a--sh--- c:\windows\system32\wwyJiRqr.ini2
2008-12-27 02:50 0 a--sh--- c:\windows\system32\wwyJiRqr.ini
2008-12-27 02:50 285,696 a------- c:\windows\system32\rqRiJyww.dll
2008-12-27 02:45 52,224 a------- c:\windows\system32\mLEvVNEX.dll.vir
2008-12-25 08:42 5,504 ac------ c:\windows\system32\dllcache\mstee.sys
2008-12-25 08:42 5,504 a------- c:\windows\system32\drivers\MSTEE.sys
2008-12-25 08:40 37,760 a------- c:\windows\system32\drivers\Capt905c.sys
2008-12-25 08:40 25,216 a------- c:\windows\system32\drivers\Camd905c.sys
2008-12-25 08:40 <DIR> --d----- c:\program files\DB CIF Cam
2008-12-19 07:58 268,648 a------- c:\windows\system32\mucltui.dll
2008-12-19 07:58 27,496 a------- c:\windows\system32\mucltui.dll.mui
2008-12-15 12:42 <DIR> --d----- c:\docume~1\user\applic~1\WinWay
2008-12-15 12:40 <DIR> --d----- c:\program files\WinWay Resume

==================== Find3M ====================

2008-12-25 19:18 8,086 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2008-08-26 22:26 0 ac------ c:\program files\temp01
2008-01-01 19:14 168 ---shr-- c:\windows\system32\99D38AC8B7.sys
2008-08-28 18:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 19:30:49.54 ===============

GMER.txt Below

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-01 22:59:39
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT 89834710 ZwConnectPort

Code E1BE6FA8 ZwEnumerateKey
Code E1C97048 ZwFlushInstructionCache
Code B219EEAB pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP E1C9704C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 5 Bytes JMP E1BE6FAC

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] kernel32.dll!VirtualProtect + 1C 7C801AF0 7 Bytes JMP 04960034
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 049600B8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 0496013F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DA000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00D9000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1500] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DB000A
.text C:\WINDOWS\explorer.exe[1736] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CD000A
.text C:\WINDOWS\explorer.exe[1736] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00CC000A
.text C:\WINDOWS\explorer.exe[1736] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CE000A
.text C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe[2616] psapi.dll!EnumProcessModules 76BF1EF4 5 Bytes JMP 0114CE00 C:\WINDOWS\system32\rqRiJyww.dll

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\TDSSmhxt.sys (*** hidden *** ) B219D000-B21AF000 (73728 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:580 B219FD66

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\TDSSmhxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSofxh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSStkdv.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSofxh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSStkdv.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 82
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] v300
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 1

---- EOF - GMER 1.0.14 ----

Attached Files

Attach.txt 13.65KB 464 downloads

#4
kahdah

Posted 02 January 2009 - 07:09 AM

GeekU Teacher

Retired Staff
15,822 posts

Hi all of that was fine you do have a rootkit present on your system.

Note please let your computer reboot if it needs to multiple times to remove the rootkit.
==================
1. Please download The Avenger2 by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
TDSSserv.sys 

Files to delete:
C:\WINDOWS\system32\drivers\TDSSmhxt.sys 
C:\WINDOWS\system32\TDSSofxh.dll
C:\WINDOWS\system32\TDSSosvd.dat
C:\WINDOWS\system32\TDSSnrsr.dll
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSScfum.dll
C:\WINDOWS\system32\TDSSlxwp.dll
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSsihc.dll
C:\WINDOWS\system32\TDSSrhym.log
C:\WINDOWS\system32\TDSStkdv.log
c:\program files\temp01
c:\windows\system32\wwyJiRqr.ini2
c:\windows\system32\wwyJiRqr.ini
c:\windows\system32\rqRiJyww.dll
c:\windows\system32\mLEvVNEX.dll.vir
c:\windows\system32\osugxu.dll
c:\windows\system32\wfpsujhy.dll
c:\windows\system32\sslyivxh.ini
c:\windows\system32\wmwpuwks.ini
c:\docume~1\alluse~1\applic~1\svhost.exe
c:\windows\system32\lghvpmlo.dll
c:\windows\system32\gqhdgrya.ini
c:\windows\system32\vaovtj.dll
c:\windows\system32\wjjfnwvi.dll
c:\windows\system32\tmdmgkje.ini
c:\windows\system32\ejkgmdmt.dll
c:\windows\system32\qgdtuo.dll
c:\windows\system32\uwkhkqhd.dll
c:\windows\system32\jundlunx.ini
c:\windows\system32\zxjmah.dll
c:\windows\system32\okotsymm.dll
c:\windows\sysexplorer.exe
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\vmreg.dll
c:\windows\system32\winscenter.exe
c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\jnmlfqycrj.dll

FOlders to delete:
c:\program files\temp01
c:\program files\Spyware Guard 2008


Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Right click on the window under Input script here:, and select Paste.
You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh dds log and a new Gmer log.

