MalwareRemoval.com

My computer is in trouble!


Post by Jlitening » March 8th, 2008, 7:57 pm

Hello there! Early this morning while I was websurfing, my computer suddenly froze, then I started getting the popup boxes telling me Malicious Action Blocked, Spyware Doctor has blocked an application trying to access the registry - mgmrwmrv.exe. I've run Spyware Doctor several times already but even after cleaning, the popups keep flooding in. I've also gotten a lot of Windows Security System warnings telling me my system may be infected with malware, and links me to a site to sell me other antispyware products. I also have a yellow triangle in the tray that pops up with messages about my system being infected with spyware. And now I can't use the task manager because it's been disabled (automatically?) by the administrator.
I saw a similar thread posted earlier, but since I'm on a different computer I thought I should post my hijackthis log before I started following the other instructions. I've never fixed a spyware issue on the computer so I'm a little shy about diving right in. Thanks in advance for your help!!

Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:25 AM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\AOL\1199417669\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\DOCUME~1\DOUGAL~1\LOCALS~1\Temp\bb3.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\Program Files\Bat\X_Bat.exe
C:\WINDOWS\cbuxkjan.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {eaba7a44-1dd1-11b2-aa08-ca70238b6543} - C:\WINDOWS\idynslep.dll
O2 - BHO: XBTB03021 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\My.Freeze Toolbar\freeze_news_us.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1199417669\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [zyjexgvy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zyjexgvy.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7729 bytes
Jlitening
Active Member
 
Posts: 14
Joined: March 8th, 2008, 7:44 pm
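As an added example (not code from this thread, from HijackThis or from MalwareRemoval.com), here is a small Python triage script that applies, over a trimmed sample of the log above, the same checks a helper applies by eye: an F2 UserInit value holding anything besides userinit.exe, BHOs with no file or with a DLL dropped straight into C:\WINDOWS, Run entries that execute a DLL through regsvr32, and processes running from Temp or from the %windir% root. The heuristics, the whitelist of legitimate %windir% executables and the sample lines are assumptions taken from this log, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a trimmed subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\DOUGAL~1\LOCALS~1\Temp\bb3.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\cbuxkjan.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {eaba7a44-1dd1-11b2-aa08-ca70238b6543} - C:\WINDOWS\idynslep.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zyjexgvy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zyjexgvy.dll"
"""


@dataclass(frozen=True)
class Finding:
    section: str  # "process", "F2", "O2" or "O4"
    reason: str   # why the entry deserves a second look
    target: str   # the path or command that triggered it


# The heuristics below are assumptions chosen for this example from the thread's
# log; they are not HijackThis rules. Paths are compared case-insensitively.
WINDIR = "c:\\windows"
SYSTEM32 = WINDIR + "\\system32"
USERINIT = SYSTEM32 + "\\userinit.exe"      # the only value UserInit should hold on XP
LEGIT_IN_WINDIR_ROOT = {"explorer.exe"}      # XP keeps Explorer directly in %windir%


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _split(path: str) -> Tuple[str, str]:
    """Return (parent directory, file name), both lower-cased."""
    parent, _, name = _norm(path).rpartition("\\")
    return parent, name


def check_process(path: str) -> Optional[Finding]:
    """Running-process lines: flag Temp folders and bare %windir% executables."""
    parent, name = _split(path)
    if "temp" in parent.split("\\"):
        return Finding("process", "executable running from a Temp folder", path)
    if parent == WINDIR and name not in LEGIT_IN_WINDIR_ROOT:
        return Finding("process", "unexpected executable in %windir% root", path)
    return None  # malware placed in system32 passes this check; the F2 check catches it


def check_userinit(value: str) -> List[Finding]:
    """F2 UserInit: every entry besides userinit.exe is started at each logon."""
    entries = [e for e in value.split(",") if e.strip()]
    return [Finding("F2", "extra UserInit entry started at logon", e)
            for e in entries if _norm(e) != USERINIT]


def check_bho(target: str) -> Optional[Finding]:
    """O2 BHO: orphaned registrations and DLLs dropped straight into %windir%."""
    if _norm(target) == "(no file)":
        return Finding("O2", "orphaned BHO registration (no file on disk)", target)
    parent, _ = _split(target)
    if parent == WINDIR:
        return Finding("O2", "BHO DLL located in %windir% root", target)
    return None


def check_run(command: str) -> Optional[Finding]:
    """O4 Run: DLLs executed via regsvr32, or commands in user-data/Temp paths."""
    cmd = _norm(command)
    if cmd.startswith("regsvr32"):
        return Finding("O4", "Run entry executes a DLL through regsvr32", command)
    if "\\application data\\" in cmd or "\\temp\\" in cmd:
        return Finding("O4", "Run entry points into Application Data or Temp", command)
    return None


F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: .* - \{[^}]*\} - (.*)$")
O4_RE = re.compile(r"^O4 - .*\\Run: \[[^\]]*\] (.*)$")


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect findings from the checks above."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        hit: Optional[Finding] = None
        if in_processes:
            hit = check_process(line)
        elif (m := F2_RE.match(line)):
            findings.extend(check_userinit(m.group(1)))
        elif (m := O2_RE.match(line)):
            hit = check_bho(m.group(1))
        elif (m := O4_RE.match(line)):
            hit = check_run(m.group(1))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.target}")
```

On the sample the script reports six findings; note that mgmrwmrv.exe in system32 is only caught through the UserInit entry, which is why location alone is a weak signal.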

Re: My computer is in trouble!

Post by dan12 » March 9th, 2008, 11:51 am

Hi, Jlitening, and welcome to the malwareremoval forums.

I'm dan12, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default.)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Post by dan12 » March 9th, 2008, 12:27 pm

Hi, Jlitening. You were very wise in not diving in. The fixes you see in other threads or boards, for that matter, are put together by the helpers for the individual machine they are giving assistance to. :)

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Post by Jlitening » March 9th, 2008, 7:02 pm

Thanks so much for agreeing to help me. I downloaded the program you mentioned and here is the log:

ComboFix 08-03-09.1 - Doug Allen 2008-03-09 15:51:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.589 [GMT -7:00]
Running from: C:\Documents and Settings\Doug Allen\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\zyjexgvy.dll
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\idynslep.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-09 15:53 . 2008-03-09 15:53 <DIR> d-------- C:\Program Files\seekmo
2008-03-09 15:53 . 2008-03-09 15:53 17,664 --a------ C:\WINDOWS\updatetc.exe
2008-03-09 15:53 . 2008-03-09 15:53 13,824 --a------ C:\WINDOWS\salm.exe
2008-03-09 15:53 . 2008-03-09 15:53 13,312 --a------ C:\WINDOWS\saiemod.dll
2008-03-09 15:53 . 2008-03-09 15:53 11,520 --a------ C:\WINDOWS\180ax.exe
2008-03-09 15:31 . 2008-03-09 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-09 13:03 . 2008-03-09 13:03 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-09 13:03 . 2008-03-09 13:03 <DIR> d-------- C:\Program Files\zango
2008-03-09 13:03 . 2008-03-09 13:03 <DIR> d-------- C:\Program Files\180solutions
2008-03-09 13:03 . 2008-03-09 13:03 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-09 13:03 . 2008-03-09 13:03 <DIR> d-------- C:\Program Files\180search assistant
2008-03-09 13:03 . 2008-03-09 13:03 32,256 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-03-09 13:03 . 2008-03-09 13:03 28,160 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-03-09 13:03 . 2008-03-09 13:03 15,872 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-09 13:02 . 2008-03-09 13:02 15,872 --a------ C:\WINDOWS\apphelp32.dll
2008-03-08 12:00 . 2008-03-08 12:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 08:56 . 2008-03-08 08:56 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 08:56 . 2008-03-09 13:03 <DIR> d-------- C:\Program Files\stc
2008-03-08 08:41 . 2008-03-08 08:41 <DIR> d-------- C:\WINDOWS\njuqccse
2008-03-08 08:41 . 2008-03-08 22:27 <DIR> d-------- C:\Program Files\Bat
2008-03-08 08:41 . 2008-03-08 08:41 295,819 --a------ C:\WINDOWS\system32\LB4D0.tmp
2008-03-08 08:41 . 2008-03-08 08:41 229,532 --a------ C:\WINDOWS\system32\LA5AD.tmp
2008-03-08 08:41 . 2008-03-08 08:41 177,664 --a------ C:\WINDOWS\sryfmzcb.dll
2008-03-08 08:41 . 2008-03-08 08:41 88,593 --a------ C:\WINDOWS\mlqpexyz.exe
2008-03-08 08:41 . 2008-03-08 08:41 88,587 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-08 08:41 . 2008-03-08 08:41 43,008 --a------ C:\WINDOWS\cbuxkjan.exe
2008-03-08 08:41 . 2008-03-08 08:41 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-02 21:12 . 2008-03-08 08:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 21:12 . 2008-03-02 21:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-21 19:49 . 2008-02-21 19:49 <DIR> d-------- C:\Program Files\My.Freeze Toolbar
2008-02-21 19:49 . 2008-02-21 19:49 <DIR> d-------- C:\Program Files\Freeze.com
2008-02-21 19:49 . 2008-02-23 18:22 <DIR> d-------- C:\Program Files\Free Offers from Freeze.com
2008-02-18 04:51 . 2008-03-09 13:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-18 04:10 . 2008-03-06 17:29 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-18 04:10 . 2008-02-18 04:10 <DIR> d-------- C:\Documents and Settings\Doug Allen\Application Data\PC Tools
2008-02-18 04:10 . 2008-02-18 04:11 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-18 04:10 . 2008-02-18 04:11 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-18 04:10 . 2007-10-18 01:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-18 04:10 . 2007-10-18 01:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-18 04:06 . 2005-09-23 09:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 22:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-09 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-09 02:06 --------- d-----w C:\Program Files\Common Files\aol
2008-02-09 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-03 20:02 --------- d-----w C:\Program Files\The Learning Company
2008-02-03 19:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 19:11 --------- d-----w C:\Program Files\Scholastic
2008-02-03 19:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-29 05:01 --------- d-----w C:\Documents and Settings\Doug Allen\Application Data\Viewpoint
2008-01-29 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-18 06:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-17 04:47 --------- d-----w C:\Program Files\Disney Interactive
2008-01-16 00:35 10,920 ----a-w C:\aolconnfix.exe
2008-01-16 00:35 --------- d-----w C:\Documents and Settings\Doug Allen\Application Data\AOL
2008-01-10 03:52 --------- d-----w C:\Program Files\sz8034_6
2008-01-10 03:52 --------- d-----w C:\Documents and Settings\Doug Allen\Application Data\School Zone Preferences
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
2008-03-07 22:15 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2007-10-27 10:44 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 18:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 02:40 124656]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-15 13:01 5513216]
"HostManager"="C:\Program Files\Common Files\AOL\1199417669\ee\AOLSoftware.exe" [2007-05-25 10:16 42032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-04 13:14 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe" [2007-05-22 18:39 32881]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 18:24 1065800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\aol\\1199417669\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

R3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys [2008-01-03 13:32]

*Newly Created Service* - ATWPKT2
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 15:53:19
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 15:54:07
ComboFix-quarantined-files.txt 2008-03-09 22:54:03
.
2008-02-14 11:01:48 --- E O F ---
Jlitening
Active Member
 
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Post by dan12 » March 9th, 2008, 9:04 pm

Hi, Jlitening,

Optional - VIEWPOINT MANAGER
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546
Additional info: Here
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Your call.

___________________

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint.
Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player.
The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information.
CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.



Delete bad programs
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present). The name may have a space or something between it, but it has to look like it:
    • zango
    • 180solutions
    • 180searchassistant
    • My.Freeze Toolbar
    • Freeze.com
    • Free Offers from Freeze.com
    • Bat
    • seekmo



**Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\updatetc.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\apphelp32.dll

Folder::
C:\Program Files\seekmo
C:\Program Files\zango
C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\WINDOWS\FLEOK
C:\Program Files\My.Freeze Toolbar
C:\Program Files\Freeze.com
C:\Program Files\Free Offers from Freeze.com

DirLook::
C:\Program Files\sz8034_6

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


-----------------------

Download and Install CCleaner
  • Download CCleaner from here. Choose the Slim version.
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish

-------------------------------

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

----------------------------------

Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

-------------------------------

: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Please include in your next post:
  • ComboFix log txt
  • Malwarebytes log
  • New HijackThis log

Thanks dan

edit made to the bad programs to move.
Last edited by dan12 on March 10th, 2008, 5:59 am, edited 2 times in total.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Post by Jlitening » March 9th, 2008, 9:56 pm

Hi Dan12,

I deleted the Viewpoint Media Player, and when I went to start, control panel, add/remove programs I didn't see anything specifically with c:// on the list (bad programs) though there were icons named Freeze.com toolbar and bat under currently installed programs. I then clicked on Folders in control panel and looked under local disc (C:) and in the list of program files were these files (written as I see them): two of 180searchassistant, 180solutions, bat, freeze.com, free offers from freeze.com, my.freeze toolbar, seekmo and zango. Should I uninstall the two currently installed programs, then go into the list under (C:) and delete the ones I mentioned above? Or is there some other place I should be looking for these?

Sorry for the 20 questions - I just want to make sure I'm doing this correctly. Thanks once again for your help!

Rhonda (Jlitening)
Jlitening
Active Member
 
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Post by dan12 » March 10th, 2008, 5:52 am

Just uninstall those that you see in Add and Remove. If you can't see the others I mentioned, don't worry; I will do that manually for you, which saves you going looking.
Just let me know which you were able to uninstall via Add and Remove before you continue with the rest of the fix, as I may need to alter the CF script to take into account the programs you're not seeing.
dan :)

edit: these are what we're looking for; I think the file path confused you.
zango
180solutions
180searchassistant
My.Freeze Toolbar
Freeze.com
Free Offers from Freeze.com
Bat
seekmo
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Post by Jlitening » March 10th, 2008, 9:04 pm

Thank you for your patience. :-)
I uninstalled Bat and Freeze.com toolbar as those were the only ones you mentioned that were listed in the add/remove programs location. The computer seems to be getting worse in some ways - it's running really, really slow and when I try to read my aol e-mail I keep getting a debugger popup. I ran my Spyware Doctor and have new spyware on the list that I didn't see before, and that doesn't get removed by trying to fix it with the Spyware Doctor software.

I'm ready to try your next set of instructions, whenever you're ready.

Thanks again!
Jlitening
Active Member
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Unread postby dan12 » March 10th, 2008, 11:03 pm

Do you have the following from my last instruction:
ComboFix log txt
New HijackThis log
Uninstall list
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Unread postby Jlitening » March 11th, 2008, 1:17 am

I pasted the text into notepad and dragged it into the combofix program but I got the message "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
There's only one user/named account (this one) and it's listed as an administrative account, so I don't understand why I can't perform this task.

Shall I move on to the next steps, or do I need to do this in the order you listed?

Thanks.....
Jlitening
Active Member
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Unread postby Jlitening » March 11th, 2008, 2:45 am

Here is the malwarebytes log and the Uninstall list, and I will run and post a new hijackthis log. I couldn't do the Combofix log txt because of permissions.
Malwarebytes' Anti-Malware 1.08
Database version: 476

Scan type: Full Scan (C:\|)
Objects scanned: 58117
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\system32\mgmrwmrv.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{97bb8f9a-037b-415b-82cf-150eb83ee9e9} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d15cc8ae-fbb0-4bc3-baea-ba4108f34388} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PostInstallC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\mgmrwmrv.exe -> Quarantined and deleted successfully.



Adobe Flash Player ActiveX
Adobe Reader 8.1.1
AOL Toolbar 5.0
AOL Uninstaller (Choose which Products to Remove)
Arthur's Kindergarten
Blue's Reading Time Activities
Broadcom Gigabit Integrated Controller
CCleaner (remove only)
Clifford Phonics
Disney's Magic Artist Deluxe
Disney's Tigger Too
First Thousand Words
Frosty Games
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Java 2 Runtime Environment, SE v1.4.2_15
JS World Kindergarten
JSWorldKGMain
JSWPFCom
JSWPFGradeK
LiveUpdate 3.0 (Symantec Corporation)
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Office Professional Edition 2003
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
QuickTime
Scholastic's I SPY Junior Puppet Playhouse
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Spyware Doctor 5.1
Symantec AntiVirus
Transition Math K-1
Uninstall AOL Emergency Connect Utility 1.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:42 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\AOL\1199417669\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1199417669\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/ ... s-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6909 bytes
Jlitening
Active Member
Posts: 14
Joined: March 8th, 2008, 7:44 pm
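The Malwarebytes log and the HijackThis log in the post above show the three places this kind of fake-alert infection leaves traces: orphaned BHO entries (O2 lines ending in "(no file)"), Run entries (O4 lines) pointing at files outside the normal program directories, and the Winlogon Userinit value carrying an extra executable (c:\windows\system32\mgmrwmrv.exe here). What follows is an added example of how a helper could triage HijackThis-style lines mechanically; it is not a MalwareRemoval.com or HijackThis tool. The sample log is constructed from the shapes of lines in this thread, the F2 UserInit line is assumed to follow HijackThis's F2 convention, and the allowlist of trusted directories is an assumption a practitioner would tune.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines in the shape HijackThis 2.0.2 prints. The O2 orphan,
# the O4 entries and the Userinit hijack mirror what this thread's logs showed;
# the [updater] entry under a Temp folder is constructed for illustration.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\salm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe
"""

# Assumed allowlist of directories a legitimate autorun normally lives in.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9a-fA-F-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str     # "O2", "O4" or "F2"
    reason: str
    detail: str


def executable_of(command: str) -> str:
    """Return the program path from a Run command line, honouring quoting."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify_path(exe: str) -> Optional[str]:
    """Return a reason string if the executable location looks wrong, else None."""
    p = exe.lower()
    if "\\" not in p:
        # A bare name such as RUNDLL32.EXE resolves from the system directory.
        p = "c:\\windows\\system32\\" + p
    if "\\temp\\" in p or "\\local settings\\" in p:
        return "runs from a temporary or profile folder"
    if not p.startswith(TRUSTED_PREFIXES):
        return "runs from an unusual location"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis-style lines and collect entries worth a second look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding("O2", "BHO registered but its file is gone", m.group("clsid")))
            continue
        m = O4_RE.match(line)
        if m:
            reason = classify_path(executable_of(m.group("cmd")))
            if reason:
                findings.append(Finding("O4", reason, f"[{m.group('name')}] {m.group('cmd')}"))
            continue
        m = F2_RE.match(line)
        if m:
            parts = [p.strip().lower() for p in m.group("value").split(",") if p.strip()]
            extras = [p for p in parts if p != DEFAULT_USERINIT]
            if extras:
                findings.append(Finding("F2", "extra program chained into Winlogon Userinit", ", ".join(extras)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}: {f.detail}")
```

The allowlist is deliberately narrow: files dropped directly into C:\WINDOWS, as the ComboFix log later in this thread shows, are common for this family, so only Program Files and system32 are trusted by default. A helper like this only shortlists entries; the forum's helpers still read every line.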

Re: My computer is in trouble!

Unread postby Jlitening » March 11th, 2008, 3:17 am

One thing I forgot to mention - I still cannot use my task manager. Whenever I try to end or check on an application the dialog box tells me it's been disabled by the administrator. Is there some way I can get this function back?

Also I still have big yellow text on my desktop that says "Warning. Spyware has been detected on your PC." etc. with a link to scan the PC for spyware.

Although my browser seems to be somewhat unstable, the computer is running considerably faster.
Jlitening
Active Member
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Unread postby dan12 » March 11th, 2008, 4:24 am

Can you try that part of the cf script again as I detailed?
Let me know if you still have problems :)
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Unread postby Jlitening » March 11th, 2008, 10:39 am

Whew - it worked this time.

ComboFix 08-03-09.1 - Doug Allen 2008-03-11 7:28:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511 [GMT -7:00]
Running from: C:\Documents and Settings\Doug Allen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Doug Allen\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\180ax.exe
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\updatetc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\Free Offers from Freeze.com
C:\Program Files\Free Offers from Freeze.com\control.txt
C:\Program Files\Free Offers from Freeze.com\games_icon2.ico
C:\Program Files\Free Offers from Freeze.com\Ringtones.ico
C:\Program Files\Free Offers from Freeze.com\wfallsaw.ico
C:\Program Files\Freeze.com
C:\Program Files\Freeze.com\Frosty Games\data\butt.swf
C:\Program Files\Freeze.com\Frosty Games\data\DefaultExit.html
C:\Program Files\Freeze.com\Frosty Games\data\DefaultFree.html
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_freeintro_08.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_01.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_02.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_03.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_04.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_05.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_06.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_07.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_09.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_10.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_11.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_12.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_13.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_14.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_15.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_16.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_17.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_18.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_19.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_20.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_21.jpg
C:\Program Files\Freeze.com\Frosty Games\data\deffreeimg_v2\frstygm_intro_22.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_01.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_02.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_03.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_04.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_05.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_06.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_07.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_08.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_09.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_10.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_11.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_12.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_13.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_14.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_15.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_16.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_17.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_18.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_19.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_20.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_21.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_22.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_23.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_24.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_25.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_26.jpg
C:\Program Files\Freeze.com\Frosty Games\data\exitimg_v2\ftycr_27.jpg
C:\Program Files\Freeze.com\Frosty Games\data\frosty500x350.html
C:\Program Files\Freeze.com\Frosty Games\data\frosty728x90.html
C:\Program Files\Freeze.com\Frosty Games\data\games.txt
C:\Program Files\Freeze.com\Frosty Games\data\left_menu.swf
C:\Program Files\Freeze.com\Frosty Games\data\offlinefrosty_v2\050930_728x90_generic_mole_hole.jpg
C:\Program Files\Freeze.com\Frosty Games\data\offlinefrosty_v2\500x350.gif
C:\Program Files\Freeze.com\Frosty Games\data\offlinefrosty500x350.html
C:\Program Files\Freeze.com\Frosty Games\data\offlinefrosty728x90.html
C:\Program Files\Freeze.com\Frosty Games\data\OnlineDefaultFree.html
C:\Program Files\Freeze.com\Frosty Games\FrostyGames.exe
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\chicken_gamedata.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data_level0_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data_level1_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data_level2_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data_level3_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data_level4_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data_level5_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data_level6_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data_level7_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data_level8_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\game_data_level9_data.txt
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\Mayan_Mask_Mayhem.swf
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\Smiley_Chomp.swf
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\Spot_The_Difference_Education.swf
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\Spot_The_Difference_Summer.swf
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\Spot_The_Difference_Thanksgiving.swf
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\Swap_A_Smiley.swf
C:\Program Files\Freeze.com\Frosty Games\games\Classic_Arcade\Why_Did_The_Chicken_Cross_The_Road.swf
C:\Program Files\Freeze.com\Frosty Games\icon_desk_snowflake_v1.ico
C:\Program Files\Freeze.com\Frosty Games\INSTALL.LOG
C:\Program Files\Freeze.com\Frosty Games\license.txt
C:\Program Files\Freeze.com\Frosty Games\undata.exe
C:\Program Files\Freeze.com\Frosty Games\undata.ini
C:\Program Files\Freeze.com\Frosty Games\UNINSTAL.EXE
C:\Program Files\My.Freeze Toolbar
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\FLEOK
C:\WINDOWS\FLEOK\180ax.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-10 23:17 . 2008-03-10 23:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-10 23:17 . 2008-03-10 23:17 <DIR> d-------- C:\Documents and Settings\Doug Allen\Application Data\Malwarebytes
2008-03-10 23:17 . 2008-03-10 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-10 22:59 . 2008-03-10 22:59 <DIR> d-------- C:\Program Files\CCleaner
2008-03-10 00:03 . 2008-03-10 00:03 26,368 --a------ C:\WINDOWS\didduid.ini
2008-03-09 20:19 . 2008-03-09 20:19 <DIR> d-------- C:\Program Files\MetaStream
2008-03-08 12:00 . 2008-03-08 12:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 08:56 . 2008-03-08 08:56 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 08:56 . 2008-03-10 22:30 <DIR> d-------- C:\Program Files\stc
2008-03-08 08:41 . 2008-03-08 08:41 <DIR> d-------- C:\WINDOWS\njuqccse
2008-03-08 08:41 . 2008-03-08 08:41 295,819 --a------ C:\WINDOWS\system32\LB4D0.tmp
2008-03-08 08:41 . 2008-03-08 08:41 229,532 --a------ C:\WINDOWS\system32\LA5AD.tmp
2008-03-08 08:41 . 2008-03-08 08:41 177,664 --a------ C:\WINDOWS\sryfmzcb.dll
2008-03-08 08:41 . 2008-03-08 08:41 88,593 --a------ C:\WINDOWS\mlqpexyz.exe
2008-03-08 08:41 . 2008-03-08 08:41 43,008 --a------ C:\WINDOWS\cbuxkjan.exe
2008-03-02 21:12 . 2008-03-08 08:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 21:12 . 2008-03-02 21:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-18 04:51 . 2008-03-11 04:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-18 04:10 . 2008-03-11 04:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-18 04:10 . 2008-02-18 04:10 <DIR> d-------- C:\Documents and Settings\Doug Allen\Application Data\PC Tools
2008-02-18 04:10 . 2008-02-18 04:11 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-18 04:10 . 2008-02-18 04:11 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-18 04:10 . 2007-10-18 01:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-18 04:10 . 2007-10-18 01:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-18 04:06 . 2005-09-23 09:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-09 22:58 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-09 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-09 02:06 --------- d-----w C:\Program Files\Common Files\aol
2008-02-09 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-03 20:02 --------- d-----w C:\Program Files\The Learning Company
2008-02-03 19:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 19:11 --------- d-----w C:\Program Files\Scholastic
2008-02-03 19:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-29 05:01 --------- d-----w C:\Documents and Settings\Doug Allen\Application Data\Viewpoint
2008-01-18 06:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-17 04:47 --------- d-----w C:\Program Files\Disney Interactive
2008-01-16 00:35 10,920 ----a-w C:\aolconnfix.exe
2008-01-16 00:35 --------- d-----w C:\Documents and Settings\Doug Allen\Application Data\AOL
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\sz8034_6 ----

2008-01-09 20:59 1298 --a------ C:\Program Files\sz8034_6\8034_6.ini
2008-01-09 20:52 2894 --a------ C:\Program Files\sz8034_6\uninstal.log
2005-08-30 05:30 1298 --a------ C:\Program Files\sz8034_6\8000_9.ini
2005-08-30 05:29 806912 --a------ C:\Program Files\sz8034_6\8000_9.exe
2005-08-23 10:29 28620 --a------ C:\Program Files\sz8034_6\Read Me.rtf
2005-08-23 06:58 1118208 --a------ C:\Program Files\sz8034_6\8034_6.exe
2005-04-15 15:15 97 --a------ C:\Program Files\sz8034_6\Product Registration.url
2005-04-15 15:15 75 --a------ C:\Program Files\sz8034_6\Tech Support.url
2005-04-15 15:15 53 --a------ C:\Program Files\sz8034_6\School Zone Publishing.url


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2007-10-27 10:44 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 18:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 02:40 124656]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-15 13:01 5513216]
"HostManager"="C:\Program Files\Common Files\AOL\1199417669\ee\AOLSoftware.exe" [2007-05-25 10:16 42032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-04 13:14 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe" [2007-05-22 18:39 32881]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 18:24 1065800]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\aol\\1199417669\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

R3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys [2008-01-03 13:32]

*Newly Created Service* - APPMGMT
*Newly Created Service* - ATWPKT2
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 07:31:20
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-11 7:32:16
ComboFix-quarantined-files.txt 2008-03-11 14:32:11
ComboFix2.txt 2008-03-09 22:54:08
.
2008-02-14 11:01:48 --- E O F ---
Jlitening
Active Member
 
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Unread postby dan12 » March 11th, 2008, 7:08 pm

I'd like you to check some files for malware.
C:\WINDOWS\sryfmzcb.dll
C:\WINDOWS\mlqpexyz.exe
C:\WINDOWS\cbuxkjan.exe
C:\WINDOWS\njuqccse
C:\WINDOWS\didduid.ini

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Repeat for all files on the list.

dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
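A practitioner following the instructions above would usually hash each file before uploading it: both VirusTotal and Jotti return an existing report for a hash they have already seen, so a lookup by hash avoids uploading at all, and the digests go into the saved results alongside the scan output. The script below is an added example, not part of the original thread or of dan12's instructions. It assumes the five paths listed in the reply above (on any other machine they are hypothetical) and reports a path that does not exist as missing instead of aborting the run. The report URL form, https://www.virustotal.com/gui/file/<sha256>, is the site's current one and is an assumption here, since the original instructions use the web upload form rather than a URL. One caveat: the catchme output above reports a code modification in NTDLL on this machine, so a "missing" result from a script run on the infected system is not proof the file is gone; re-check from a clean environment before concluding that.

```python
"""Hash the files a helper asked to have checked, before uploading them.

Added example, not from the original thread. The paths below are the ones
listed in the reply above and are hypothetical on any other machine.
"""
import hashlib
import os

# Paths copied from the reply above (assumed to exist on the infected machine).
SUSPECT_FILES = [
    r"C:\WINDOWS\sryfmzcb.dll",
    r"C:\WINDOWS\mlqpexyz.exe",
    r"C:\WINDOWS\cbuxkjan.exe",
    r"C:\WINDOWS\njuqccse",      # no extension; it is hashed like any other file
    r"C:\WINDOWS\didduid.ini",
]

CHUNK = 1 << 20  # read 1 MiB at a time so a large file is never loaded whole

# Assumed current VirusTotal report URL form (not taken from the thread).
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Stream a file through all three digests; same keys as hash_bytes()."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def lookup_url(sha256: str) -> str:
    """Report URL to check by hash before uploading the file itself."""
    return VT_FILE_URL.format(sha256=sha256)


def build_report(paths) -> list:
    """One dict per path: digests, size and lookup URL, or a 'missing' marker."""
    report = []
    for path in paths:
        if not os.path.isfile(path):
            # Hidden, already removed, or mistyped; do not stop the whole run.
            report.append({"path": path, "status": "missing"})
            continue
        digests = hash_file(path)
        report.append({
            "path": path,
            "status": "hashed",
            "size": os.path.getsize(path),
            **digests,
            "url": lookup_url(digests["sha256"]),
        })
    return report


def format_report(report) -> str:
    """Plain-text rendering suitable for pasting into the saved results."""
    lines = []
    for entry in report:
        if entry["status"] == "missing":
            lines.append(f"{entry['path']}: not found on this machine")
            continue
        lines.append(f"{entry['path']} ({entry['size']} bytes)")
        for name in ("md5", "sha1", "sha256"):
            lines.append(f"  {name}: {entry[name]}")
        lines.append(f"  lookup: {entry['url']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SUSPECT_FILES)))
```

Run it on the affected machine and keep the printed text with the scan results; the SHA-256 is what most multi-engine scanners key their reports on, and the MD5 and SHA-1 are there because older reports and forum posts often quote only those.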