Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

ismini.exe and ishost.exe

Started by italiansass , Oct 18 2006 10:42 PM

  • Please log in to reply

#1
italiansass
Posted 18 October 2006 - 10:42 PM

italiansass

    New Member

  • Member
  • Pip
  • 7 posts
okay here it goes, two weeks ago my bro came down and decided to look up [bleep]...since then ive been having issues. serious issues, pop ups, ff running slow and redirecting. so i ran scans using spybot, adaware se, nod32, avg antispyware, reg mecanic, ccleaner, and a few others. last night i ran a scan using avg antispyware, found over 45 threats, and 200 files infected. today ran it again, found like 20 threats. removed them. but today i look in my task manager and i see ismini.exe and ishost.exe which i thought i had removed using, smitrem. apparently not. im also having problems in safe mode, i can restart in safe mode with no problems, but i don't see any icons, or start button. however i can use task manager to go to proggies. Any help would be usefull. pposted below is my hijack this log. i have also used stinger260, avastclnr for scans.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Desktop\Y!mLite2\YmLite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DVDFab Platinum\DVDFabExpress.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\elaina\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.c...=...ga&.intl=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2005\\Parser.html
O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\Desktop\Y!mLite2\ymlite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{314CEF97-D3EB-470F-8EAC-FC1A213C1800}: NameServer = 208.11.162.8 208.6.37.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{314CEF97-D3EB-470F-8EAC-FC1A213C1800}: NameServer = 208.11.162.8 208.6.37.8
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
thank you
  • 0

Advertisements

#2
Wizard
Posted 19 October 2006 - 03:29 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi italiansass and Welcome to GeekstoGo!


Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.


Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


After posting smitfiles.txt,Please download Combofix to your desktop.
http://download.blee...Bs/combofix.exe

Doubleclick combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply.
  • 0

#3
italiansass
Posted 19 October 2006 - 05:37 AM

italiansass

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Okay I restarted in safe mode, ran smitRem, which I had already done but must of somehow got the same malware again. And I also ran combofix. Follows are the logs for both of those and hijack this again. Also I noticed while in safe mode, explorer.exe won't run. I tried to go to new task to run it and it won't run. Also noticed that every time I restart my computer my desktop settings change.


LOG FOR COMBOFIX

C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{340297BA-0958-1033-1202-030512200001}
C:\Program Files\Common Files\{D40297BA-0958-1033-1202-030512200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\nopdb.exe
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\?icrosoft.NET
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\?icrosoft.NET\ctxad-494.0000
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\?icrosoft.NET\ctxad-494.0001
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\?icrosoft.NET\ctxad-494.0002
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\?icrosoft.NET\ctxad-494.0003


((((((((((((((((((((((((((((((( Files Created from 2006-09-19 to 2006-10-19 ))))))))))))))))))))))))))))))))))