#5
Chiña610

Posted 03 January 2009 - 01:05 AM

Member

Topic Starter
Member
11 posts

Thanks again,

Here are the items u requested.

avenger.txt below
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.sys" not found!
Deletion of driver "TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmhxt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmhxt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSofxh.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSofxh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\TDSSosvd.dat" deleted successfully.

Error: file "C:\WINDOWS\system32\TDSSnrsr.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSnrsr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSriqp.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSriqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSScfum.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\TDSSlxwp.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\TDSSnmxh.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSsihc.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSsihc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSrhym.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSSrhym.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\TDSStkdv.log" deleted successfully.
File "c:\program files\temp01" deleted successfully.
File "c:\windows\system32\wwyJiRqr.ini2" deleted successfully.
File "c:\windows\system32\wwyJiRqr.ini" deleted successfully.
File "c:\windows\system32\rqRiJyww.dll" deleted successfully.

Error: file "c:\windows\system32\mLEvVNEX.dll.vir" not found!
Deletion of file "c:\windows\system32\mLEvVNEX.dll.vir" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\osugxu.dll" not found!
Deletion of file "c:\windows\system32\osugxu.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\wfpsujhy.dll" not found!
Deletion of file "c:\windows\system32\wfpsujhy.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\sslyivxh.ini" deleted successfully.
File "c:\windows\system32\wmwpuwks.ini" deleted successfully.

Error: file "c:\docume~1\alluse~1\applic~1\svhost.exe" not found!
Deletion of file "c:\docume~1\alluse~1\applic~1\svhost.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\lghvpmlo.dll" not found!
Deletion of file "c:\windows\system32\lghvpmlo.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\gqhdgrya.ini" deleted successfully.

Error: file "c:\windows\system32\vaovtj.dll" not found!
Deletion of file "c:\windows\system32\vaovtj.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\wjjfnwvi.dll" not found!
Deletion of file "c:\windows\system32\wjjfnwvi.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\tmdmgkje.ini" deleted successfully.

Error: file "c:\windows\system32\ejkgmdmt.dll" not found!
Deletion of file "c:\windows\system32\ejkgmdmt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\qgdtuo.dll" not found!
Deletion of file "c:\windows\system32\qgdtuo.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\uwkhkqhd.dll" not found!
Deletion of file "c:\windows\system32\uwkhkqhd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\jundlunx.ini" deleted successfully.

Error: file "c:\windows\system32\zxjmah.dll" not found!
Deletion of file "c:\windows\system32\zxjmah.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\okotsymm.dll" not found!
Deletion of file "c:\windows\system32\okotsymm.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\sysexplorer.exe" deleted successfully.
File "c:\windows\reged.exe" deleted successfully.
File "c:\windows\spoolsystem.exe" deleted successfully.
File "c:\windows\sys.com" deleted successfully.
File "c:\windows\syscert.exe" deleted successfully.
File "c:\windows\vmreg.dll" deleted successfully.

Error: file "c:\windows\system32\winscenter.exe" not found!
Deletion of file "c:\windows\system32\winscenter.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\jnmlfqycrj.dll" deleted successfully.

Error: folder "c:\program files\temp01" not found!
Deletion of folder "c:\program files\temp01" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\program files\Spyware Guard 2008" deleted successfully.

