Jump to content


Photo

Wareout Infection/Web Search Redirection Assistance


  • This topic is locked This topic is locked
9 replies to this topic

#1 Aquarock

Aquarock

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 22 April 2007 - 12:50 PM

I have run all the programs listed on the "Hijacked Users-Start here, Seriously-READ THIS POST FIRST" post for Coolwebsearch, shredder, Spybot, and Trend Micro but I am still being redirected to numerous websites after clicking on the links provided through a Google, Yahoo, or MSN type search. I'm running WinXP, and IE7.

One of the IPs I am being bounced off of is 67.29.139.220....so I also read the post for fixing this done by Mr.NiceGuy on Nov. 18th, 2006 (sinec he listed that same IP) as it seems I am having the same redirection issue, but the fixes mentioned are not working for me.

Here is my HijackThis! log....can anyone help me figure this out as it would be greatly appreciated.

_____________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 10:25:07 AM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\SimpleCenter\SimpleCenter.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Doug\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [{D65E53CB-26AA-4776-A0F7-1AF89B1EAF02}] D:\FpcSetup.exe C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SimpleCenter.lnk = C:\Program Files\SimpleCenter\SimpleCenter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay10...ex/HMAtchmt.ocx
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,523 posts

Posted 25 April 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 waterfalls

waterfalls

    Malware Exorcist

  • Retired Staff
  • PipPipPipPip
  • 359 posts

Posted 01 May 2007 - 12:15 AM

Hi -

Thank you for your patience.

However, your HijackThis log was posted on April 22nd, so please post a new HijackThis log.
Take only memories, leave nothing but footprints.
 

#4 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 01 May 2007 - 12:25 AM

Hi Aquarock,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, hereís what we do first.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\..\Run: [{D65E53CB-26AA-4776-A0F7-1AF89B1EAF02}] D:\FpcSetup.exe C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini
    C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Please download and save F-Secure BlackLight to your desktop.
  • Click the I Accept button at the bottom of the page.
  • Download the Blacklight Beta graphical user interface version.
  • Double-click the fsbl.exe program that you downloaded to run BlackLight.
  • Click Scan -> Next.
  • After the scan you'll see a list of all items found. Please click Next and then Exit. Do NOT choose to rename any items yet! I need to see the log first, because legitimate items can also be present there...
  • A log will be created on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)
  • Please post the contents of the log in your next reply.

NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the Windows tab.
  • Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  • Then, click the Applications tab:
    • UNCHECK everything there.
  • Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.
CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you donít know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please do an online scan with Kaspersky Online Scanner:
  • Click on Kaspersky Online Scanner.
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer.
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from OTMoveIt.
  • The log from the BlackLight scan.
  • The log from the ComboFix scan.
  • The log from the Kaspersky scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#5 Aquarock

Aquarock

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 08 May 2007 - 11:40 AM

Hi Aquarock,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, hereís what we do first.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\..\Run: [{D65E53CB-26AA-4776-A0F7-1AF89B1EAF02}] D:\FpcSetup.exe C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Thanks Sempurna! While it took a very long time to run everything...no problems occured with your directions. Here are all my log files as you requested:



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download OTMoveIt by OldTimer:

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini
    C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Please download and save F-Secure BlackLight to your desktop.
  • Click the I Accept button at the bottom of the page.
  • Download the Blacklight Beta graphical user interface version.
  • Double-click the fsbl.exe program that you downloaded to run BlackLight.
  • Click Scan -> Next.
  • After the scan you'll see a list of all items found. Please click Next and then Exit. Do NOT choose to rename any items yet! I need to see the log first, because legitimate items can also be present there...
  • A log will be created on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)
  • Please post the contents of the log in your next reply.
NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the Windows tab.
  • Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  • Then, click the Applications tab:
    • UNCHECK everything there.
  • Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.
CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you donít know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please do an online scan with Kaspersky Online Scanner:
  • Click on Kaspersky Online Scanner.
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer.
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from OTMoveIt.
  • The log from the BlackLight scan.
  • The log from the ComboFix scan.
  • The log from the Kaspersky scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.