2006-10-18 00:22 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-10-15 16:04 553,794 ---hs---- C:\WINDOWS\SYSTEM32\wvvwa.bak2
2006-10-15 02:34 168,110 --a------ C:\LSPRegBackup_15102006_023406.REG
2006-10-15 02:33 11,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pxscrmbl.sys
2006-10-14 19:27 567,940 ---hs---- C:\WINDOWS\SYSTEM32\wvvwa.ini2
2006-10-12 23:59 143,380 --a------ C:\WINDOWS\SYSTEM32\qcfbbykm.exe
2006-10-12 23:58 98,324 --a------ C:\WINDOWS\SYSTEM32\uflfbcnr.dll
2006-10-12 23:57 532,097 ---hs---- C:\WINDOWS\SYSTEM32\wvvwa.bak1
2006-10-12 22:48 684,084 ---hs---- C:\WINDOWS\SYSTEM32\awvvw.dll
2006-10-12 20:04 21,661 --a------ C:\WINDOWS\SYSTEM32\ssttq.dll
2006-10-12 19:45 627,561 --a------ C:\WINDOWS\SYSTEM32\vtsqn.dll
2006-10-12 19:39 18,432 --a------ C:\WINDOWS\SYSTEM32\wincqt32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-19 07:30 -------- d-------- C:\Program Files\Common Files
2006-10-19 07:23 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-19 00:41 -------- d-------- C:\Documents and Settings\elaina\Application Data\Vso
2006-10-19 00:26 -------- d-------- C:\Program Files\DVDFab Platinum
2006-10-19 00:23 -------- d-------- C:\Documents and Settings\elaina\Application Data\dvdcss
2006-10-18 17:48 -------- d-------- C:\Program Files\Oberon Media
2006-10-18 17:48 -------- d-------- C:\Program Files\Jasc Software Inc
2006-10-18 17:47 -------- d-------- C:\Program Files\DVD Shrink
2006-10-18 14:46 -------- d-------- C:\Documents and Settings\elaina\Application Data\Lavasoft
2006-10-18 06:20 -------- d-------- C:\Program Files\Bazooka Scanner
2006-10-18 01:10 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-18 00:22 -------- d-------- C:\Program Files\Grisoft
2006-10-17 22:23 -------- d-------- C:\Program Files\Webroot
2006-10-15 15:52 -------- d-------- C:\Program Files\Registry Mechanic
2006-10-13 16:55 120 --a------ C:\Documents and Settings\elaina\Application Data\FixVTS.ini
2006-10-13 14:03 -------- d-------- C:\Program Files\CCleaner
2006-10-12 19:38 -------- d-------- C:\Program Files\Acala DVD Copy
2006-10-12 18:47 -------- d-------- C:\Program Files\Paltalk Messenger
2006-10-12 18:46 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-12 18:45 -------- d-------- C:\Program Files\Elaborate Bytes
2006-10-12 18:45 -------- d-------- C:\Program Files\AIM
2006-10-12 18:45 -------- d-------- C:\Documents and Settings\elaina\Application Data\Aim
2006-10-11 14:36 -------- d-------- C:\Program Files\Collectorz.com
2006-10-09 00:35 -------- d-------- C:\Program Files\PokerStars.NET
2006-10-04 22:41 -------- d-------- C:\Documents and Settings\elaina\Application Data\Wildfire
2006-09-25 16:47 -------- d-------- C:\Program Files\Lexico
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-06 15:59 69632 --a------ C:\WINDOWS\SYSTEM32\Clifford Uninstall.exe
2006-08-28 15:22 -------- d-------- C:\Program Files\PgcEdit
2006-08-28 15:20 -------- d-------- C:\Program Files\RipIt4Me
2006-08-28 15:14 -------- d-------- C:\Documents and Settings\elaina\Application Data\RipIt4Me
2006-08-25 11:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-16 07:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://image.com.com...f/1f/11050.jpg"
"SubscribedURL"="http://image.com.com...f/1f/11050.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,56,00,00,00,78,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,32,03,41,c0,b4,74,50,ab,da,03,68,de,32,03,20,6d,\
32,03,2a,e8,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"location"="Common Startup"
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MBShell.lnk]
"backup"="C:\\WINDOWS\\pss\\MBShell.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Mediabee\\src\\ui\\MBShell.exe \"C:\\Program Files\\Mediabee\\src\\ui\\initPage.html\""
"item"="MBShell"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpeedUpMyPC.lnk]
"backup"="C:\\WINDOWS\\pss\\SpeedUpMyPC.lnkCommon Startup"
"location"="Common Startup"
"item"="SpeedUpMyPC"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WITN 7 First Alert.lnk]
"backup"="C:\\WINDOWS\\pss\\WITN 7 First Alert.lnkCommon Startup"
"location"="Common Startup"
"item"="WITN 7 First Alert"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^elaina^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^elaina^Start Menu^Programs^Startup^OpenOffice.org 1.1.3.lnk]
"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 1.1.3.lnkStartup"
"location"="Startup"
"item"="OpenOffice.org 1.1.3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^elaina^Start Menu^Programs^Startup^WordWeb.lnk]
"backup"="C:\\WINDOWS\\pss\\WordWeb.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\WordWeb\\wweb32.exe "
"item"="WordWeb"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DAP"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mnyexpr"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monopoly3.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MONOPO~1"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PXConsole"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyHunter"
"hkey"="HKLM"
"command"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvw
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincqt32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\ISP signup reminder 1.job