Error: registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

dds.txt below
~~~~~~~~~~~~~~~~~~~~~
DDS (Version 1.1.0) - NTFSx86
Run by User at 1:39:19.08 on Sat 01/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1403 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Documents and Settings\User\Desktop\DDS\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.optimum.net/optonline
uSearch Page = hxxp://internetsearchservice.com
uSearch Bar = hxxp://internetsearchservice.com/ie6.html
uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uDefault_Search_URL = hxxp://internetsearchservice.com
mDefault_Search_URL = hxxp://internetsearchservice.com
mSearch Page = hxxp://internetsearchservice.com
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://internetsearchservice.com
mSearchURL = hxxp://internetsearchservice.com
mSearchAssistant = hxxp://internetsearchservice.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e6446ee-6477-41b7-a458-fd4e929b20ff} - c:\windows\system32\rqRiJyww.dll
BHO: {2F626BA5-2448-4B33-A62B-84DC7F855446} - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {3BEBF2FE-7248-40E2-9752-8163EB6C4038} - No File
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
IE: &Add animation to IncrediMail Style Box - c:\program files\incredimail\bin\resources\WebMenuImg.htm
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: PRISMAPI.DLL - PRISMAPI.DLL
SSODL: ieModule - {44E0B9F6-F909-4730-A76D-58FCCE4745EE} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
SSODL: InternetConnection - {FDF713DD-7B5D-449E-938C-72FD50E39A52} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\jnmlfqycrj.dll
STS: {8dc71747-ace0-40c1-8947-54f107d0639b} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRiJyww

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-2 40840]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-2 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-2 81288]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 ccProxy;Symantec Network Proxy;"c:\program files\common files\symantec shared\ccProxy.exe" [2008-2-18 214888]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.EXE [2007-12-20 61529]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-2 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-2 1079176]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-12-23 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-16 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20090102.025\NAVENG.SYS [2009-1-2 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20090102.025\NAVEX15.SYS [2009-1-2 876112]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-22 1245064]

=============== Created Last 30 ================

2009-01-02 20:11 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-02 20:11 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-02 20:11 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-02 20:11 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-02 20:10 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-02 02:55 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2008-12-30 02:14 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2008-12-30 02:14 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2008-12-30 02:14 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2008-12-30 02:14 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2008-12-30 02:14 8,704 a------- c:\windows\system32\kbdjpn.dll
2008-12-30 02:14 8,192 a------- c:\windows\system32\kbdkor.dll
2008-12-30 02:14 6,144 a------- c:\windows\system32\kbd101c.dll
2008-12-30 02:14 5,632 a------- c:\windows\system32\kbd103.dll
2008-12-30 02:14 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2008-12-30 02:14 6,144 a------- c:\windows\system32\kbd101b.dll
2008-12-30 02:14 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2008-12-30 02:14 6,144 a------- c:\windows\system32\kbd106.dll
2008-12-30 02:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 18:14 <DIR> --d----- c:\program files\trend micro
2008-12-29 02:12 <DIR> --d----- c:\program files\Panda Security
2008-12-29 01:12 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2008-12-28 18:16 <DIR> --d----- C:\VundoFix Backups
2008-12-27 19:27 0 a------- c:\windows\system32\mcrh.tmp
2008-12-27 06:11 <DIR> --d----- c:\program files\Enigma Software Group
2008-12-25 08:42 5,504 ac------ c:\windows\system32\dllcache\mstee.sys
2008-12-25 08:42 5,504 a------- c:\windows\system32\drivers\MSTEE.sys
2008-12-25 08:40 37,760 a------- c:\windows\system32\drivers\Capt905c.sys
2008-12-25 08:40 25,216 a------- c:\windows\system32\drivers\Camd905c.sys
2008-12-25 08:40 <DIR> --d----- c:\program files\DB CIF Cam
2008-12-19 07:58 268,648 a------- c:\windows\system32\mucltui.dll
2008-12-19 07:58 27,496 a------- c:\windows\system32\mucltui.dll.mui
2008-12-15 12:42 <DIR> --d----- c:\docume~1\user\applic~1\WinWay
2008-12-15 12:40 <DIR> --d----- c:\program files\WinWay Resume

==================== Find3M ====================

2008-12-25 19:18 8,086 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2008-01-01 19:14 168 ---shr-- c:\windows\system32\99D38AC8B7.sys
2008-08-28 18:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 1:40:10.57 ===============

GMER.txt below
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-03 02:00:47
Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.14 ----

Attached Files

Attach.txt 13.78KB 338 downloads

#6
kahdah

Posted 03 January 2009 - 07:34 AM

GeekU Teacher

Retired Staff
15,822 posts

Looks better Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

#7
Chiña610

Posted 04 January 2009 - 02:39 AM

