• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Aquarock

Wareout Infection/Web Search Redirection Assistance

10 posts in this topic

I have run all the programs listed on the "Hijacked Users-Start here, Seriously-READ THIS POST FIRST" post for Coolwebsearch, shredder, Spybot, and Trend Micro but I am still being redirected to numerous websites after clicking on the links provided through a Google, Yahoo, or MSN type search. I'm running WinXP, and IE7.

 

One of the IPs I am being bounced off of is 67.29.139.220....so I also read the post for fixing this done by Mr.NiceGuy on Nov. 18th, 2006 (sinec he listed that same IP) as it seems I am having the same redirection issue, but the fixes mentioned are not working for me.

 

Here is my HijackThis! log....can anyone help me figure this out as it would be greatly appreciated.

 

_____________________________________________________________________________________

 

Logfile of HijackThis v1.99.1

Scan saved at 10:25:07 AM, on 4/22/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

C:\WINDOWS\system32\ctfmon.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

C:\Program Files\SimpleCenter\SimpleCenter.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\SiteAdvisor\6066\SAService.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Doug\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [{D65E53CB-26AA-4776-A0F7-1AF89B1EAF02}] D:\FpcSetup.exe C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: SimpleCenter.lnk = C:\Program Files\SimpleCenter\SimpleCenter.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.com/activex/HMAtchmt.ocx

O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Hi -

 

Thank you for your patience.

 

However, your HijackThis log was posted on April 22nd, so please post a new HijackThis log.

Share this post


Link to post
Share on other sites

Hi Aquarock,

 

Welcome to SpywareInfo! :wave:

 

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

 

OK, here’s what we do first.

 

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

 

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O4 - HKLM\..\Run: [{D65E53CB-26AA-4776-A0F7-1AF89B1EAF02}] D:\FpcSetup.exe C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

 

Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

 

Then please exit HijackThis.

 

 

NEXT:

 

Please download OTMoveIt by OldTimer:

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
     
    C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini
    C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp
     
     
  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:
     
    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
     
    Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

 

NEXT:

 

Please download and save F-Secure BlackLight to your desktop.

  • Click the I Accept button at the bottom of the page.
  • Download the Blacklight Beta graphical user interface version.
  • Double-click the fsbl.exe program that you downloaded to run BlackLight.
  • Click Scan -> Next.
  • After the scan you'll see a list of all items found. Please click Next and then Exit. Do NOT choose to rename any items yet! I need to see the log first, because legitimate items can also be present there...
  • A log will be created on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)
  • Please post the contents of the log in your next reply.

 

NEXT:

 

Please download CCleaner (freeware) and save it to your desktop:

  1. Run the CCleaner installer.
  2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the Windows tab.
  4. Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.

[*]Then, click the Applications tab:

  • UNCHECK everything there.

[*]Next, click the Options button, then click the Advanced button:

  • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".

[*]Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

 

 

NEXT:

 

Please download ComboFix by sUBs:

 

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

 

NEXT:

 

Please do an online scan with Kaspersky Online Scanner:

  1. Click on Kaspersky Online Scanner.
  2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded click on Next.
  5. Now click on Scan Settings.
  6. In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases

[*]Click OK.

[*]Now under select a target to scan:

  • Select My Computer.

[*]This program will start and scan your system.

[*]The scan will take a while so be patient and let it run.

[*]Once the scan is complete it will display if your system has been infected.

  • Now click on the Save Report As button.
  • In the File name: field, type kavscan.
  • In the Save as type: field, select Text file (*.txt).

[*]Save the file to your desktop.

[*]Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from OTMoveIt.
  2. The log from the BlackLight scan.
  3. The log from the ComboFix scan.
  4. The log from the Kaspersky scan.
  5. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

 

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

Share this post


Link to post
Share on other sites

Hi Aquarock,

 

Welcome to SpywareInfo! :wave:

 

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

 

OK, here’s what we do first.