Completion time: 06-10-19 7:31:59.93
C:\ComboFix.txt ... 06-10-19 07:31



LOG FOR SMITREM

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

XP Firewall allowed access

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\WITN 7 First Alert\\TrueWeather.exe"="C:\\Program Files\\Common Files\\WITN 7 First Alert\\TrueWeather.exe:*:Enabled:TrueWeather"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger"
"C:\\Program Files\\Y!mLite\\YmLite.exe"="C:\\Program Files\\Y!mLite\\YmLite.exe:*:Enabled:YmLite"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Documents and Settings\\elaina\\Desktop\\incredimail_install.exe"="C:\\Documents and Settings\\elaina\\Desktop\\incredimail_install.exe:*:Enabled:IncrediMail Installer"
"C:\\Program Files\\YPOPs\\ypops.exe"="C:\\Program Files\\YPOPs\\ypops.exe:*:Enabled:Free POP3/SMTP access to Yahoo! Mail"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Documents and Settings\\elaina\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\elaina\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"="C:\\Program Files\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\mIRC\\mirc5.91w_autoget\\mirc32.exe"="C:\\Program Files\\mIRC\\mirc5.91w_autoget\\mirc32.exe:*:Enabled:mIRC"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

ishost.exe
ismini.exe


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~



~~~ Wininet.dll ~~~

CLEAN! :whistling:




LOG FOR HIJACK THIS


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\elaina\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.c...=...ga&.intl=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2005\\Parser.html
O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\Desktop\Y!mLite2\ymlite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{314CEF97-D3EB-470F-8EAC-FC1A213C1800}: NameServer = 208.11.162.8 208.6.37.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{314CEF97-D3EB-470F-8EAC-FC1A213C1800}: NameServer = 208.11.162.8 208.6.37.8
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Thank You
  • 0

#4
italiansass
Posted 19 October 2006 - 11:46 AM

italiansass

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Also I decided to add my log for AVG Antispyware as well. I scanned again this morning with it and it found nothing, but just a few minutes ago I got online and it started to find malware on my computer? It suggested I ignore it? However I cleaned it and quarantined it. Thank You.

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:29:26 PM 10/18/2006

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d869742a-e5d2-4624-96c7-aae26170665e} -> Adware.HQVideoCodec : Cleaned.
HKU\S-1-5-21-1811473998-1143356744-532545738-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D869742A-E5D2-4624-96C7-AAE26170665E} -> Adware.HQVideoCodec : Cleaned.
HKU\S-1-5-21-1811473998-1143356744-532545738-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP56\A0040716.dll -> Adware.Searchcolours : Cleaned.
C:\Program Files\Common Files\{340297BA-0958-1033-1202-030512200001}\MyToolBar.dll -> Adware.Softomate : Cleaned.
C:\Program Files\Common Files\{D40297BA-0958-1033-1202-030512200001}\Update.exe -> Adware.Softomate : Cleaned.
C:\Program Files\Common Files\{D40297BA-0958-1033-1202-030512200001}\services.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\A0040642.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\A0040646.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\A0040647.exe -> Adware.Softomate : Cleaned.
[2228] C:\Program Files\Common Files\{D40297BA-0958-1033-1202-030512200001}\Update.exe -> Adware.Softomate : Cleaned.
C:\Documents and Settings\elaina\Application Data\EasyOffice\Mail\EasyMail -> Adware.Systemdoctor : Cleaned.
C:\WINDOWS\SYSTEM32\byxuusp.dll -> Adware.Virtumonde : Cleaned.
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\A0040648.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\Documents and Settings\elaina\Desktop\Downloads\DVD TOOLS.rar/DVDREMAK. PRO.2.6.4.Cracked\DvdReMake Pro_ttdown.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined).
C:\Program Files\mIRC\mirc5.91w_autoget\download\DVD TOOLS.rar/DVDREMAK. PRO.2.6.4.Cracked\DvdReMake Pro_ttdown.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP59\A0043091.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined).
C:\Program Files\Peanuts\My Shared Folder\31.03.IncrediMail.Premium.v1874.zip/crack.exe -> Trojan.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP59\A0043090.exe -> Trojan.Agent.jh : Cleaned with backup (quarantined).
  • 0

#5
Wizard
Posted 19 October 2006 - 02:43 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Looks like we are just beginning here,Id like you to take the time and clean up all this stuff laying around from Limewire and mIrc that appears to be infected to some degree.