Member

Topic Starter
Member
11 posts

Hello Kahdah,

Thank u .... here is the info u requested!

MBAM.txt below
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes' Anti-Malware 1.31
Database version: 1609
Windows 5.1.2600 Service Pack 3

1/4/2009 3:27:07 AM
mbam-log-2009-01-04 (03-27-07).txt

Scan type: Quick Scan
Objects scanned: 63286
Time elapsed: 6 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 20
Registry Data Items Infected: 14
Folders Infected: 8
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0bd44ab1-76a7-4e05-92f4-4b065fe72bd6} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3bebf2fe-7248-40e2-9752-8163eb6c4038} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\UAV (Rogue.UltimateAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{3bebf2fe-7248-40e2-9752-8163eb6c4038} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{3bebf2fe-7248-40e2-9752-8163eb6c4038} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{8dc71747-ace0-40c1-8947-54f107d0639b} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\InternetConnection (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ieModule (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearc...com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearc...com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearc...ce.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearc...q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearc...ce.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearc...q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\377186 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080822000841328.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080822000959250.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080822001155390.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080822143151421.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080822161201921.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080822165029703.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080822221849578.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

#8
kahdah

Posted 04 January 2009 - 07:19 AM

GeekU Teacher

Retired Staff
15,822 posts

You are welcome

=============
Please click here to download AVP Tool by Kaspersky.

Save it to your desktop.
Reboot your computer into SafeMode.

You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight SafeMode then hit enter.
Double click the setup file to run it.
Click Next to continue.
It will by default install it to your desktop folder.Click Next.
Hit ok at the prompt for scanning in Safe Mode.
It will then open a box There will be a tab that says Automatic scan.
Under Automatic scan make sure these are checked.

System Memory
Startup Objects
Disk Boot Sectors.
My Computer.
Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

Then click on Scan at the to right hand Corner.
It will automatically Neutralize any objects found.
If some objects are left un-neutralized then click the button that says Neutralize all
If it says it cannot be Neutralized then chooose The delete option when prompted.
After that is done click on the reports button at the bottom and save it to file name it Kas.
Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

#9
Chiña610

Posted 05 January 2009 - 01:01 AM

Member

Topic Starter
Member
11 posts

Ok .. Hi Kahdah

I started this scan at 3:40 pm Sunday afternoon and it just ended at 1:57 am! LOL WOW!
It did detect 2 trojans ...

Here is what u requested.

Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.WMA.GetCodec.r File: C:\Documents and Settings\User\My Documents\boriqua anthem robi robs.mp3
deleted: Trojan program Trojan-Downloader.WMA.GetCodec.r File: C:\Documents and Settings\User\My Documents\movie soundtrack august rush.mp3

Thank you Kahdah for your time and help, my PC seems to be running smoothly, however I cant do an update once I reinstalled my Spy Doctor. It wont run unless it updates.

Edited by Chiña610, 05 January 2009 - 01:03 AM.

#10
kahdah

Posted 05 January 2009 - 07:05 AM

GeekU Teacher

Retired Staff
15,822 posts

DO you have a paid subscription for SPyware Doctor if not then don't use that program.
MalwareBytes does a much better job at removing infections and detecting them than SPyware Doctor plus SPyware Doctor runs heavy on the system's resources.
It also may be an issue with their server trying to connect to your computer.

Let's see a new Hijackthis log and let me know of any remaining issues.

#11
Chiña610

Posted 05 January 2009 - 10:56 AM

Member

Topic Starter
Member
11 posts

Hi Kahdah ...

No I do not have a paid subscription. I have been using the free version.
I will no longer use it then, I had no idea that it took a toll on my PC.

Can I ask u ... how bad is it to go on to MySpace from ur PC? I ask because my oldest son and some of his friends use the PC to go onto MySpace, and I have heard that MySpace can cause trouble's. I do not know how true this is but was wondering. I had to uninstall LimeWare a while back when he first installed it. I heard that too was bad for my PC.

How often should I run MalwareBytes? Can u advise as to what kind of weekly or monthly maintenance I should do to my PC?

Thank you for all of your time and help Kahdah!! I appreciate all that you and all the helpers do to help people like me with major/minor PC problems.

I also have a friend that has a HP laptop that has some kind of trouble. She said it is only 6 months old and she is having trouble with it. She might bring it to me so that I can have a look at it, and I am sure I will be on here again asking questions, lol. If that is ok.

