Free Malware Removal Forum

[kennaortega]

... Because my computer is running much better, but still much slower than prior to my infection with some Trojan that I still don't know the name of.
Anyway, I have XP and Office 2003 and I am on a wireless system at a hotel in San Diego. Some of my symptoms were popups, fake system infection warnings, etc. My AVAST was useless against it. It wouldn't allow AVG to run at all. And I have barely been able to use Microsoft LIVE ONE CARE against it, which seems to have at least partially done the job.
I think it involved OFFICE so I had disabled it at one point and that's when I started to make progress with LIvE ONE CARE. LIVE ONE CARE wants me to install 8 OFFICE vulnerability updates but although I have tried to about 15 times it still won't let me. As well, although it is running far better, I still have symptoms.

So without further ado, here is my hijack this log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:31:33 AM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HiJackThis_v2.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... ase370.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - http://us.mg2.mail.yahoo.com/ya/downloa ... p;inline=1

--
End of file - 3808 bytes

[Rodav]

Hello! and welcome to the Malware Removal forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.
As I am still training, everything that I post to you, must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice.

• I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• It's often worth reading through these instructions and printing them for ease of reference.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• Please reply to this thread. Do not start a new topic.

[Rodav]

Step 1:
You are running an older version of HijackThis.
It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.

• Download HJTInstall.exe to your Desktop.
• Doubleclick HJTInstall.exe to install it.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• Do not scan with it yet, you can close it at this point.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.


Step 2:
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.

[Rodav]

Hi kennaortega, do you still need any assistance?

[Elrond]

Due to lack of response this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Elrond