 

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

 

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O4 - HKLM\..\Run: [{D65E53CB-26AA-4776-A0F7-1AF89B1EAF02}] D:\FpcSetup.exe C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

Thanks Sempurna! While it took a very long time to run everything...no problems occured with your directions. Here are all my log files as you requested:

 

 

 

Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

 

Then please exit HijackThis.

 

 

NEXT:

 

Please download OTMoveIt by OldTimer:

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
     
    C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini
    C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp
     
     
  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:
     
    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
     
    Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

 

NEXT:

 

Please download and save F-Secure BlackLight to your desktop.

  • Click the I Accept button at the bottom of the page.
  • Download the Blacklight Beta graphical user interface version.
  • Double-click the fsbl.exe program that you downloaded to run BlackLight.
  • Click Scan -> Next.
  • After the scan you'll see a list of all items found. Please click Next and then Exit. Do NOT choose to rename any items yet! I need to see the log first, because legitimate items can also be present there...
  • A log will be created on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)
  • Please post the contents of the log in your next reply.

NEXT:

 

Please download CCleaner (freeware) and save it to your desktop:

  1. Run the CCleaner installer.
  2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the Windows tab.
  4. Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.

[*]Then, click the Applications tab:

  • UNCHECK everything there.

[*]Next, click the Options button, then click the Advanced button:

  • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".

[*]Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

 

 

NEXT:

 

Please download ComboFix by sUBs:

 

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

 

NEXT:

 

Please do an online scan with Kaspersky Online Scanner:

  1. Click on Kaspersky Online Scanner.
  2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded click on Next.
  5. Now click on Scan Settings.
  6. In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases

[*]Click OK.

[*]Now under select a target to scan:

  • Select My Computer.

[*]This program will start and scan your system.

[*]The scan will take a while so be patient and let it run.

[*]Once the scan is complete it will display if your system has been infected.

  • Now click on the Save Report As button.
  • In the File name: field, type kavscan.
  • In the Save as type: field, select Text file (*.txt).

[*]Save the file to your desktop.

[*]Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from OTMoveIt.
  2. The log from the BlackLight scan.
  3. The log from the ComboFix scan.
  4. The log from the Kaspersky scan.
  5. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

 

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

 

Thanks Sempurna! Here are my log files as you requested. Took awhile, but no problems occured while running everything.

 

OTMoveIT Results:

 

File/Folder C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini not found.

File/Folder C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp not found.

 

Created on 05/08/2007 08:35:13

 

F-Secure Blacklight Results:

 

05/08/07 08:38:00 [info]: BlackLight Engine 1.0.61 initialized

05/08/07 08:38:00 [info]: OS: 5.1 build 2600 (Service Pack 2)

05/08/07 08:38:01 [Note]: 7019 4

05/08/07 08:38:01 [Note]: 7005 0

05/08/07 08:38:04 [Note]: 7006 0

05/08/07 08:38:05 [Note]: 7011 3904

05/08/07 08:38:05 [Note]: 7026 0

05/08/07 08:38:05 [Note]: 7026 0

05/08/07 08:38:24 [Note]: FSRAW library version 1.7.1021

05/08/07 08:46:47 [info]: Hidden file: c:\WINDOWS\system32\kdwbc.exe

05/08/07 08:46:47 [Note]: 7002 32

05/08/07 08:46:47 [Note]: 7003 1

05/08/07 08:46:47 [Note]: 10002 1

05/08/07 08:49:44 [Note]: 7007 0

 

Combo Fix Results:

 

"Doug" - 2007-05-08 8:57:00 Service Pack 2

ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\Doug\Desktop\"

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

C:\WINDOWS\system32\bszip.dll

C:\WINDOWS\system32\kdwbc.exe

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))

 

2007-05-08 08:52 <DIR> d-------- C:\Program Files\CCleaner

2007-04-22 22:06 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-04-22 22:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic

2007-04-22 22:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc

2007-04-22 11:16 <DIR> d-------- C:\Program Files\InterMute

2007-04-22 10:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-04-10 19:11 <DIR> d-------- C:\Program Files\DellSupport

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-04-26 21:54:33 -------- d-----w C:\DOCUME~1\Doug\APPLIC~1.\AdobeUM