Anyhoot here is what u requested ....

HiJack This txt below
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:56 AM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optimum.net/optonline
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E6446EE-6477-41B7-A458-FD4E929B20FF} - C:\WINDOWS\system32\rqRiJyww.dll (file missing)
O2 - BHO: (no name) - {2F626BA5-2448-4B33-A62B-84DC7F855446} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://www.worldwinn...mines/mines.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecu...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198171268663
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1229566731421
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v57/wof/wof.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinn...h/dinerdash.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinn.../familyfeud.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10518 bytes

#12
kahdah

Posted 05 January 2009 - 07:24 PM

GeekU Teacher

Retired Staff
15,822 posts

Can I ask u ... how bad is it to go on to MySpace from ur PC? I ask because my oldest son and some of his friends use the PC to go onto MySpace, and I have heard that MySpace can cause trouble's. I do not know how true this is but was wondering. I had to uninstall LimeWare a while back when he first installed it. I heard that too was bad for my PC.

Myspace can be bad at times but no generally speaking it is a legitimate site.
Limewire on the other hand is no good for anyone it has nothing but viruses and spyware as people attach infected files and hence they infect your computer as well so anyone sharing songs using that program will get infected.

How often should I run MalwareBytes? Can u advise as to what kind of weekly or monthly maintenance I should do to my PC?

I recommend at least a weekly full scan with your Antivirus and Malwarebytes make sure to update it before running each.

Thank you for all of your time and help Kahdah!! I appreciate all that you and all the helpers do to help people like me with major/minor PC problems.

I also have a friend that has a HP laptop that has some kind of trouble. She said it is only 6 months old and she is having trouble with it. She might bring it to me so that I can have a look at it, and I am sure I will be on here again asking questions, lol. If that is ok.

You are welcome and sure that is fine we are here to help

=============
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {1E6446EE-6477-41B7-A458-FD4E929B20FF} - C:\WINDOWS\system32\rqRiJyww.dll (file missing)
O2 - BHO: (no name) - {2F626BA5-2448-4B33-A62B-84DC7F855446} - (no file)

Now click on Fix Checked and then close Hijackthis.
=================
AFter that please go to Start then Control Panel.
Then remove Viewpoint
Then exit the Control Panel.

Reboot and delete this Folder.
C:\Program Files\Viewpoint.
=============================
Cleanup:

Please download OT CLeanit from Here save it to your desktop.
Double click on OT Clean it to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
===============
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11...allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform: "Windows".
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

======================
Delete\uninstall anything else that we have used.

Including this folder C:\Rsit

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingc...143.html#manual
=====================================
After that your log is clean.

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

#13
Chiña610

Posted 06 January 2009 - 10:49 PM

Member

Topic Starter
Member
11 posts

Hi Kahdah ...

Thank you so much for your help and time, and for answering my question's.

Ok I have done as instructed.
However my IE kept freezing and had to keep closing.

I also got a pop up window title ::

"Microsoft Visual C++ Runtime Library"

Program:c/program files/internet explorer/emplore.exe
R6025
-pure virtual function call

I have no idea what that meant.

My son went onto Facebook and it happened on there a few times.
Don't know if that had anything to do with it, but since I am not
familiar with MySpace & or FaceBook I keep thinking it is him and these
web sites, lol. Poor kid I keep blaming him and his web sites. BUT he
knows I keep freaking out out my computer since I do use it mostly
to work Ican not afford anything to happen to it where it will no longer work.

I will download Spybot again since I am familiar with it. Will it hurt to have
them all or should I just have one. Which do you recommend and what would you
use?

Thanks again.

Edited by Chiña610, 06 January 2009 - 11:01 PM.

#14
Chiña610

Posted 07 January 2009 - 12:22 AM

Member

Topic Starter
Member
11 posts

BTW I just downloaded SpyBot Search & Destroy and it detected a few things which surprised me because I thought I was completely clean!

Here is what it found:::

DoubleClick
FastClick
Fraud.Antivirus2008
MediaPlex
Right Media
WebTrends Live
Zedo

I clicked to fix selected.
I ran it again and got the "DoubleClick" again.
I clicked to fix it.

I also ran ad-aware se and it picked up 15 negligible items.
Looked like all cookies.

#15
kahdah

Posted 07 January 2009 - 07:33 AM

GeekU Teacher

Retired Staff
15,822 posts

That is fine all those are just cookies and left over registry entries.
Noi active threats are left.

That is an error within Internet Explorer.

Please post a topic here > http://www.geekstogo...-Email-f26.html they will be better able to fix that issue.

After that you are good to go.