Basically,if you downloaded software,cracks or whatever from either of these and are presently using the apps,your going to get reinfected constantly.

The more you get infected,the more risk you take for something really nasty to happen.


C:\Documents and Settings\elaina\Desktop\Downloads\DVD TOOLS.rar/DVDREMAK. PRO.2.6.4.Cracked\DvdReMake Pro_ttdown.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined).

C:\Program Files\mIRC\mirc5.91w_autoget\download\DVD TOOLS.rar/DVDREMAK. PRO.2.6.4.Cracked\DvdReMake Pro_ttdown.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined).

C:\Program Files\Peanuts\My Shared Folder\31.03.IncrediMail.Premium.v1874.zip/crack.exe -> Trojan.Agent.jh : Cleaned with backup (quarantined).



The above being understood,lets move on.


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.



Restart in Safe Mode once more and Scan fresh with ComboFix.


Post back with C:\vundofix.txt--> ComboFix.txt and a fresh HijackThis log.
  • 0

#6
italiansass
Posted 19 October 2006 - 09:23 PM

italiansass

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Okay I did as you suggested. Also when i restarted in safe mode, my desktop was back. That surprised me. And I'm thankfull. Okay here are the logs for combo, vundo and hijack this. Also ran avg in safe mode but it was clean so there was no log for that.

COMBO LOG
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{340297BA-0958-1033-1202-030512200001}
C:\Program Files\Common Files\{D40297BA-0958-1033-1202-030512200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\nopdb.exe
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\?icrosoft.NET
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\?icrosoft.NET\ctxad-494.0000
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\?icrosoft.NET\ctxad-494.0001
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\?icrosoft.NET\ctxad-494.0002
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET\?icrosoft.NET\ctxad-494.0003


((((((((((((((((((((((((((((((( Files Created from 2006-09-19 to 2006-10-19 ))))))))))))))))))))))))))))))))))


2006-10-19 13:40 67,604 --a------ C:\WINDOWS\SYSTEM32\degfdgen.exe
2006-10-18 00:22 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-10-15 02:34 168,110 --a------ C:\LSPRegBackup_15102006_023406.REG
2006-10-15 02:33 11,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pxscrmbl.sys
2006-10-12 20:04 21,661 --a------ C:\WINDOWS\SYSTEM32\ssttq.dll
2006-10-12 19:45 627,561 --a------ C:\WINDOWS\SYSTEM32\vtsqn.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-19 21:20 -------- d-------- C:\Program Files\Common Files
2006-10-19 21:16 -------- d-------- C:\Documents and Settings\elaina\Application Data\Vso
2006-10-19 20:49 -------- d-------- C:\Program Files\DVDFab Platinum
2006-10-19 20:48 -------- d-------- C:\Documents and Settings\elaina\Application Data\dvdcss
2006-10-19 20:10 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-19 19:57 -------- d-------- C:\Program Files\BitLord
2006-10-19 13:40 -------- d-------- C:\Documents and Settings\elaina\Application Data\SearchToolbarCorp
2006-10-18 17:48 -------- d-------- C:\Program Files\Oberon Media
2006-10-18 17:48 -------- d-------- C:\Program Files\Jasc Software Inc
2006-10-18 17:47 -------- d-------- C:\Program Files\DVD Shrink
2006-10-18 14:46 -------- d-------- C:\Documents and Settings\elaina\Application Data\Lavasoft
2006-10-18 06:20 -------- d-------- C:\Program Files\Bazooka Scanner
2006-10-18 01:10 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-18 00:22 -------- d-------- C:\Program Files\Grisoft
2006-10-17 22:23 -------- d-------- C:\Program Files\Webroot
2006-10-15 15:52 -------- d-------- C:\Program Files\Registry Mechanic
2006-10-13 16:55 120 --a------ C:\Documents and Settings\elaina\Application Data\FixVTS.ini
2006-10-13 14:03 -------- d-------- C:\Program Files\CCleaner
2006-10-12 19:38 -------- d-------- C:\Program Files\Acala DVD Copy
2006-10-12 18:47 -------- d-------- C:\Program Files\Paltalk Messenger
2006-10-12 18:46 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-12 18:45 -------- d-------- C:\Program Files\Elaborate Bytes
2006-10-12 18:45 -------- d-------- C:\Program Files\AIM
2006-10-12 18:45 -------- d-------- C:\Documents and Settings\elaina\Application Data\Aim
2006-10-11 14:36 -------- d-------- C:\Program Files\Collectorz.com
2006-10-09 00:35 -------- d-------- C:\Program Files\PokerStars.NET
2006-10-04 22:41 -------- d-------- C:\Documents and Settings\elaina\Application Data\Wildfire
2006-09-25 16:47 -------- d-------- C:\Program Files\Lexico