2007-04-20 17:57:56 -------- d-----w C:\Program Files\Windows Media Connect 2

2007-04-20 17:56:49 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-04-19 19:50:26 -------- d-----w C:\DOCUME~1\Doug\APPLIC~1.\SiteAdvisor

2007-04-19 05:04:54 -------- d-----w C:\Program Files\SiteAdvisor

2007-04-11 00:25:51 -------- d--h--w C:\DOCUME~1\Doug\APPLIC~1.\Gtek

2007-03-24 13:34:41 -------- d-----w C:\Program Files\McAfee

2007-03-20 23:41:17 -------- d-----w C:\Program Files\Palm

2007-03-20 23:37:53 -------- d-----w C:\Program Files\Microsoft ActiveSync

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-11 16:27:16 -------- d-----w C:\Program Files\McAfee.com

2007-03-11 16:16:37 -------- d-----w C:\Program Files\Common Files\McAfee

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

"{089FD14D-132B-48FC-8861-0048AE113215}"="C:\Program Files\SiteAdvisor\6066\SiteAdv.dll"

"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"

"{5CA3D70E-1895-11CF-8E15-001234567890}"="C:\WINDOWS\system32\dla\tfswshx.dll"

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll"

"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"="c:\program files\mcafee\virusscan\scriptcl.dll"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""

"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"

"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""

"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"

"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"

"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"

@=""

"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"

"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"

"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"

"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6066\\SiteAdv.exe"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages msv1_0\0\0

Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages scecli\0\0

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

 

 

 

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter HTTPFilter\0\0

LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService DnsCache\0\0

DcomLaunch DcomLaunch\0TermService\0\0

rpcss RpcSs\0\0

imgsvc StiSvc\0\0

termsvcs TermService\0\0

WudfServiceGroup WUDFSvc\0\0

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (COMPUTER-Rachel).job

C:\WINDOWS\tasks\McDefragTask.job

C:\WINDOWS\tasks\McQcTask.job

 

********************************************************************

 

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-08 09:06:26

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

********************************************************************

Completion time: 2007-05-08 9:08:45 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-05-08 09:08

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Tuesday, May 08, 2007 11:21:08 AM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 8/05/2007

Kaspersky Anti-Virus database records: 315467

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

 

Scan Statistics:

Total number of scanned objects: 82175

Number of viruses found: 1

Number of infected objects: 2 / 0

Number of suspicious objects: 0

Duration of the scan process: 01:44:14

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{3708290B-FAE6-46B7-8954-9BEA5ABFB6CB}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{FAC817C9-15B6-4E6D-B6D1-1520E236D4C5}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Doug\Application Data\$_hpcst$.hpc Object is locked skipped

C:\Documents and Settings\Doug\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped

C:\Documents and Settings\Doug\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped

C:\Documents and Settings\Doug\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped

C:\Documents and Settings\Doug\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped

C:\Documents and Settings\Doug\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped

C:\Documents and Settings\Doug\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Temp\hsperfdata_Doug\2940 Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Temp\JET906A.tmp Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Temp\me_0RfdFO Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Temp\me_AUkpwOt0qnejrC3 Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Temp\me_HxRrCnjBt Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Temp\me_pHkfalF3JzM1oc9 Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Temp\WCESLog.log Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Temp\~ROMFN_00000CF0 Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Doug\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Doug\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Doug\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\KODAK\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped

C:\Program Files\KODAK\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\L0000069.FCS Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped

C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped

C:\Program Files\SimpleCenter\simplecenter.log Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\kdwbc.exe.vir Infected: Trojan.Win32.DNSChanger.iu skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP718\A0029862.exe Infected: Trojan.Win32.DNSChanger.iu skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP718\change.log Object is locked skipped

C:\WINDOWS\BWKDLogs\BWTargetInf.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcafee_as7xGTlST0mJcHW Object is locked skipped

C:\WINDOWS\Temp\mcafee_JsvORgGNU7MI3zh Object is locked skipped

C:\WINDOWS\Temp\mcmsc_3GT6cjbh5rPZVI2 Object is locked skipped

C:\WINDOWS\Temp\mcmsc_IlFmDSSvAzd8UEZ Object is locked skipped

C:\WINDOWS\Temp\mcmsc_j7QoU10E5ZiZBFS Object is locked skipped

C:\WINDOWS\Temp\mcmsc_VGN5n2XLXIH2axL Object is locked skipped

C:\WINDOWS\Temp\mcmsc_vmTsJkGRzF94oCP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan process completed.

