Please help Hijack log posted (this replaces post from 12-26

Post by sethro » December 29th, 2008, 12:12 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:06, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CDelHotkeys Object - {78875F5C-A685-4405-8DC5-D48DC65452B0} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Delicious Toolbar - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: 2Wire Wireless Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Delicious - {2C887991-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Bookmarks - {2C887992-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Tag - {2C887993-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0269025828
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/ghbab ... player.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejew ... er_v10.cab
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 10651 bytes
sethro
Active Member
 
Posts: 13
Joined: December 26th, 2008, 12:46 pm

Re: Please help Hijack log posted (this replaces post from 12-26

Post by jmw3 » December 29th, 2008, 12:23 pm

Welcome sethro
I'm having a look at your log/s now. Please give me a little time to get back to you with instructions.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes them much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • Continue to respond to this thread until I give you the All Clean!
Thanks

I'd also like to see a list of installed programs so please do this:
Create an Uninstall List
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button
  • Click on the Save list... button and specify where you would like to save this file
  • When you press the Save button a notepad will open with the contents of that file
  • Copy and paste the contents of that notepad here in your next reply
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Please help Hijack log posted (this replaces post from 12-26

Post by sethro » December 29th, 2008, 5:40 pm

2Wire Wireless Client
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 7.0.9
Adobe Shockwave Player 11
Amazon Unbox Video
AOLIcon
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
ArcSoft TotalMedia Backup & Record
ATI Control Panel
ATI Display Driver
Big Fish Games Client
Conexant D850 56K V.9x DFVc Modem
Corel Photo Album 6
Cornice 0.6.1
Delicious Add-on for Internet Explorer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Photo Printer 720
Dell Photo Printer 720 Logger
Dell Support 3.2
Design Manager
Digital Content Portal
Digital Line Detect
Diner Dash (remove only)
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
ESPNMotion
Games, Music, & Photos Launcher
Google Toolbar for Internet Explorer
Hidden Expedition Titanic (remove only)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 8.0
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Photosmart All-In-One Software 8.0
HP Photosmart Essential
HP Product Assistant
HP Product Detection
HP Solution Center 8.0
HP Update
HPSSupply
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Internet Security 2009
Kaspersky Internet Security 2009
Learn2 Player (Uninstall Only)
MCU
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Works
MobileMe Control Panel
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Mystery Case Files - Prime Suspects (remove only)
Mystery Case Files - Ravenhearst (remove only)
Mystery Case Files: Return to Ravenhearst ™
NetWaiting
NetZeroInstallers
New York Times - Times Reader
Nikon Message Center
OpenOffice.org Installer 1.0
PictureProject
PictureProject In Touch Downloader 1.0
PowerDVD 5.1
QuickTime
Quilt Design Wizard
RealArcade
RealPlayer
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
SBC Yahoo! DSL Home Networking Installer
SCRABBLE
SearchAssist
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shape Shifter
Shockwave
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Super Collapse! Puzzle Gallery 3
Super Collapse! Puzzle Gallery 4
Travelogue 360: Paris
Trivial Pursuit Digital Choice v1.2.5 for Windows XP/Vista
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Viewpoint Media Player
WildTangent Web Driver
Windows Imaging Component
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WordPerfect Office 12
Yahoo! Install Manager
sethro
Active Member
 
Posts: 13
Joined: December 26th, 2008, 12:46 pm

Re: Please help Hijack log posted (this replaces post from 12-26

Post by jmw3 » December 29th, 2008, 7:12 pm

Fix HiJackThis Entries
  • Open HiJackThis
  • Click on Do a system scan only
  • Place a checkmark next to these lines (if still present):
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejew ... er_v10.cab


  • Close all windows except HijackThis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.


Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    A guide to do this can be found here
    The ones that need to be closed/disabled are:
    Kaspersky Internet Security 2009
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply along with a new HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
Malwarebytes log
Combofix log
New HijackThis log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
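The helper above picked out an O2 and an O16 entry from the log by hand. As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage script that parses O4, O16 and O23 lines in the HijackThis v2 log format shown above and lists the entries a reviewer should check first: Run values that name a bare file with no path (the thread's frmwrk32.exe, which ComboFix later deleted from system32, is one; the legitimate stsystra.exe is another, so this is a prompt to verify, not a verdict), startup shortcuts HijackThis could not resolve, ActiveX downloads from hosts outside an allowlist, and services with no recorded publisher. The sample log lines are constructed from entries on this page, and the download-host allowlist is an assumption to adapt; O2 BHO lines still need a manual CLSID and publisher check that this script does not automate.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the HijackThis v2 log format, mirroring entries from
# the log posted in this thread (not a real log capture).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = ?
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejew ... er_v10.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0269025828
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Line shapes of the HijackThis sections this script understands.
RUN_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\Run: \[(.+?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+?) = (.+)$")
DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.+?)\) - (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Assumed allowlist of hosts from which ActiveX (DPF) downloads are expected;
# adapt it to the environment being reviewed.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "live.com", "hp.com")


@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O4"
    name: str     # entry name as shown in the log
    target: str   # file, URL or command the entry points at
    reason: str   # why a human should look at it


def executable_of(command: str) -> str:
    """Return the program a Run-key command launches, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, possibly containing spaces
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def is_bare_name(exe: str) -> bool:
    """True when the entry names a file with no directory, e.g. 'frmwrk32.exe'.

    Such values are resolved through the search path at logon, so the file
    that actually runs must be located and its publisher checked by hand.
    """
    return "\\" not in exe and ":" not in exe


def triage(log_text: str) -> list:
    """Parse O4/O16/O23 lines and return entries worth a reviewer's attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            hive, name, command = m.groups()
            exe = executable_of(command)
            if is_bare_name(exe):
                findings.append(Finding("O4", name, exe,
                    f"{hive} Run value with no path: confirm where '{exe}' resolves and who signed it"))
        elif m := STARTUP_RE.match(line):
            name, target = m.groups()
            if target == "?":
                findings.append(Finding("O4", name, target,
                    "startup shortcut whose target HijackThis could not resolve"))
        elif m := DPF_RE.match(line):
            clsid, name, url = m.groups()
            host = urlsplit(url).hostname or ""
            if not host.endswith(TRUSTED_DPF_SUFFIXES):
                findings.append(Finding("O16", name, url,
                    f"ActiveX control downloaded from {host}, not on the allowlist ({clsid})"))
        elif m := SERVICE_RE.match(line):
            name, owner, path = m.groups()
            if owner == "Unknown owner":
                findings.append(Finding("O23", name, path,
                    "service with no publisher recorded; verify the binary's signature"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name!r} -> {f.target}: {f.reason}")
```

Run against the sample it reports five entries (both bare-name Run values, the unresolved 2Wire shortcut, the PopCapLoader download and the ProtexisLicensing service) and stays silent on the fully pathed, vendor-attributed ones.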

Re: Please help Hijack log posted (this replaces post from 12-26

Post by sethro » December 29th, 2008, 11:12 pm

Thanks for your help so far. I ran into a problem, following the directions above.

Did the first part fixing HijackThis entries successfully, then downloaded Anti-Malware to desktop. When I tried to run the install I got an error message: "Invalid Floating Point operation", followed a few moments later by "Application Error Exception EIInvalidOp in module mbam-setup.tmp at 778500F5"

That error message displayed multiple times.

I rebooted and tried again with same result.

Let me know what to do, thanks

--seth
sethro
Active Member
 
Posts: 13
Joined: December 26th, 2008, 12:46 pm

Re: Please help Hijack log posted (this replaces post from 12-26

Post by jmw3 » December 29th, 2008, 11:21 pm

OK, just skip Malwarebytes' Anti-Malware for the time being. Just run Combofix following the instructions given.
Then post the Combofix log & a new HijackThis log.

Thanks
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Please help Hijack log posted (this replaces post from 12-26

Post by sethro » December 29th, 2008, 11:39 pm

ComboFix 08-12-29.02 - Kathleen Rosen 2008-12-29 22:30:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.537 [GMT -5:00]
Running from: c:\documents and settings\Kathleen Rosen\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\ADAPT_Installer.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\404Fix.exe
c:\windows\system32\ahtn.htm
c:\windows\system32\dumphive.exe
c:\windows\system32\frmwrk32.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\ntdll64.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\test.ttt
c:\windows\system32\tmp.reg
c:\windows\system32\uniq.tll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-29 00:07 . 2008-12-29 00:07 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-29 00:07 . 2008-12-29 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-29 00:07 . 2008-12-29 22:13 4,408,352 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-29 00:07 . 2008-12-29 22:34 639,008 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-29 00:07 . 2008-12-29 00:07 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-29 00:07 . 2008-12-29 00:07 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-29 00:07 . 2008-12-29 22:13 35,520 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-29 00:07 . 2008-12-29 22:34 3,292 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-28 23:09 . 2008-12-28 23:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-28 16:09 . 2008-12-28 16:09 0 --a------ c:\documents and settings\Kathleen Rosen\Application Data\wklnhst.dat
2008-12-26 11:49 . 2008-12-26 11:49 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 11:09 . 2008-12-26 11:09 <DIR> d-------- C:\VundoFix Backups
2008-12-26 10:52 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-26 10:48 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-26 10:48 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-26 00:12 . 2008-12-28 22:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-26 00:12 . 2008-12-26 00:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-25 16:51 . 2008-12-28 22:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-25 16:51 . 2008-12-28 22:50 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\SUPERAntiSpyware.com
2008-12-25 16:39 . 2008-12-25 16:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-25 15:46 . 2008-12-25 15:46 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2008-12-25 15:46 . 2008-12-26 00:12 <DIR> d-------- C:\79a151d8d86cd075c935
2008-12-25 11:32 . 2008-12-26 00:12 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-25 01:37 . 2008-04-13 19:12 26,112 --a------ c:\windows\system32\dllcache\userinit.exe
2008-12-24 13:57 . 2008-12-24 13:57 <DIR> d-------- c:\program files\Trivial Pursuit Choice
2008-12-24 13:57 . 2008-12-24 13:57 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\Hasbro
2008-12-18 17:01 . 2008-12-24 11:11 <DIR> d-------- c:\program files\Mystery Case Files - Return to Ravenhearst
2008-12-16 17:45 . 2008-12-16 17:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2008-12-16 16:49 . 2008-12-16 16:49 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-12 22:21 . 2008-12-12 22:22 <DIR> d-------- c:\documents and settings\seth rosen\Application Data\Move Networks
2008-12-12 22:15 . 2008-12-12 22:15 <DIR> d-------- c:\documents and settings\seth rosen\Application Data\Nikon
2008-12-12 13:26 . 2008-12-12 13:26 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\Shape games
2008-12-10 17:34 . 2008-12-10 17:34 <DIR> d-------- c:\program files\bfgclient
2008-12-10 17:33 . 2008-12-20 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-07 08:55 . 2008-12-07 08:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-03 14:26 . 2008-12-03 14:26 <DIR> d-------- c:\program files\New York Times
2008-12-01 09:25 . 2008-12-01 09:25 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\GameHousev1005
2008-11-30 17:07 . 2008-11-30 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Gogii
2008-11-27 04:05 . 2008-12-24 22:29 79,548 --ah----- c:\windows\system32\mlfcache.dat
2008-11-18 19:10 . 2008-11-18 19:10 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\iWin
2008-11-17 21:53 . 2008-11-17 21:53 <DIR> d-------- c:\program files\iTunes
2008-11-17 21:53 . 2008-11-17 21:53 <DIR> d-------- c:\program files\iPod
2008-11-17 21:53 . 2008-11-17 21:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-17 21:51 . 2008-11-17 21:51 <DIR> d-------- c:\program files\QuickTime
2008-11-15 17:09 . 2008-11-15 17:09 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\Talkback
2008-11-15 16:52 . 2008-11-15 16:52 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\Eyeblaster
2008-11-12 03:07 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 03:07 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 20:00 . 2008-11-11 20:00 218,376 --a------ c:\windows\system32\klogon.dll
2008-11-11 19:58 . 2008-11-11 19:58 25,601 --a------ c:\windows\system32\drivers\klopp.dat
2008-11-11 13:56 . 2008-12-13 09:04 <DIR> d-------- c:\program files\GameHouse
2008-11-11 13:56 . 2008-12-01 09:25 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\GameHouse
2008-11-11 13:56 . 2008-11-11 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 03:16 --------- d-----w c:\documents and settings\Kathleen Rosen\Application Data\Delicious IE Extension
2008-12-30 02:58 --------- d-----w c:\program files\BAE
2008-12-29 22:32 --------- d-----w c:\documents and settings\seth rosen\Application Data\Delicious IE Extension
2008-12-29 22:06 4,288 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-12-29 04:59 --------- d-----w c:\program files\PC Tools AntiVirus
2008-12-29 03:59 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-29 03:44 --------- d-----w c:\documents and settings\Kathleen Rosen\Application Data\Lavasoft
2008-12-29 02:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 23:10 --------- d-----w c:\program files\Mystery Case Files - Ravenhearst
2008-12-26 05:26 --------- d-----w c:\program files\Microsoft Works
2008-12-25 23:08 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-12-25 15:57 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-17 00:51 --------- d-----w c:\program files\Google
2008-12-16 21:49 --------- d-----w c:\program files\Java
2008-12-15 22:03 --------- d-----w c:\program files\Mystery Case Files - Prime Suspects
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-13 03:15 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-12-03 19:35 --------- d-----w c:\program files\The Print Shop 20
2008-11-18 19:31 --------- d-----w c:\program files\RealArcade
2008-11-18 02:51 --------- d-----w c:\program files\Common Files\Apple
2008-11-16 17:58 --------- d-----w c:\documents and settings\Kathleen Rosen\Application Data\Image Zone Express
2008-11-16 17:07 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-19 23:38 2,004 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2007-02-16 21:19 774,144 ----a-w c:\program files\RngInterstitial.dll
2007-08-18 02:45 88 --sh--r c:\windows\system32\6F9D126C11.sys
2008-09-26 20:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-04-13 290905]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-16 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client.lnk - c:\program files\2Wire 802.11g Wireless\PRISMCFG.EXE [2006-10-21 335979]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-11 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2006-10-22 315392]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-12-15 118784]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-06-07 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Amazon\\Amazon Unbox Video\\ADVWindowsClientApp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\DRIVERS\WlanUIG.sys [2006-10-21 347648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-29 c:\windows\Tasks\User_Feed_Synchronization-{7040A39C-030D-46EB-8618-D97094542798}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PCTAVApp - c:\program files\PC Tools AntiVirus\PCTAV.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: {{2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
IE: {{2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
IE: {{2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

c:\windows\Downloaded Program Files\zylomgamesplayer.dll - O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B}
hxxp://aolsvc.aol.com/onlinegames/ghbab ... player.cab
c:\windows\Downloaded Program Files\ZylomGamesPlayer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 22:34:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-29 22:35:54
ComboFix-quarantined-files.txt 2008-12-30 03:35:23

Pre-Run: 56,618,594,304 bytes free
Post-Run: 57,343,344,640 bytes free

240 --- E O F --- 2008-12-18 08:00:56
sethro
Active Member
 
Posts: 13
Joined: December 26th, 2008, 12:46 pm

Re: Please help Hijack log posted (this replaces post from 12-26

Unread postby sethro » December 29th, 2008, 11:41 pm

Here's the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:40:12, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CDelHotkeys Object - {78875F5C-A685-4405-8DC5-D48DC65452B0} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Delicious Toolbar - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: 2Wire Wireless Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Delicious - {2C887991-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Bookmarks - {2C887992-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Tag - {2C887993-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0269025828
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/ghbab ... player.cab
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 10154 bytes
sethro
Active Member
 
Posts: 13
Joined: December 26th, 2008, 12:46 pm

Re: Please help Hijack log posted (this replaces post from 12-26

Unread postby jmw3 » December 30th, 2008, 12:01 pm

Upload Files for Scanning
Go to VirSCAN or VirusTotal
(Just use one or the other. No need to use both.)

If you use VirSCAN click Browse
In the File Upload box that opens navigate to c:\windows\system32\6F9D126C11.sys, & double click on file name
Then click Upload
Wait for scans to finish then copy & paste the results into your next reply

If you use VirusTotal click Browse
In the Choose File box that opens navigate to c:\windows\system32\6F9D126C11.sys, & double click on file name
Then click Send File
Wait for scans to finish then copy & paste the results into your next reply

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

File::
c:\windows\system32\Agent.OMZ.Fix.exe

DirLook::
C:\79a151d8d86cd075c935
c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 11.
JavaRa
Download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program
  • From the drop-down menu, choose English and click on Select
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK
  • A logfile will pop up. Save it to a convenient location
  • Click on Additional Tasks then tick Remove Useless JRE Files
  • Click Go then OK when prompted & close the program.
Update Java Runtime
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Scroll down to Java Runtime Environment (JRE) 6 Update 11 and click on the Download button
  • In the Platform box choose Windows
  • Check the box to Accept License Agreement and click Continue
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u11-windows-i586-p.exe" and save the downloaded file to your desktop
  • Install the new version by running the downloaded file with the Java icon & follow the on-screen instructions
  • Reboot your computer
To post in next reply:
Results from either VirSCAN or VirusTotal
Combofix log
New HijackThis log
Let me know how the computer is running
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
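
A small triage helper in the spirit of what jmw3 did above (picking the hidden/system file 6F9D126C11.sys out of the ComboFix log and sending it to a multi-engine scanner), added here as an example; it is not part of ComboFix, HijackThis or this thread. It parses the two ComboFix file-listing layouts that appear in the logs on this page ("Files Created" and "Find3M Report") and returns a review list of files under the Windows directory that carry both the hidden and system attributes; the sample lines are copied from the logs above, the function and field names are this example's own.

```python
"""Triage helper for ComboFix file listings (hypothetical; added example, not ComboFix code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# ComboFix prints file entries in two layouts:
#   "Files Created":  created . modified  size|<DIR>      attrs(9)  path
#   "Find3M Report":  modified  size|---------            attrs(7)  path
# One regex covers both; the leading "created ." group is optional.
_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
ENTRY_RE = re.compile(
    rf"^(?:(?P<created>{_TS}) \. )?"
    rf"(?P<modified>{_TS}) "
    r"(?P<size><DIR>|-+|[\d,]+) "
    r"(?P<attrs>[-a-z]{7,9}) "
    r"(?P<path>.+)$"
)

# Constructed sample: lines copied from the ComboFix logs in this thread,
# with one section banner left in to show that non-entry lines are skipped.
SAMPLE_LOG = r"""
2008-12-29 00:07 . 2008-12-30 15:10 4,408,352 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-29 00:07 . 2008-12-29 00:07 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-26 11:09 . 2008-12-26 11:09 <DIR> d-------- C:\VundoFix Backups
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-12-29 22:06 4,288 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-12-13 03:15 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2007-08-18 02:45 88 --sh--r c:\windows\system32\6F9D126C11.sys
2008-12-30 02:58 --------- d-----w c:\program files\BAE
"""


@dataclass(frozen=True)
class Entry:
    path: str
    modified: str
    size: Optional[int]            # None for directories and "---------" placeholders
    flags: frozenset               # attribute letters present, e.g. {"h", "s", "r"}
    created: Optional[str] = None  # only the "Files Created" layout reports this

    @property
    def is_dir(self) -> bool:
        return "d" in self.flags


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for banners, headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size_txt = m["size"]
    if size_txt == "<DIR>" or set(size_txt) == {"-"}:
        size = None
    else:
        size = int(size_txt.replace(",", ""))
    return Entry(
        path=m["path"],
        modified=m["modified"],
        size=size,
        flags=frozenset(ch for ch in m["attrs"] if ch != "-"),
        created=m["created"],
    )


def parse_log(text: str) -> list[Entry]:
    """All file/directory entries in a ComboFix log, in log order."""
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e is not None]


def hidden_system_files(entries: list[Entry], root: str = "c:\\windows\\") -> list[Entry]:
    """Files under `root` carrying both the hidden (h) and system (s) attributes.

    The file jmw3 asked to have scanned (6F9D126C11.sys, listed as --sh--r)
    has this trait. Legitimate software uses the same attributes too (the
    Kaspersky fidbox files, for instance), so this is a review list, not a verdict.
    """
    return [
        e for e in entries
        if not e.is_dir
        and e.path.lower().startswith(root)
        and {"h", "s"} <= e.flags
    ]


if __name__ == "__main__":
    for e in hidden_system_files(parse_log(SAMPLE_LOG)):
        print(f"{e.modified}  {e.size!s:>9}  {''.join(sorted(e.flags))}  {e.path}")
```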

Re: Please help Hijack log posted (this replaces post from 12-26

Unread postby sethro » December 30th, 2008, 4:30 pm

Computer seems to be running well with no more fake security pop-ups. Thanks.

New ComboFix log

ComboFix 08-12-29.02 - Kathleen Rosen 2008-12-30 15:20:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.587 [GMT -5:00]
Running from: c:\documents and settings\Kathleen Rosen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kathleen Rosen\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\Agent.OMZ.Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Agent.OMZ.Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-30 15:00 . 2008-12-30 15:06 <DIR> d-------- c:\documents and settings\Kathleen Rosen\.SunDownloadManager
2008-12-30 14:01 . 2008-12-30 14:01 <DIR> d-------- c:\documents and settings\seth rosen\Application Data\Malwarebytes
2008-12-30 11:47 . 2008-12-30 11:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 11:47 . 2008-12-30 11:47 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\Malwarebytes
2008-12-30 11:47 . 2008-12-30 11:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 11:47 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 11:47 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-29 00:07 . 2008-12-29 00:07 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-29 00:07 . 2008-12-30 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-29 00:07 . 2008-12-30 15:10 4,408,352 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-29 00:07 . 2008-12-30 15:10 696,352 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-29 00:07 . 2008-12-29 00:07 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-29 00:07 . 2008-12-29 00:07 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-29 00:07 . 2008-12-30 15:10 35,520 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-29 00:07 . 2008-12-30 15:10 3,460 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-28 23:09 . 2008-12-28 23:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-28 16:09 . 2008-12-28 16:09 0 --a------ c:\documents and settings\Kathleen Rosen\Application Data\wklnhst.dat
2008-12-26 11:49 . 2008-12-26 11:49 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 11:09 . 2008-12-26 11:09 <DIR> d-------- C:\VundoFix Backups
2008-12-26 10:48 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-26 10:48 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-26 00:12 . 2008-12-28 22:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-26 00:12 . 2008-12-26 00:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-25 16:51 . 2008-12-28 22:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-25 16:51 . 2008-12-28 22:50 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\SUPERAntiSpyware.com
2008-12-25 16:39 . 2008-12-25 16:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-25 15:46 . 2008-12-25 15:46 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2008-12-25 15:46 . 2008-12-26 00:12 <DIR> d-------- C:\79a151d8d86cd075c935
2008-12-25 11:32 . 2008-12-26 00:12 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-25 01:37 . 2008-04-13 19:12 26,112 --a------ c:\windows\system32\dllcache\userinit.exe
2008-12-24 13:57 . 2008-12-24 13:57 <DIR> d-------- c:\program files\Trivial Pursuit Choice
2008-12-24 13:57 . 2008-12-24 13:57 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\Hasbro
2008-12-18 17:01 . 2008-12-24 11:11 <DIR> d-------- c:\program files\Mystery Case Files - Return to Ravenhearst
2008-12-16 17:45 . 2008-12-16 17:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2008-12-16 16:49 . 2008-12-16 16:49 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-12 22:21 . 2008-12-12 22:22 <DIR> d-------- c:\documents and settings\seth rosen\Application Data\Move Networks
2008-12-12 22:15 . 2008-12-12 22:15 <DIR> d-------- c:\documents and settings\seth rosen\Application Data\Nikon
2008-12-12 13:26 . 2008-12-12 13:26 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\Shape games
2008-12-10 17:34 . 2008-12-10 17:34 <DIR> d-------- c:\program files\bfgclient
2008-12-10 17:33 . 2008-12-20 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-07 08:55 . 2008-12-07 08:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-03 14:26 . 2008-12-03 14:26 <DIR> d-------- c:\program files\New York Times
2008-12-01 09:25 . 2008-12-01 09:25 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\GameHousev1005
2008-11-30 17:07 . 2008-11-30 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Gogii
2008-11-27 04:05 . 2008-12-24 22:29 79,548 --ah----- c:\windows\system32\mlfcache.dat
2008-11-18 19:10 . 2008-11-18 19:10 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\iWin
2008-11-17 21:53 . 2008-11-17 21:53 <DIR> d-------- c:\program files\iTunes
2008-11-17 21:53 . 2008-11-17 21:53 <DIR> d-------- c:\program files\iPod
2008-11-17 21:53 . 2008-11-17 21:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-17 21:51 . 2008-11-17 21:51 <DIR> d-------- c:\program files\QuickTime
2008-11-15 17:09 . 2008-11-15 17:09 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\Talkback
2008-11-15 16:52 . 2008-11-15 16:52 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\Eyeblaster
2008-11-12 03:07 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 03:07 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 20:00 . 2008-11-11 20:00 218,376 --a------ c:\windows\system32\klogon.dll
2008-11-11 19:58 . 2008-11-11 19:58 25,601 --a------ c:\windows\system32\drivers\klopp.dat
2008-11-11 13:56 . 2008-12-13 09:04 <DIR> d-------- c:\program files\GameHouse
2008-11-11 13:56 . 2008-12-01 09:25 <DIR> d-------- c:\documents and settings\Kathleen Rosen\Application Data\GameHouse
2008-11-11 13:56 . 2008-11-11 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 20:16 --------- d-----w c:\documents and settings\Kathleen Rosen\Application Data\Delicious IE Extension
2008-12-30 19:57 --------- d-----w c:\program files\Java
2008-12-30 19:30 --------- d-----w c:\documents and settings\seth rosen\Application Data\Delicious IE Extension
2008-12-30 02:58 --------- d-----w c:\program files\BAE
2008-12-29 22:06 4,288 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-12-29 04:59 --------- d-----w c:\program files\PC Tools AntiVirus
2008-12-29 03:59 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-29 03:44 --------- d-----w c:\documents and settings\Kathleen Rosen\Application Data\Lavasoft
2008-12-29 02:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 23:10 --------- d-----w c:\program files\Mystery Case Files - Ravenhearst
2008-12-26 05:26 --------- d-----w c:\program files\Microsoft Works
2008-12-25 23:08 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-12-25 15:57 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-17 00:51 --------- d-----w c:\program files\Google
2008-12-15 22:03 --------- d-----w c:\program files\Mystery Case Files - Prime Suspects
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-13 03:15 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-12-03 19:35 --------- d-----w c:\program files\The Print Shop 20
2008-11-18 19:31 --------- d-----w c:\program files\RealArcade
2008-11-18 02:51 --------- d-----w c:\program files\Common Files\Apple
2008-11-16 17:58 --------- d-----w c:\documents and settings\Kathleen Rosen\Application Data\Image Zone Express
2008-11-16 17:07 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-19 23:38 2,004 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2007-02-16 21:19 774,144 ----a-w c:\program files\RngInterstitial.dll
2007-08-18 02:45 88 --sh--r c:\windows\system32\6F9D126C11.sys
2008-09-26 20:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\79a151d8d86cd075c935 ----

2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\pt-br\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\nl-nl\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\nl-be\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\ko-kr\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\ja-jp\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\ja-jp-psloc\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\it-it\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\fr-fr\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\fr-ch\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\fr-ca\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\fr-be\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\es-us\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\es-mx\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\es-es\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\en-sg\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\en-nz\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\en-in\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\en-ie\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\en-hk\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\en-gb\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\en-ca\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\en-au\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\de-de\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\de-ch\
2008-12-26 00:12 0 d-------- c:\79a151d8d86cd075c935\de-at\
2008-11-05 13:54 95744 --a------ c:\79a151d8d86cd075c935\atl80.dll
2008-11-05 13:54 67952 --a------ c:\79a151d8d86cd075c935\ochelpagent.dll
2008-11-05 13:54 626688 --a------ c:\79a151d8d86cd075c935\msvcr80.dll
2008-11-05 13:54 595312 --a------ c:\79a151d8d86cd075c935\winssplatform.dll
2008-11-05 13:54 56176 --a------ c:\79a151d8d86cd075c935\conflictingappmodule.dll
2008-11-05 13:54 548864 --a------ c:\79a151d8d86cd075c935\msvcp80.dll
2008-11-05 13:54 54640 --a------ c:\79a151d8d86cd075c935\cert.dll
2008-11-05 13:54 522 --a------ c:\79a151d8d86cd075c935\microsoft.vc80.crt.manifest
2008-11-05 13:54 5102 --a------ c:\79a151d8d86cd075c935\service.xml
2008-11-05 13:54 456 --a------ c:\79a151d8d86cd075c935\microsoft.vc80.atl.manifest
2008-11-05 13:54 368496 --a------ c:\79a151d8d86cd075c935\ocsetup.exe
2008-11-05 13:54 261488 --a------ c:\79a151d8d86cd075c935\winsscommon.dll
2008-11-05 13:54 122736 --a------ c:\79a151d8d86cd075c935\ocsetupro.dll
2008-11-05 13:54 122578 --a------ c:\79a151d8d86cd075c935\eula.rtf

---- Directory of c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9 ----

2008-12-14 22:23 270 --a------ c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9\profile.ini


((((((((((((((((((((((((((((( snapshot@2008-12-29_22.34.50.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 02:29:57 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 16:12:40 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 02:29:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 16:12:40 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 20:11:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-04-13 290905]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-16 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client.lnk - c:\program files\2Wire 802.11g Wireless\PRISMCFG.EXE [2006-10-21 335979]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-11 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2006-10-22 315392]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-12-15 118784]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-06-07 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Amazon\\Amazon Unbox Video\\ADVWindowsClientApp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\DRIVERS\WlanUIG.sys [2006-10-21 347648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-30 c:\windows\Tasks\User_Feed_Synchronization-{7040A39C-030D-46EB-8618-D97094542798}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: {{2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
IE: {{2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
IE: {{2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

c:\windows\Downloaded Program Files\zylomgamesplayer.dll - O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B}
hxxp://aolsvc.aol.com/onlinegames/ghbab ... player.cab
c:\windows\Downloaded Program Files\ZylomGamesPlayer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 15:24:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-30 15:26:05
ComboFix-quarantined-files.txt 2008-12-30 20:25:24

Pre-Run: 57,753,366,528 bytes free
Post-Run: 57,793,073,152 bytes free

280 --- E O F --- 2008-12-18 08:00:56


***NEW HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12:24, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\WgaTray.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CDelHotkeys Object - {78875F5C-A685-4405-8DC5-D48DC65452B0} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Delicious Toolbar - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: 2Wire Wireless Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Delicious - {2C887991-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Bookmarks - {2C887992-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Tag - {2C887993-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0269025828
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/ghbab ... player.cab
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 10327 bytes
sethro
Active Member
 
Posts: 13
Joined: December 26th, 2008, 12:46 pm

Re: Please help Hijack log posted (this replaces post from 12-26

Unread post by jmw3 » December 30th, 2008, 6:49 pm

OK looking good.

A couple of things: the instructions were to upload the file c:\windows\system32\6F9D126C11.sys to VirSCAN or VirusTotal. Was that done? Could you not find that file? If it was done, could I see the results please?

I see by your latest ComboFix log that it appears you got Malwarebytes' Anti-Malware to install. Did you run it? If so, could I see the log please? It can be found by opening Malwarebytes' Anti-Malware, then clicking the Logs tab.

ATF Cleaner
Download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Kaspersky Online Scan
Do an online scan with Kaspersky Online Scanner
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply

To post in next reply:
Results of VirScan or VirusTotal
Kaspersky Scan log
New HijackThis log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Please help Hijack log posted (this replaces post from 12-26

Unread post by sethro » December 31st, 2008, 10:06 am

I couldn't get virus scan or the other to work, so I did the CFScript ComboFix option and posted the log above.

The MBAM log is below. I'm running a Kaspersky scan and will post that and a new HijackThis log when it's done (the online Kaspersky wouldn't work, possibly since I have Kaspersky, so I am using that to scan).

Thanks for your continued assistance. Everything seems to be running well.

--seth


Malwarebytes' Anti-Malware 1.31
Database version: 1577
Windows 5.1.2600 Service Pack 3

12/30/2008 1:57:34 PM
mbam-log-2008-12-30 (13-57-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 156624
Time elapsed: 1 hour(s), 51 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
sethro
Active Member
 
Posts: 13
Joined: December 26th, 2008, 12:46 pm

Re: Please help Hijack log posted (this replaces post from 12-26

Unread post by sethro » December 31st, 2008, 11:12 am

Here is the Kaspersky scan (it found something) and then the new HijackThis log.

Full Scan: completed 12/31/2008 10:07:23 (events: 21, objects: 127185, time: 01:15:58)
12/29/2008 01:33:56 Task completed
12/29/2008 01:33:56 Moved to Quarantine: Heur.KillFiles c:\program files\2Wire\sst\VNC\motvnc.exe
12/29/2008 01:33:48 Detected: Heur.KillFiles c:\program files\2Wire\sst\VNC\MotVNC.exe/WISE0011.BIN
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/hs~valert.htm
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/valert_old.htm
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/valert.htm
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/OEMIds.vbs
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/oemcfg.vbs
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/watermark_mys_150x130.gif
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/transpix.gif
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/sidetable_top_red.gif
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/sidetable_top.gif
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/sidetable_bottom_red.gif
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/sidetable_bottom.gif
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/more_info.gif
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/btn_signup_52x20.gif
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/arrow_right.gif
12/29/2008 01:33:36 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/CmnIds.vbs
12/29/2008 01:18:21 Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
12/29/2008 01:15:49 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.6.0_05\bin\java.exe
12/29/2008 01:15:38 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.6.0_02\bin\java.exe
12/29/2008 01:15:28 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.6.0_01\bin\java.exe
12/29/2008 01:15:19 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.6.0\bin\java.exe
12/29/2008 01:15:09 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.5.0_06\bin\javaws.exe
12/29/2008 01:15:09 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.5.0_06\bin\java.exe
12/29/2008 01:14:47 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\bin\pcfpatch
12/29/2008 01:14:47 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\bin\IAMime.dll
12/29/2008 01:14:47 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResRU.dll
12/29/2008 01:14:46 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResJP.dll
12/29/2008 01:14:46 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResIT.dll
12/29/2008 01:14:46 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResFR.dll
12/29/2008 01:14:45 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResES.dll
12/29/2008 01:14:45 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResDE.dll
12/29/2008 01:14:45 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResEn.dll
12/29/2008 01:13:09 Detected: http://www.viruslist.com/en/advisories/26027 c:\program files\EarthLink Setup\Windows\access\program files\EarthLink TotalAccess\Flash.ocx
12/29/2008 01:11:27 Detected: http://www.viruslist.com/en/advisories/26027 c:\program files\Common Files\AOL\Flasha.ocx
12/29/2008 01:10:18 Detected: http://www.viruslist.com/en/advisories/25023 c:\program files\Adobe\Photoshop Elements 5.0\Plug-Ins\File Formats\BMP.8BI
12/29/2008 01:09:17 Detected: http://www.viruslist.com/en/advisories/30832 c:\program files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll
12/29/2008 01:09:10 Untreated: Heur.KillFiles c:\program files\2Wire\sst\VNC\MotVNC.exe/WISE0011.BIN Postponed
12/29/2008 01:09:09 Detected: Heur.KillFiles c:\program files\2Wire\sst\VNC\MotVNC.exe/WISE0011.BIN
12/29/2008 01:05:56 Detected: http://www.viruslist.com/en/advisories/31010 c:\i386\javaws.exe
12/29/2008 01:05:56 Detected: http://www.viruslist.com/en/advisories/31010 c:\i386\java.exe
12/29/2008 01:05:38 Detected: http://www.viruslist.com/en/advisories/28083 c:\i386\Flash.ocx
12/29/2008 00:24:07 Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
12/29/2008 00:22:27 Task started
Full Scan: completed 12/31/2008 10:07:23 (events: 21, objects: 127185, time: 01:15:58)
12/29/2008 11:06:47 Task completed
12/29/2008 11:05:00 Task started
Full Scan: completed 12/31/2008 10:07:23 (events: 21, objects: 127185, time: 01:15:58)
12/29/2008 11:35:35 Task started
12/29/2008 11:38:03 Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
12/29/2008 11:48:19 Detected: HEUR:Trojan.Win32.KillFiles c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP722\A0073461.exe/WISE0011.BIN
12/29/2008 11:48:19 Untreated: HEUR:Trojan.Win32.KillFiles c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP722\A0073461.exe/WISE0011.BIN Postponed
12/29/2008 12:14:27 Detected: http://www.viruslist.com/en/advisories/28083 c:\i386\Flash.ocx
12/29/2008 12:14:49 Detected: http://www.viruslist.com/en/advisories/31010 c:\i386\java.exe
12/29/2008 12:14:49 Detected: http://www.viruslist.com/en/advisories/31010 c:\i386\javaws.exe
12/29/2008 12:18:04 Detected: HEUR:Trojan.Win32.KillFiles c:\program files\2Wire\sst\VNC\MotVNC.exe/WISE0011.BIN
12/29/2008 12:18:04 Untreated: HEUR:Trojan.Win32.KillFiles c:\program files\2Wire\sst\VNC\MotVNC.exe/WISE0011.BIN Postponed
12/29/2008 12:18:27 Detected: http://www.viruslist.com/en/advisories/30832 c:\program files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll
12/29/2008 12:19:17 Detected: http://www.viruslist.com/en/advisories/25023 c:\program files\Adobe\Photoshop Elements 5.0\Plug-Ins\File Formats\BMP.8BI
12/29/2008 12:20:22 Detected: http://www.viruslist.com/en/advisories/26027 c:\program files\Common Files\AOL\Flasha.ocx
12/29/2008 12:23:38 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResEn.dll
12/29/2008 12:23:38 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResDE.dll
12/29/2008 12:23:38 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResES.dll
12/29/2008 12:23:38 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResFR.dll
12/29/2008 12:23:38 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResIT.dll
12/29/2008 12:23:39 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResJP.dll
12/29/2008 12:23:39 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResRU.dll
12/29/2008 12:23:39 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\bin\IAMime.dll
12/29/2008 12:23:39 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\bin\pcfpatch
12/29/2008 12:24:02 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.5.0_06\bin\java.exe
12/29/2008 12:24:02 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.5.0_06\bin\javaws.exe
12/29/2008 12:24:10 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.6.0\bin\java.exe
12/29/2008 12:24:19 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.6.0_01\bin\java.exe
12/29/2008 12:24:30 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.6.0_02\bin\java.exe
12/29/2008 12:24:39 Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\jre1.6.0_05\bin\java.exe
12/29/2008 12:27:07 Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/CmnIds.vbs
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/arrow_right.gif
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/btn_signup_52x20.gif
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/more_info.gif
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/sidetable_bottom.gif
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/sidetable_bottom_red.gif
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/sidetable_top.gif
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/sidetable_top_red.gif
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/transpix.gif
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/images/watermark_mys_150x130.gif
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/oemcfg.vbs
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/OEMIds.vbs
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/valert.htm
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/valert_old.htm
12/29/2008 12:42:58 Password protected c:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6MNOYE3Y\valert[1].ui/hs~valert.htm
12/29/2008 12:43:09 Detected: HEUR:Trojan.Win32.KillFiles c:\program files\2Wire\sst\VNC\MotVNC.exe/WISE0011.BIN
12/29/2008 12:43:17 Moved to Quarantine: HEUR:Trojan.Win32.KillFiles c:\program files\2Wire\sst\VNC\motvnc.exe
12/29/2008 12:43:19 Detected: HEUR:Trojan.Win32.KillFiles c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP722\A0073461.exe/WISE0011.BIN
12/29/2008 12:43:19 Moved to Quarantine: HEUR:Trojan.Win32.KillFiles c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP722\a0073461.exe
12/29/2008 12:43:19 Task completed
Full Scan: completed 12/31/2008 10:07:23 (events: 21, objects: 127185, time: 01:15:58)
12/31/2008 08:51:25 Task started
12/31/2008 08:53:37 Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
12/31/2008 09:00:12 Detected: HEUR:Trojan.Win32.KillFiles c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP722\A0073461.exe/WISE0011.BIN
12/31/2008 09:00:12 Untreated: HEUR:Trojan.Win32.KillFiles c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP722\A0073461.exe/WISE0011.BIN Postponed
12/31/2008 09:36:29 Detected: http://www.viruslist.com/en/advisories/31010 c:\i386\java.exe
12/31/2008 09:36:29 Detected: http://www.viruslist.com/en/advisories/31010 c:\i386\javaws.exe
12/31/2008 09:39:51 Detected: HEUR:Trojan.Win32.KillFiles c:\program files\2Wire\sst\VNC\MotVNC.exe/WISE0011.BIN
12/31/2008 09:39:52 Untreated: HEUR:Trojan.Win32.KillFiles c:\program files\2Wire\sst\VNC\MotVNC.exe/WISE0011.BIN Postponed
12/31/2008 09:40:36 Detected: http://www.viruslist.com/en/advisories/25023 c:\program files\Adobe\Photoshop Elements 5.0\Plug-Ins\File Formats\BMP.8BI
12/31/2008 09:41:42 Detected: http://www.viruslist.com/en/advisories/26027 c:\program files\Common Files\AOL\Flasha.ocx
12/31/2008 09:46:23 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResDE.dll
12/31/2008 09:46:23 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResEn.dll
12/31/2008 09:46:26 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResFR.dll
12/31/2008 09:46:26 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResES.dll
12/31/2008 09:46:26 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResIT.dll
12/31/2008 09:46:26 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResJP.dll
12/31/2008 09:46:26 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\IAResRU.dll
12/31/2008 09:46:26 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\bin\IAMime.dll
12/31/2008 09:46:26 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\bin\pcfpatch
12/31/2008 09:50:32 Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
12/31/2008 10:07:23 Task completed
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:56, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CDelHotkeys Object - {78875F5C-A685-4405-8DC5-D48DC65452B0} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Delicious Toolbar - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: 2Wire Wireless Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Delicious - {2C887991-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Bookmarks - {2C887992-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Tag - {2C887993-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0269025828
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/ghbab ... player.cab
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 10237 bytes
sethro
Active Member
Posts: 13
Joined: December 26th, 2008, 12:46 pm

Re: Please help Hijack log posted (this replaces post from 12-26

Unread postby jmw3 » December 31st, 2008, 8:20 pm

sethro wrote: I couldn't get virus scan or the other to work,

What was the problem here? Could you not find the files or was it something else?

sethro wrote: (the online Kaspersky wouldn't work, possibly since I have Kaspersky so I am using that to scan

And here? Your Kaspersky Security Suite should not cause any problems. Did you get any error messages?
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Please help Hijack log posted (this replaces post from 12-26

Unread postby sethro » January 1st, 2009, 8:09 pm

The online Kaspersky scan opening screen, which has the choice of "accept" or "exit", would let me choose accept. First I got an error message saying that I needed to turn off my anti-virus software, which I did and tried again. This time no error message, but still could not choose "accept", only "exit".

I did get virus scan to work (I hadn't been able to find the file, so I copied it from your message and then hit upload, which worked). Results below:

File information
File Name : 6F9D126C11.sys
File Size : 88 byte
File Type : X11 SNF font data, LSB first
MD5 : 85899cc514f6225c4ffee2094522eba8
SHA1 : 59c8d34ad3488fa3149dc1ca2d7ce0e58842af52
Scanner results
Scanner results : All Scanners reported not find malware!
Time : 2009/01/01 18:59:23 (EST)
Scanner      Engine Ver        Sig Ver            Sig Date    Scan result  Time
a-squared    4.0.0.29          20090102023151     2009-01-02  -            2.196
AhnLab V3    2009.01.02.00     2009.01.02         2009-01-02  -            1.026
AntiVir      7.9.0.45          7.1.1.58           2009-01-01  -            1.663
Antiy        2.0.18            20090101.1949426   2009-01-01  -            0.121
Arcavir      1.0.5             200812131407       2008-12-13  -            1.205
Authentium   5.1.1             200901010724       2009-01-01  -            1.156
AVAST!       3.0.1             090101-0           2009-01-01  -            0.002
AVG          7.5.52.442        270.10.2/1871      2009-01-01  -            1.790
BitDefender  7.81008.2404627   7.22917            2009-01-02  -            2.269
CA (VET)     9.0.0.143         31.6.6287          2009-01-01  -            5.237
ClamAV       0.94.2            8825               2009-01-01  -            0.002
Comodo       3.0               859                2009-01-01  -            0.845
CP Secure    1.1.0.715         2009.01.01         2009-01-01  -            6.252
Dr.Web       4.44.0.9170       2009.01.01         2009-01-01  -            3.803
ewido        4.0.0.2           2008.12.31         2008-12-31  -            3.186
F-Prot       4.4.4.56          20090101           2009-01-01  -            1.141
F-Secure     5.51.6100         2009.01.01.03      2009-01-01  -            4.095
Fortinet     2.81-3.117        9.882              2009-01-01  -            0.149
GData        19.2207/19.168    20090101           2009-01-01  -            3.259
Ikarus       T3.1.01.45        2009.01.01.72094   2009-01-01  -            3.785
JiangMin     11.0.706          2008.12.21         2008-12-21  -            1.390
Kaspersky    5.5.10            2009.01.01         2009-01-01  -            0.095
KingSoft     2008.9.8.18       2009.1.1.20        2009-01-01  -            0.636
McAfee       5.3.00            5481               2009-01-01  -            2.756
Microsoft    1.4205            2009.01.02         2009-01-02  -            4.516
mks_vir      2.01              2008.12.31         2008-12-31  -            2.674
Norman       5.93.01           5.93.00            2009-01-01  -            5.925
nProtect     20090101.01       2835575            2009-01-01  -            3.741
Panda        9.05.01           2008.12.31         2008-12-31  -            0.554
Quick Heal   10.00             2008.11.17         2008-11-17  -            1.307
Rising       20.0              21.10.22.00        2008-12-31  -            0.299
Sophos       2.82.1            4.37               2009-01-02  -            1.954
Sunbelt      4755              4755               2008-12-22  -            0.429
Symantec     1.3.0.24          20090101.005       2009-01-01  -            0.169
The Hacker   6.3.1.2           v00204             2009-01-01  -            0.503
Trend Micro  8.700-1004        5.742.10           2009-01-01  -            0.020
VBA32        3.12.8.10         20090101.1137      2009-01-01  -            1.401
ViRobot      20081230          2008.12.30         2008-12-30  -            0.430
VirusBuster  4.5.11.10         10.100.12/757515   2009-01-02  -            0.979
Note: this file has been scanned before. Therefore, this file's scan result will not be stored in the database

sethro
Active Member
Posts: 13
Joined: December 26th, 2008, 12:46 pm