Thanks Sempurna! Here are my log files as you requested. Took awhile, but no problems occured while running everything.

OTMoveIT Results:

File/Folder C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp\settings.ini not found.
File/Folder C:\DOCUME~1\Doug\LOCALS~1\Temp\GLF25.tmp not found.

Created on 05/08/2007 08:35:13

F-Secure Blacklight Results:

05/08/07 08:38:00 [Info]: BlackLight Engine 1.0.61 initialized
05/08/07 08:38:00 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/08/07 08:38:01 [Note]: 7019 4
05/08/07 08:38:01 [Note]: 7005 0
05/08/07 08:38:04 [Note]: 7006 0
05/08/07 08:38:05 [Note]: 7011 3904
05/08/07 08:38:05 [Note]: 7026 0
05/08/07 08:38:05 [Note]: 7026 0
05/08/07 08:38:24 [Note]: FSRAW library version 1.7.1021
05/08/07 08:46:47 [Info]: Hidden file: c:\WINDOWS\system32\kdwbc.exe
05/08/07 08:46:47 [Note]: 7002 32
05/08/07 08:46:47 [Note]: 7003 1
05/08/07 08:46:47 [Note]: 10002 1
05/08/07 08:49:44 [Note]: 7007 0

Combo Fix Results:

"Doug" - 2007-05-08 8:57:00 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\Doug\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\kdwbc.exe

((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))

2007-05-08 08:52 <DIR> d-------- C:\Program Files\CCleaner
2007-04-22 22:06 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-22 22:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-04-22 22:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-04-22 11:16 <DIR> d-------- C:\Program Files\InterMute
2007-04-22 10:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-10 19:11 <DIR> d-------- C:\Program Files\DellSupport

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-26 21:54:33 -------- d-----w C:\DOCUME~1\Doug\APPLIC~1.\AdobeUM
2007-04-20 17:57:56 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-20 17:56:49 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-19 19:50:26 -------- d-----w C:\DOCUME~1\Doug\APPLIC~1.\SiteAdvisor
2007-04-19 05:04:54 -------- d-----w C:\Program Files\SiteAdvisor
2007-04-11 00:25:51 -------- d--h--w C:\DOCUME~1\Doug\APPLIC~1.\Gtek
2007-03-24 13:34:41 -------- d-----w C:\Program Files\McAfee
2007-03-20 23:41:17 -------- d-----w C:\Program Files\Palm
2007-03-20 23:37:53 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-11 16:27:16 -------- d-----w C:\Program Files\McAfee.com
2007-03-11 16:16:37 -------- d-----w C:\Program Files\Common Files\McAfee
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{089FD14D-132B-48FC-8861-0048AE113215}"="C:\Program Files\SiteAdvisor\6066\SiteAdv.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="C:\WINDOWS\system32\dla\tfswshx.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll"
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"="c:\program files\mcafee\virusscan\scriptcl.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
@=""
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6066\\SiteAdv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (COMPUTER-Rachel).job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 09:06:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************
Completion time: 2007-05-08 9:08:45 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-08 09:08

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 08, 2007 11:21:08 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/05/2007
Kaspersky Anti-Virus database records: 315467
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 82175
Number of viruses found: 1
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:44:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{3708290B-FAE6-46B7-8954-9BEA5ABFB6CB}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{FAC817C9-15B6-4E6D-B6D1-1520E236D4C5}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Doug\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Doug\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Doug\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Doug\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Doug\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Doug\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped
C:\Documents and Settings\Doug\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Temp\hsperfdata_Doug\2940 Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Temp\JET906A.tmp Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Temp\me_0RfdFO Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Temp\me_AUkpwOt0qnejrC3 Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Temp\me_HxRrCnjBt Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Temp\me_pHkfalF3JzM1oc9 Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Temp\~ROMFN_00000CF0 Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Doug\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Doug\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Doug\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\KODAK\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\KODAK\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\L0000069.FCS Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\SimpleCenter\simplecenter.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kdwbc.exe.vir Infected: Trojan.Win32.DNSChanger.iu skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP718\A0029862.exe Infected: Trojan.Win32.DNSChanger.iu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP718\change.log Object is locked skipped
C:\WINDOWS\BWKDLogs\BWTargetInf.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_as7xGTlST0mJcHW Object is locked skipped
C:\WINDOWS\Temp\mcafee_JsvORgGNU7MI3zh Object is locked skipped
C:\WINDOWS\Temp\mcmsc_3GT6cjbh5rPZVI2 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_IlFmDSSvAzd8UEZ Object is locked skipped
C:\WINDOWS\Temp\mcmsc_j7QoU10E5ZiZBFS Object is locked skipped
C:\WINDOWS\Temp\mcmsc_VGN5n2XLXIH2axL Object is locked skipped
C:\WINDOWS\Temp\mcmsc_vmTsJkGRzF94oCP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#6 Aquarock