Share this post


Link to post
Share on other sites

Oops....forgot to add my updated HijackThis! log....here it is:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:28:50 AM, on 5/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

C:\Program Files\SimpleCenter\SimpleCenter.exe

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\SiteAdvisor\6066\SAService.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\Documents and Settings\Doug\Desktop\HijackThis.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - Startup: SimpleCenter.lnk = C:\Program Files\SimpleCenter\SimpleCenter.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.com/activex/HMAtchmt.ocx

O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

Share this post


Link to post
Share on other sites

Hi Aquarock, :wave:

 

Things appear to have cleaned up nicely. :)

 

How are things running now? Any persistent problems or suspicious behaviour on your machine that I should know about?

Share this post


Link to post
Share on other sites

Hi Aquarock, :wave:

 

Things appear to have cleaned up nicely. :)

 

How are things running now? Any persistent problems or suspicious behaviour on your machine that I should know about?

 

 

It seems to be working properly now. I am assuming that those infected files shown by the Kaspersky scan were properly quarentined? Or do I need to run my virus scan or anything else to ensure everything is good?

 

Thanks again SOOO much Sempurna!!! :wave:

Share this post


Link to post
Share on other sites

Hi Aquarock, :wave:

 

You’re most welcome, Aquarock. I’m glad to hear that things are running better now. :)

 

No worries about what Kaspersky found. One was in the quarantine folder of ComboFix, and the other is an inactive system restore file. Both don’t pose any danger to your system.

 

Just some loose ends to tie up, and then we can let you go home. :)

 

To create a new system restore point:

  • Go to Start Menu -> All Programs -> Accessories -> System Tools -> System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create.
  • When the confirmation screen shows the restore point has been created click Close.
  • Then go to Start -> Run and type CLEANMGR.
  • Disk Cleanup will open and start calculating the amount of space that can be freed.
  • Once that’s finished it will open the Disk Cleanup options screen, click the More Options tab.
  • Click Clean Up in the System Restore section and choose Yes at the confirmation window.

This will remove all previous restore points except the newly created one.

 

 

NEXT:

 

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:

  • CLICK HERE to download the offline installer.
    • Select Java Runtime Environment (JRE) 6u1 and click the Download button to the right.
    • Check the box that says Accept License Agreement.
    • Click on the link to download Windows Offline Installation, Multi-language.
    • Save the file to your desktop.

    [*]Next, uninstall your currently installed version from Add/Remove Programs.

    [*]If you have older versions listed uninstall them also. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.

    [*]Examples of older versions in Add/Remove Programs:

    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2

    [*]Reboot your system.

    [*]Install the new version by double-clicking on the file you downloaded.

 

NEXT:

 

Everything looks great --- your HijackThis log appears to be clean. :)

 

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.
     
     
  • Firewall (a must!)
    It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.
     
     
  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.
     
     
  • SpywareBlaster
    This is a great FREE prevention tool to keep nasties from installing on your system.
    Tutorial: How to use!
     
     
  • IE-SPYAD
    This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Tutorial: How to use!
     
     
  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
    Tutorial: How to use!
     
     
  • Ad-Aware SE
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy compliment each other very well.
    Tutorial: How to use!
     
     
  • AVG Anti-Spyware
    This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
    User Manual: How to use!
     
     
  • SUPERAntiSpyware
    This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware compliment each other very well.
    Quick Guide: How to use!

Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

 

Hopefully this should take care of your problems! Good luck! :D

Share this post


Link to post
Share on other sites

Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0