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-06 15:59 69632 --a------ C:\WINDOWS\SYSTEM32\Clifford Uninstall.exe
2006-08-28 15:22 -------- d-------- C:\Program Files\PgcEdit
2006-08-28 15:20 -------- d-------- C:\Program Files\RipIt4Me
2006-08-28 15:14 -------- d-------- C:\Documents and Settings\elaina\Application Data\RipIt4Me
2006-08-25 11:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-16 07:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://image.com.com...f/1f/11050.jpg"
"SubscribedURL"="http://image.com.com...f/1f/11050.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,56,00,00,00,78,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,32,03,41,c0,b4,74,50,ab,da,03,68,de,32,03,20,6d,\
32,03,2a,e8,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{0E24427B-DF2A-40EB-980B-A819F5FF3DD0}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"location"="Common Startup"
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MBShell.lnk]
"backup"="C:\\WINDOWS\\pss\\MBShell.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Mediabee\\src\\ui\\MBShell.exe \"C:\\Program Files\\Mediabee\\src\\ui\\initPage.html\""
"item"="MBShell"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpeedUpMyPC.lnk]
"backup"="C:\\WINDOWS\\pss\\SpeedUpMyPC.lnkCommon Startup"
"location"="Common Startup"
"item"="SpeedUpMyPC"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WITN 7 First Alert.lnk]
"backup"="C:\\WINDOWS\\pss\\WITN 7 First Alert.lnkCommon Startup"
"location"="Common Startup"
"item"="WITN 7 First Alert"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^elaina^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^elaina^Start Menu^Programs^Startup^OpenOffice.org 1.1.3.lnk]
"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 1.1.3.lnkStartup"
"location"="Startup"
"item"="OpenOffice.org 1.1.3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^elaina^Start Menu^Programs^Startup^WordWeb.lnk]
"backup"="C:\\WINDOWS\\pss\\WordWeb.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\WordWeb\\wweb32.exe "
"item"="WordWeb"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DAP"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mnyexpr"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monopoly3.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MONOPO~1"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PXConsole"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyHunter"
"hkey"="HKLM"
"command"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggebxy

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\ISP signup reminder 1.job

Completion time: 06-10-19 21:21:05.65
C:\ComboFix.txt ... 06-10-19 21:21
C:\ComboFix2.txt ... 06-10-19 07:32


HIJACK THIS LOG

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\elaina\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.c...=...ga&.intl=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\uflfbcnr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{340297BA-0958-1033-1202-030512200001}\MyToolBar.dll (file missing)
O2 - BHO: (no name) - {E3E60325-313E-4F91-AFD9-EC8F687FE666} - C:\WINDOWS\system32\awvvw.dll (file missing)
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{340297BA-0958-1033-1202-030512200001}\MyToolBar.dll (file missing)
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2005\\Parser.html
O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\Desktop\Y!mLite2\ymlite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: hggebxy - hggebxy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe




VUNDO FIX LOG

VundoFix V6.2.6

Checking Java version...

Scan started at 8:18:42 PM 10/19/2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\uflfbcnr.dll
C:\WINDOWS\SYSTEM32\wincqt32.dll
C:\WINDOWS\SYSTEM32\qcfbbykm.exe
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\uflfbcnr.dll
C:\WINDOWS\SYSTEM32\uflfbcnr.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wincqt32.dll
C:\WINDOWS\SYSTEM32\wincqt32.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qcfbbykm.exe
C:\WINDOWS\SYSTEM32\qcfbbykm.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\wvvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\wvvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.tmp
C:\WINDOWS\system32\wvvwa.tmp Has been deleted!

Performing Repairs to the registry.
Done!


Okay and by you saying that apparently we are going to have a lot of work to do, is that a bad thing. Because I have been scanning with everything repeatedly here lately and its not finding nothing. But I'll do anything you suggest because I can't afford to take my computer anywhere nor can I afford to lose my computer. So thank you in advance.

Elaina
  • 0

#7
Wizard