Aquarock

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 08 May 2007 - 11:43 AM

Oops....forgot to add my updated HijackThis! log....here it is:

Logfile of HijackThis v1.99.1
Scan saved at 11:28:50 AM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\SimpleCenter\SimpleCenter.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Doug\Desktop\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: SimpleCenter.lnk = C:\Program Files\SimpleCenter\SimpleCenter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay10...ex/HMAtchmt.ocx
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

#7 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 09 May 2007 - 08:24 AM

Hi Aquarock, :wave:

Things appear to have cleaned up nicely. :)

How are things running now? Any persistent problems or suspicious behaviour on your machine that I should know about?
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#8 Aquarock

Aquarock

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 09 May 2007 - 08:41 AM

Hi Aquarock, :wave:

Things appear to have cleaned up nicely. :)

How are things running now? Any persistent problems or suspicious behaviour on your machine that I should know about?



It seems to be working properly now. I am assuming that those infected files shown by the Kaspersky scan were properly quarentined? Or do I need to run my virus scan or anything else to ensure everything is good?

Thanks again SOOO much Sempurna!!! :wave:

#9 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 09 May 2007 - 11:56 AM

Hi Aquarock, :wave:

Youíre most welcome, Aquarock. Iím glad to hear that things are running better now. :)

No worries about what Kaspersky found. One was in the quarantine folder of ComboFix, and the other is an inactive system restore file. Both donít pose any danger to your system.

Just some loose ends to tie up, and then we can let you go home. :)

To create a new system restore point:
  • Go to Start Menu -> All Programs -> Accessories -> System Tools -> System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create.
  • When the confirmation screen shows the restore point has been created click Close.
  • Then go to Start -> Run and type CLEANMGR.
  • Disk Cleanup will open and start calculating the amount of space that can be freed.
  • Once thatís finished it will open the Disk Cleanup options screen, click the More Options tab.
  • Click Clean Up in the System Restore section and choose Yes at the confirmation window.
This will remove all previous restore points except the newly created one.


NEXT:

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:
  • CLICK HERE to download the offline installer.
    • Select Java Runtime Environment (JRE) 6u1 and click the Download button to the right.
    • Check the box that says Accept License Agreement.
    • Click on the link to download Windows Offline Installation, Multi-language.
    • Save the file to your desktop.
  • Next, uninstall your currently installed version from Add/Remove Programs.
  • If you have older versions listed uninstall them also. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.
  • Examples of older versions in Add/Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Reboot your system.
  • Install the new version by double-clicking on the file you downloaded.

NEXT:

Everything looks great --- your HijackThis log appears to be clean. :)

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.

  • Firewall (a must!)
    It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.

  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.

  • SpywareBlaster
    This is a great FREE prevention tool to keep nasties from installing on your system.
    Tutorial: How to use!

  • IE-SPYAD
    This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Tutorial: How to use!

  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
    Tutorial: How to use!

  • Ad-Aware SE
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy compliment each other very well.
    Tutorial: How to use!

  • AVG Anti-Spyware
    This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
    User Manual: How to use!

  • SUPERAntiSpyware
    This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware compliment each other very well.
    Quick Guide: How to use!
Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Hopefully this should take care of your problems! Good luck! :D
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#10 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 11 June 2007 - 04:42 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button