Posted 20 October 2006 - 01:41 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
So far so good,there was just more than I was expecting.

For your own safety I suggest removing Limewire and all its associated folders from the System.


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\uflfbcnr.dll (file missing)

O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{340297BA-0958-1033-1202-030512200001}\MyToolBar.dll (file missing)

O2 - BHO: (no name) - {E3E60325-313E-4F91-AFD9-EC8F687FE666} - C:\WINDOWS\system32\awvvw.dll (file missing)

O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{340297BA-0958-1033-1202-030512200001}\MyToolBar.dll (file missing)

O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll (file missing)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab

O20 - Winlogon Notify: hggebxy - hggebxy.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button

  • Double-click VundoFix.exe to run it again.
  • Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entries below into the open boxes
    • C:\WINDOWS\SYSTEM32\degfdgen.exe
    • C:\WINDOWS\SYSTEM32\ssttq.dll
    • C:\WINDOWS\SYSTEM32\vtsqn.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot,allow the computer to reboot and VundoFix to load.

Just add the very same files as before and Click Remove Vundo.


After posting those 2 logs,Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

  • 0

#8
italiansass
Posted 20 October 2006 - 11:55 AM

italiansass

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Okay at first was having a little problem removing those files using vundo, kept saying bad file. But I got it to work...Here are the logs for it.

VUNDO LOG

Beginning removal...

Attempting to delete c:/windows/system32/degfdgen.exe
c:/windows/system32/degfdgen.exe Could not be deleted.

Attempting to delete c:/windows/system32/vtsqn.dll
c:/windows/system32/vtsqn.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:/windows/system32/degfdgen.exe
c:/windows/system32/degfdgen.exe Could not be deleted.

Attempting to delete c:/windows/system32/degfdgen.exe
c:/windows/system32/degfdgen.exe Could not be deleted.

Attempting to delete c:/windows/system32/degfdgen.exe
c:/windows/system32/degfdgen.exe Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\degfdgen.exe
C:\WINDOWS\SYSTEM32\degfdgen.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ssttq.dll
C:\WINDOWS\SYSTEM32\ssttq.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\vtsqn.dll
C:\WINDOWS\SYSTEM32\vtsqn.dll Has been deleted!

Performing Repairs to the registry.
Done!


HIJACKTHIS LOG

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\elaina\Desktop\Downloads\HijackThis.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.c...=...ga&.intl=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2005\\Parser.html
O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\Desktop\Y!mLite2\ymlite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{314CEF97-D3EB-470F-8EAC-FC1A213C1800}: NameServer = 208.11.162.8 208.6.37.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{314CEF97-D3EB-470F-8EAC-FC1A213C1800}: NameServer = 208.11.162.8 208.6.37.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{314CEF97-D3EB-470F-8EAC-FC1A213C1800}: NameServer = 208.11.162.8 208.6.37.8
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Here are these two logs and I will post the log for fsecure scanner when it is done scanning. thank you
  • 0

#9
italiansass
Posted 20 October 2006 - 02:08 PM

italiansass

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Ummm, for some reason i can't do the f secure online scanner... Says something about admin rights and IE...I don't know bc I have admin rights on this here computer.
  • 0

#10
Wizard
Posted 20 October 2006 - 02:51 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hmmm,try this one.

Please run the Bit Defender Online Scan
http://www.bitdefend...m/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report in generates in a text format please and post it back here
  • 0

#11
italiansass
Posted 21 October 2006 - 09:13 AM

italiansass

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Okay Bit defender had a problem with the uploading the virus definitions so I'm going to try Trend Micro would that be okay. Or panda...
  • 0

#12
Wizard
Posted 22 October 2006 - 05:25 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
What version of XP is this,Home or Pro?

Download this little tool
http://www.downloads...g/VX2Finder.exe

Run the tool and Click on "Restore Policy" and Restart the Machine.

Try the F-Secure scan once more and tell me if you get the same message as before.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP