Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trying to fix my son's computer

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Trying to fix my son's computer

Unread postby phoebe » March 6th, 2008, 12:42 am

I'm trying to fix my son's computer. I know he has several trojans. Here's my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:30 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\WmFjaA\command.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\{388EC8F2-06C0-1033-0928-050506220001}\Update.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Documents and Settings\Zach\My Documents\M?crosoft.NET\n?tepad.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\Zach\APPLIC~1\CROSOF~1.NET\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\NoDNS\NoDNS.exe
C:\Documents and Settings\Zach\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Zach\Application Data\Microsoft\Windows\ibbmjl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://awesomehomepage.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Browse new fork rule] C:\Documents and Settings\All Users\Application Data\Wait Find Browse New\Rect lies.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wbt] "C:\Documents and Settings\Zach\My Documents\M?crosoft.NET\n?tepad.exe" 99001122
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [wait internet] C:\DOCUME~1\Zach\APPLIC~1\BUILDO~1\sixth log.exe
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\Zach\APPLIC~1\CROSOF~1.NET\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Zach\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Zach\Application Data\Microsoft\Windows\ibbmjl.exe
O4 - HKCU\..\Policies\Explorer\Run: [{388EC8F2-06C0-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-06C0-1033-0928-050506220001}\Update.exe" mc-110-12-0000140
O4 - HKCU\..\Policies\Explorer\Run: [{388EC8F2-06C1-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-06C1-1033-0928-050506220001}\Update.exe" mc-110-12-0000137
O4 - HKCU\..\Policies\Explorer\Run: [{388EC8F2-031E-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-031E-1033-0928-050506220001}\Update.exe" mc-110-12-0000137
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{388EC8F2-06C1-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-06C1-1033-0928-050506220001}\Update.exe" mc-110-12-0000137 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{388EC8F2-031E-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-031E-1033-0928-050506220001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{388EC8F2-06C1-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-06C1-1033-0928-050506220001}\Update.exe" mc-110-12-0000137 (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us26/n.cab
O20 - AppInit_DLLs: 67.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\WmFjaA\command.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\fsoxywuiv.html

--
End of file - 10259 bytes
phoebe
Active Member
 
Posts: 10
Joined: March 6th, 2008, 12:10 am
Advertisement
Register to Remove

Re: Trying to fix my son's computer

Unread postby ndmmxiaomayi » March 9th, 2008, 10:49 am

Hi,

Welcome to Malware Removal.

I'm researching your log now and will get back to you in a while.

Thank you for your patience.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Trying to fix my son's computer

Unread postby ndmmxiaomayi » March 9th, 2008, 12:50 pm

Hi again,

Some questions before I give instructions to move on.

Your log showed that a backdoor trojan was perhaps on the computer before.

Do you or your son or anyone else use this computer for online banking or other financial services?

Does this computer has any sensitive information and/or documents? Like passwords, important work documents, etc.




Step 1

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer. Save it to your desktop.

If you can't download it, please try these 2 alternative sites:

Forospyware
Geeks to Go

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 2

  1. Please download and install CCleaner Slim.
  2. Once installed, double click on the desktop shortcut created.
  3. On the leftmost column, click on Tools.
  4. On the middle column, click on Uninstall.
  5. At the bottom right hand corner, click on the Save to text file... button.
  6. By default, it saves this file to C:\Program Files\CCleaner named install.txt. You may want to save it to your desktop to find it easily. Click Save.
  7. Close CCleaner.

Note: Doing this will not uninstall any programs. It will only produce a log of installed programs on your computer.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
  3. CCleaner install.txt file
  4. If the computer has any sensitive information and if anybody uses it to access financial services
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Trying to fix my son's computer

Unread postby phoebe » March 10th, 2008, 11:12 am

Thank you for your reply.

This is my son's computer and he is 17 years old but hasn't used the computer in about a year because it's in such bad shape. So no this computer has never accessed any financial information or online banking. I've tried several things to clean up the computer including running spybot, ccleaner, and I recently bought System Suite 8 professional. Nothing seems to work. I am currently at work and will do your recommendations when I get home later and post the results.
phoebe
Active Member
 
Posts: 10
Joined: March 6th, 2008, 12:10 am

Re: Trying to fix my son's computer

Unread postby ndmmxiaomayi » March 10th, 2008, 11:25 am

Thank you for your confirmation. I will wait for your logs then. :)
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Trying to fix my son's computer

Unread postby phoebe » March 10th, 2008, 9:23 pm

Thanks again!

Here is the Combofix log:

ComboFix 08-03-10.1 - Zach 2008-03-10 20:23:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.444 [GMT -4:00]
Running from: C:\Documents and Settings\Zach\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Zach\Application Data\CROSOF~1.NET
C:\Documents and Settings\Zach\Application Data\CROSOF~1.NET\??crosoft.NET\
C:\Documents and Settings\Zach\Application Data\CROSOF~1.NET\mshta.exe
C:\Documents and Settings\Zach\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Zach\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\Zach\Application Data\Install.dat
C:\Documents and Settings\Zach\Application Data\WinTouch
C:\Documents and Settings\Zach\Application Data\WinTouch\fusion.cfg.916b0de11aa3a44b17d0c48816f5055a.07a48ea92d19c55de72f0278023c4e44
C:\Documents and Settings\Zach\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Zach\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Zach\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Zach\install.exe
C:\Documents and Settings\Zach\My Documents\MCROSO~1.NET
C:\Documents and Settings\Zach\My Documents\MCROSO~1.NET\n?tepad.exe
C:\Documents and Settings\Zach\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Zach\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Zach\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\install.exe
C:\Program Files\Common Files\{388EC~1
C:\Program Files\Common Files\{388EC~1\Bar888.dll
C:\Program Files\Common Files\{388EC~1\UnInstall.exe
C:\Program Files\Common Files\{388EC~2
C:\Program Files\Common Files\{388EC~2\Bar888.dll
C:\Program Files\Common Files\{388EC~2\system.dll
C:\Program Files\Common Files\{388EC~2\UnInstall.exe
C:\Program Files\Common Files\{388EC~2\Update.exe
C:\Program Files\Common Files\{388EC~3
C:\Program Files\Common Files\{388EC~3\Bar888.dll
C:\Program Files\Common Files\{388EC~3\system.dll
C:\Program Files\Common Files\{388EC~3\UnInstall.exe
C:\Program Files\deluxecommunications
C:\Program Files\deluxecommunications\Dxc.exe
C:\Program Files\deluxecommunications\DxcBho.dll
C:\Program Files\deluxecommunications\DxcCore.dll
C:\Program Files\deskalerts
C:\Program Files\deskalerts\basis.xml
C:\Program Files\deskalerts\Cache\e832b941f059b5e8b09f048e1f35996c.xml
C:\Program Files\deskalerts\cancel_button.gif
C:\Program Files\deskalerts\deskbar.crc
C:\Program Files\deskalerts\deskbar.dll
C:\Program Files\deskalerts\deskbar.inf
C:\Program Files\deskalerts\history.html
C:\Program Files\deskalerts\hs_delete.bmp
C:\Program Files\deskalerts\hs_search.bmp
C:\Program Files\deskalerts\icons.bmp
C:\Program Files\deskalerts\mbclose.bmp
C:\Program Files\deskalerts\mblogo.bmp
C:\Program Files\deskalerts\newversion.txt
C:\Program Files\deskalerts\notify.wav
C:\Program Files\deskalerts\options.html
C:\Program Files\deskalerts\save_button.gif
C:\Program Files\deskalerts\title_back.gif
C:\Program Files\deskalerts\version.txt
C:\Program Files\inetget2
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\Messenger\fsoxywuiv.html
C:\Program Files\NoDNS
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\Program Files\winpop
C:\WINDOWS\b104.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\bisekhfu.dll
C:\WINDOWS\system32\bkd.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\2new.exe
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\Delcom.exe
C:\WINDOWS\system32\bund1\mac.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\bund1\Yzz.exe
C:\WINDOWS\system32\bund1\zq.exe
C:\WINDOWS\system32\dyeiywiv.dll
C:\WINDOWS\system32\metahpsn.dll
C:\WINDOWS\system32\nsphatem.ini
C:\WINDOWS\system32\oiieglg.dll
C:\WINDOWS\system32\pstwa.bak1
C:\WINDOWS\system32\pstwa.bak2
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\ubeflrnf.dll
C:\WINDOWS\system32\wnstscc.exe
C:\WINDOWS\WmFjaA\
C:\WINDOWS\WmFjaA\\asappsrv.dll
C:\WINDOWS\WmFjaA\\command.exe
C:\WINDOWS\WmFjaA\\qAI3uE.vbs
C:\WINDOWS\WmFjaA\command.exe
C:\x.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\Client IP-IPX
-------\cmdService
-------\nm


((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-10 19:56 . 2008-03-10 19:56 43,060 --a------ C:\WINDOWS\hGFdeYYm64pUIdwQ.exe
2008-03-05 22:29 . 2008-03-05 22:29 <DIR> d-------- C:\Program Files\nvcoi
2008-03-04 09:55 . 2008-03-04 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Wait Find Browse New
2008-03-04 09:54 . 2008-03-04 09:54 <DIR> d-------- C:\Program Files\BUILDONLINEMEMO
2008-03-04 09:39 . 2008-03-04 09:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avanquest
2008-03-04 09:38 . 2008-03-04 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-04 09:37 . 2008-03-04 09:37 <DIR> dr-hs---- C:\_Backup.RC
2008-03-04 09:37 . 2008-03-10 20:18 <DIR> d--h----- C:\_Backup
2008-03-04 09:31 . 2008-03-04 09:31 <DIR> d-------- C:\Documents and Settings\Zach\Application Data\Avanquest
2008-03-04 09:30 . 2008-03-04 09:30 <DIR> d-------- C:\Program Files\Avanquest
2008-03-04 09:22 . 2008-03-04 09:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-03 21:09 . 2008-03-03 21:06 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-03 21:09 . 2008-03-03 21:09 2,538 --a------ C:\WINDOWS\unins000.dat
2008-03-03 19:09 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-03 18:41 . 2008-03-03 18:41 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-03-03 18:30 . 2008-03-03 18:30 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 04:05 --------- d-----w C:\Program Files\Trend Micro
2008-03-06 01:33 --------- d-----w C:\Program Files\GameSpy Arcade
2008-03-06 01:31 --------- d-----w C:\Program Files\Coding Workshop Ringtone Converter
2008-03-05 14:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 14:09 --------- d-----w C:\Program Files\Windows TaskAd
2008-03-04 13:55 --------- d-----w C:\Documents and Settings\Zach\Application Data\BUILDONLINEMEMO
2008-03-04 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 01:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-31 18:15 29,600 ----a-w C:\WINDOWS\system32\mxntdfg.exe
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-08-30 03:25 25,214 ----a-w C:\Program Files\B.ico
2007-08-30 03:25 25,214 ----a-w C:\Program Files\A.ico
2007-08-30 03:25 217,707 ----a-w C:\Program Files\b.zip
2007-08-30 03:25 201,628 ----a-w C:\Program Files\a.zip
2007-08-28 14:48 209 ----a-w C:\Documents and Settings\Zach\7999.bat
2007-08-28 14:46 32,768 ----a-w C:\Documents and Settings\Zach\setup9x.exe
2007-08-27 15:34 209 ----a-w C:\Documents and Settings\Zach\7212.bat
2007-08-27 15:33 46,464 ----a-w C:\Documents and Settings\Zach\app.exe
2007-06-01 00:34 167 ----a-w C:\Documents and Settings\Zach\9322.bat
2007-05-30 02:52 167 ----a-w C:\Documents and Settings\Zach\8543.bat
2007-05-29 23:15 167 ----a-w C:\Documents and Settings\Zach\7485.bat
2007-05-29 23:11 218,607 ----a-w C:\Program Files\c.zip
2007-04-17 01:00 167 ----a-w C:\Documents and Settings\Zach\9624.bat
2007-04-17 00:50 167 ----a-w C:\Documents and Settings\Zach\8343.bat
2007-04-06 02:40 167 ----a-w C:\Documents and Settings\Zach\7030.bat
2007-04-01 16:59 167 ----a-w C:\Documents and Settings\Zach\2862.bat
2007-03-27 02:27 114 ----a-w C:\Documents and Settings\Zach\hhjj.bat
2007-03-18 03:03 201 ----a-w C:\Documents and Settings\Zach\q.bat
2007-03-05 02:32 63 ----a-w C:\Documents and Settings\Zach\yyd.bat
2006-12-15 16:26 56 --sh--r C:\WINDOWS\system32\6BBBA92CDF.sys
2006-12-15 16:26 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFEBC9CE-F8B2-4EF8-86ED-374376EEECD1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB103367-1C75-4AE2-B7A0-2296236DE6D1}]
2007-03-17 21:47 70144 --a------ C:\Program Files\Messenger\bapujoc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39 176201]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Wbt"="C:\Documents and Settings\Zach\My Documents\M?crosoft.NET\n?tepad.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 11:23 68856]
"wait internet"="C:\DOCUME~1\Zach\APPLIC~1\BUILDO~1\sixth log.exe" [2008-03-04 09:54 445952]
"Uaol"="C:\DOCUME~1\Zach\APPLIC~1\CROSOF~1.NET\mshta.exe" [ ]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-05 22:29 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 19:24 684032]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 18:30 823362]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 13:06 106496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-20 03:19 185896]
"VirusScannerPro"="C:\PROGRA~1\AVANQU~1\SYSTEM~1\MemCheck.exe" [2008-02-01 04:05 173312]
"Browse new fork rule"="C:\Documents and Settings\All Users\Application Data\Wait Find Browse New\Rect lies.exe" [2008-03-10 20:47 2928640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" [2006-01-12 10:32 128648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-11-28 13:17:11 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 13:59:36 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{388EC8F2-06C0-1033-0928-050506220001}"= "C:\Program Files\Common Files\{388EC8F2-06C0-1033-0928-050506220001}\Update.exe" mc-110-12-0000140
"{388EC8F2-06C1-1033-0928-050506220001}"= "C:\Program Files\Common Files\{388EC8F2-06C1-1033-0928-050506220001}\Update.exe" mc-110-12-0000137
"{388EC8F2-031E-1033-0928-050506220001}"= "C:\Program Files\Common Files\{388EC8F2-031E-1033-0928-050506220001}\Update.exe" mc-110-12-0000137

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"{388EC8F2-06C1-1033-0928-050506220001}"= "C:\Program Files\Common Files\{388EC8F2-06C1-1033-0928-050506220001}\Update.exe" mc-110-12-0000137
"{388EC8F2-06C0-1033-0928-050506220001}"= "C:\Program Files\Common Files\{388EC8F2-06C0-1033-0928-050506220001}\Update.exe" mc-110-12-0000137
"{388EC8F2-031E-1033-0928-050506220001}"= "C:\Program Files\Common Files\{388EC8F2-031E-1033-0928-050506220001}\Update.exe" mc-110-12-0000140

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljghih]
mljghih.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqqom]
rqrqqom.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=67.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 18:33 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 23:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 16:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2004-10-30 16:59 385024 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-09-08 21:20 8192 C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]
C:\DOCUME~1\Zach\APPLIC~1\CROSOF~1.NET\mshta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wait internet]
--a------ 2008-03-04 09:54 445952 C:\DOCUME~1\Zach\APPLIC~1\BUILDO~1\sixth log.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 KFilter;KFilter;C:\PROGRA~1\AVANQU~1\SYSTEM~1\KFilter.sys [2008-01-31 14:11]
R3 MailScan;MailScan;C:\PROGRA~1\AVANQU~1\SYSTEM~1\MailScan.sys [2008-02-01 04:05]
R3 TFilter;TFilter;C:\PROGRA~1\AVANQU~1\SYSTEM~1\TFilter.sys [2008-01-31 12:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - MAILSCAN
.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 00:00:01 C:\WINDOWS\Tasks\AEF1781F918EE8CB.job"
- c:\docume~1\zach\applic~1\buildo~1\Gram help bleh.exe
"2008-03-05 21:03:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 20:45:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-03-10 20:49:02 - machine was rebooted [Zach]
ComboFix-quarantined-files.txt 2008-03-11 00:48:58
.
2008-03-04 05:43:48 --- E O F ---

Here is the CCleaner Install.txt

Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
ALPS Touch Pad Driver
AOLIcon
Apple Software Update
ATI Control Panel
ATI Display Driver
Broadcom Management Programs 2
CCleaner (remove only)
CiD Help
Conexant D110 MDC V.9x Modem
CopySafe Plugin
Corel Photo Album 6
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Support 3.1
Dell System Restore
Digital Content Portal
Digital Line Detect
EducateU
ESPNMotion
GemMaster Mystic
Google Toolbar for Internet Explorer
GTR 2 Demo
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Intel(R) PROSet/Wireless Software
InterActual Player
Internal Network Card Power Management
Internet Explorer Default Page
iPod for Windows 2005-02-07
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
Macromedia Flash Player
Macromedia Flash Player 8
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office 2000 Premium
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
Mp3Decode
mPfMgr
mPfWiz
mProSafe
MSN Music Assistant
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
mToolkit
Musicmatch® Jukebox
mWlsSafe
mXML
mZConfig
NetWaiting
NoDNS
nvcoi
Power Tab Editor 1.7
PowerDVD 5.5
Qualxserve Service Agreement
QuickBooks
QuickBooks Simple Start Special Edition
QuickSet
QuickTime
RealPlayer
Sanyo USB Driver
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic Copy Module
Sonic DLA
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SystemSuite 8 Professional
Teach Me Guitar v1.03
The Sims 2
TMASOEDL
TMASOLDL
Tony Hawks Pro Skater 4 Demo
Trend Micro PC-cillin Internet Security 12
TriJinx
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Weather Maker RX Demo
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892627
Windows XP Hotfix - KB893056
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB908250
WinRAR archiver
Win-Touch.com
WordPerfect Office 12
Yahoo! Anti-Spy
Yahoo! Toolbar


Here is a new HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:32 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://awesomehomepage.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BFEBC9CE-F8B2-4EF8-86ED-374376EEECD1} - \
O2 - BHO: 0 - {DB103367-1C75-4AE2-B7A0-2296236DE6D1} - C:\Program Files\Messenger\bapujoc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Browse new fork rule] C:\Documents and Settings\All Users\Application Data\Wait Find Browse New\Rect lies.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wbt] "C:\Documents and Settings\Zach\My Documents\M?crosoft.NET\n?tepad.exe" 99001122
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [wait internet] C:\DOCUME~1\Zach\APPLIC~1\BUILDO~1\sixth log.exe
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\Zach\APPLIC~1\CROSOF~1.NET\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Policies\Explorer\Run: [{388EC8F2-06C0-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-06C0-1033-0928-050506220001}\Update.exe" mc-110-12-0000140
O4 - HKCU\..\Policies\Explorer\Run: [{388EC8F2-06C1-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-06C1-1033-0928-050506220001}\Update.exe" mc-110-12-0000137
O4 - HKCU\..\Policies\Explorer\Run: [{388EC8F2-031E-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-031E-1033-0928-050506220001}\Update.exe" mc-110-12-0000137
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{388EC8F2-06C1-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-06C1-1033-0928-050506220001}\Update.exe" mc-110-12-0000137 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{388EC8F2-031E-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-031E-1033-0928-050506220001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{388EC8F2-06C1-1033-0928-050506220001}] "C:\Program Files\Common Files\{388EC8F2-06C1-1033-0928-050506220001}\Update.exe" mc-110-12-0000137 (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us26/n.cab
O20 - AppInit_DLLs: 67.dll
O20 - Winlogon Notify: mljghih - mljghih.dll (file missing)
O20 - Winlogon Notify: rqrqqom - rqrqqom.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10145 bytes
phoebe
Active Member
 
Posts: 10
Joined: March 6th, 2008, 12:10 am

Re: Trying to fix my son's computer

Unread postby ndmmxiaomayi » March 11th, 2008, 6:20 am

Hi,

Step 1

Please go to Virus Total or Jotti and upload C:\WINDOWS\system32\mxntdfg.exe for scanning.

For Virus Total

  1. Please copy and paste C:\WINDOWS\system32\mxntdfg.exe in the text box next to the Browse button.
  2. Click on Send File.

For Jotti

  1. Please copy and paste C:\WINDOWS\system32\mxntdfg.exe in the text box next to the Browse button.
  2. Click on Submit.

Step 2

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code: Select all
@echo off
echo Working...
for /L %%a in (2000,1,9999) do (
if exist "C:\Documents and Settings\Zach\%%a.bat" (
echo. >> C:\results.txt
echo Contents of %%a.bat >> C:\results.txt
echo. >> C:\results.txt
type "C:\Documents and Settings\Zach\%%a.bat" >> C:\results.txt
echo. >> C:\results.txt
)
)
echo. >> C:\results.txt
echo Contents of hhjj.bat >> C:\results.txt
echo. >> C:\results.txt
type "C:\Documents and Settings\Zach\hhjj.bat" >> C:\results.txt
echo. >> C:\results.txt
echo Contents of q.bat >> C:\results.txt
echo. >> C:\results.txt
type "C:\Documents and Settings\Zach\q.bat" >> C:\results.txt
echo. >> C:\results.txt
echo Contents of yydd.bat >> C:\results.txt
echo. >> C:\results.txt
type "C:\Documents and Settings\Zach\yyd.bat" >> C:\results.txt
start notepad C:\results.txt


Click on File > Save As....

In the File Name box, copy and paste in check.bat

In the Save As Type box, select All Files from the drop-down list.

Click Save.

Double click on check.bat to run it. Command Prompt will open and close quickly; this is normal. Notepad will open shortly afterwards. Please post the contents of this Notepad file in your next reply.

Step 3

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System. You are using Windows XP Professional Service Pack 2 (SP2).

Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not restart or shut down your machine until we have reviewed the log.

In your next reply, please post:

  1. Virus Total or Jotti's scan results of the file
  2. Contents of Notepad file that opens from Step 2 (C:\results.txt)
  3. Combofix CF_RC.txt file
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Trying to fix my son's computer

Unread postby phoebe » March 11th, 2008, 8:57 pm

Thanks!

Here are the logs you requested:

Virus Total

File mxntdfg.exe_ received on 03.12.2008 01:19:48 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/31 (0%)
Loading server information...
Your file is queued in position: 13.
Estimated start time is between 80 and 115 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.3.12.0 2008.03.11 -
AntiVir 7.6.0.73 2008.03.11 -
Authentium 4.93.8 2008.03.11 -
Avast 4.7.1098.0 2008.03.11 -
AVG 7.5.0.516 2008.03.11 -
BitDefender 7.2 2008.03.12 -
CAT-QuickHeal 9.50 2008.03.10 -
ClamAV 0.92.1 2008.03.11 -
DrWeb 4.44.0.09170 2008.03.11 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5607 2008.03.11 -
Ewido 4.0 2008.03.11 -
FileAdvisor 1 2008.03.12 -
Fortinet 3.14.0.0 2008.03.11 -
F-Prot 4.4.2.54 2008.03.11 -
F-Secure 6.70.13260.0 2008.03.11 -
Ikarus T3.1.1.20 2008.03.11 -
Kaspersky 7.0.0.125 2008.03.12 -
McAfee 5249 2008.03.11 -
Microsoft 1.3301 2008.03.12 -
NOD32v2 2938 2008.03.11 -
Norman 5.80.02 2008.03.11 -
Panda 9.0.0.4 2008.03.12 -
Prevx1 V2 2008.03.12 -
Rising 20.35.12.00 2008.03.11 -
Sophos 4.27.0 2008.03.12 -
Sunbelt 3.0.930.0 2008.03.05 -
TheHacker 6.2.92.241 2008.03.11 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.11 -
Webwasher-Gateway 6.6.2 2008.03.11 -
Additional information
File size: 29600 bytes
MD5: 759d158c6a9e67cf83d3ca67b461427d
SHA1: afb684eaa753b67923dffd5e35f5496f19d54bc8
PEiD: -


Results from step 2:

Contents of 2862.bat

@Echo off
:S
Del app.exe
If Exist app.exe Goto S
:T
Del install.exe
If Exist install.exe Goto T
:D
Del setup9x.exe
If Exist setup9x.exe Goto D
Del 2862.bat


Contents of 7030.bat

@Echo off
:S
Del app.exe
If Exist app.exe Goto S
:T
Del install.exe
If Exist install.exe Goto T
:D
Del setup9x.exe
If Exist setup9x.exe Goto D
Del 7030.bat


Contents of 7212.bat

@Echo off
:S
Del app.exe
If Exist app.exe Goto S
:T
Del install.exe
If Exist install.exe Goto T
:T
Del rev.exe
If Exist rev.exe Goto T
:D
Del setup9x.exe
If Exist setup9x.exe Goto D
Del 7212.bat


Contents of 7485.bat

@Echo off
:S
Del app.exe
If Exist app.exe Goto S
:T
Del install.exe
If Exist install.exe Goto T
:D
Del setup9x.exe
If Exist setup9x.exe Goto D
Del 7485.bat


Contents of 7999.bat

@Echo off
:S
Del app.exe
If Exist app.exe Goto S
:T
Del install.exe
If Exist install.exe Goto T
:T
Del rev.exe
If Exist rev.exe Goto T
:D
Del setup9x.exe
If Exist setup9x.exe Goto D
Del 7999.bat


Contents of 8343.bat

@Echo off
:S
Del app.exe
If Exist app.exe Goto S
:T
Del install.exe
If Exist install.exe Goto T
:D
Del setup9x.exe
If Exist setup9x.exe Goto D
Del 8343.bat


Contents of 8543.bat

@Echo off
:S
Del app.exe
If Exist app.exe Goto S
:T
Del install.exe
If Exist install.exe Goto T
:D
Del setup9x.exe
If Exist setup9x.exe Goto D
Del 8543.bat


Contents of 9322.bat

@Echo off
:S
Del app.exe
If Exist app.exe Goto S
:T
Del install.exe
If Exist install.exe Goto T
:D
Del setup9x.exe
If Exist setup9x.exe Goto D
Del 9322.bat


Contents of 9624.bat

@Echo off
:S
Del app.exe
If Exist app.exe Goto S
:T
Del install.exe
If Exist install.exe Goto T
:D
Del setup9x.exe
If Exist setup9x.exe Goto D
Del 9624.bat


Contents of hhjj.bat

@Echo off
:H
Del install.exe
If Exist install.exe Goto H
Del *.exe
del c:\*.exe
del d:\*.exe
del hhjj.bat

Contents of q.bat

@Echo off
:A
Del setup9x.exe
If Exist setup9x.exe Goto A
:B
Del app.exe
If Exist app.exe Goto B
:C
Del setup9x.exe
If Exist setup9x.exe Goto C
Del *.exe
del c:\*.exe
del d:\*.exe
del q.bat
Contents of yydd.bat

@Echo off
Del *.exe
del c:\*.exe
del d:\*.exe
del yyd.bat

Combofix CF_RC.txt file:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
phoebe
Active Member
 
Posts: 10
Joined: March 6th, 2008, 12:10 am

Re: Trying to fix my son's computer

Unread postby ndmmxiaomayi » March 12th, 2008, 10:54 am

Hi,

Please restart your computer. After that, please do the following:

Step 1

  1. Click on Start > Control Panel. Double click on Add/Remove Programs.
  2. Locate CiD Help and click on Change/Remove to uninstall it.
  3. Repeat for these programs:
      NoDNS
      nvcoi
      Win-Touch.com
  4. Close Add/Remove Programs and Control Panel. Restart your computer. This is important!

Step 2

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code: Select all
http://malwareremoval.com/forum/viewtopic.php?f=11&t=28505

Collect::
C:\WINDOWS\hGFdeYYm64pUIdwQ.exe

Folder::
C:\Documents and Settings\All Users\Application Data\Wait Find Browse New
C:\Program Files\Windows TaskAd
C:\Program Files\nvcoi

DirLook::
C:\Documents and Settings\Zach\Application Data\BUILDONLINEMEMO

Suspect::
C:\WINDOWS\system32\mxntdfg.exe
C:\Program Files\b.zip
C:\Program Files\a.zip
C:\Program Files\c.zip

File::
C:\Documents and Settings\Zach\7999.bat
C:\Documents and Settings\Zach\setup9x.exe
C:\Documents and Settings\Zach\7212.bat
C:\Documents and Settings\Zach\app.exe
C:\Documents and Settings\Zach\9322.bat
C:\Documents and Settings\Zach\8543.bat
C:\Documents and Settings\Zach\7485.bat
C:\Documents and Settings\Zach\9624.bat
C:\Documents and Settings\Zach\8343.bat
C:\Documents and Settings\Zach\7030.bat
C:\Documents and Settings\Zach\2862.bat
C:\Documents and Settings\Zach\hhjj.bat
C:\Documents and Settings\Zach\q.bat
C:\Documents and Settings\Zach\yyd.bat
C:\WINDOWS\system32\6BBBA92CDF.sys
C:\Program Files\Messenger\bapujoc.dll
C:\WINDOWS\Tasks\AEF1781F918EE8CB.job

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFEBC9CE-F8B2-4EF8-86ED-374376EEECD1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB103367-1C75-4AE2-B7A0-2296236DE6D1}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wbt"=-
"wait internet"=-
"Uaol"=-
"nvcoi"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Browse new fork rule"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{388EC8F2-06C0-1033-0928-050506220001}"=-
"{388EC8F2-06C1-1033-0928-050506220001}"=-
"{388EC8F2-031E-1033-0928-050506220001}"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"{388EC8F2-06C1-1033-0928-050506220001}"=-
"{388EC8F2-06C0-1033-0928-050506220001}"=-
"{388EC8F2-031E-1033-0928-050506220001}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljghih]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqqom]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wait internet]


Warning: The above script is just for phoebe. Do not use this script if you are not phoebe. This may cause damage to your operating system if you do so.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

Image

Combofix will start running. When done, a log will be produced. Please post this log in your reply.

In addition, Combofix will prompt to submit some files for analysis. Click OK.

Image

Copy and paste the file path into the text box next to the Browse button (boxed up in red).

Image

Click on Send File.

In your next reply, please post:

  1. Combofix log
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Trying to fix my son's computer

Unread postby phoebe » March 12th, 2008, 10:22 pm

Thanks! I did all the steps you told me to. However I got to the part where Combofix says it has to submit files for further analysis. I was connected to the internet but never got a box in which to submit the file. I didn't want to run combofix again as I didn't know what it would do if I ran it a second time. Here are the 2 log files you requested:

Combofix Log:

ComboFix 08-03-10.1 - Zach 2008-03-12 21:57:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.513 [GMT -4:00]
Running from: C:\Documents and Settings\Zach\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zach\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Zach\2862.bat
C:\Documents and Settings\Zach\7030.bat
C:\Documents and Settings\Zach\7212.bat
C:\Documents and Settings\Zach\7485.bat
C:\Documents and Settings\Zach\7999.bat
C:\Documents and Settings\Zach\8343.bat
C:\Documents and Settings\Zach\8543.bat
C:\Documents and Settings\Zach\9322.bat
C:\Documents and Settings\Zach\9624.bat
C:\Documents and Settings\Zach\app.exe
C:\Documents and Settings\Zach\hhjj.bat
C:\Documents and Settings\Zach\q.bat
C:\Documents and Settings\Zach\setup9x.exe
C:\Documents and Settings\Zach\yyd.bat
C:\Program Files\Messenger\bapujoc.dll
C:\WINDOWS\system32\6BBBA92CDF.sys
C:\WINDOWS\Tasks\AEF1781F918EE8CB.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Wait Find Browse New
C:\Documents and Settings\Zach\2862.bat
C:\Documents and Settings\Zach\7030.bat
C:\Documents and Settings\Zach\7212.bat
C:\Documents and Settings\Zach\7485.bat
C:\Documents and Settings\Zach\7999.bat
C:\Documents and Settings\Zach\8343.bat
C:\Documents and Settings\Zach\8543.bat
C:\Documents and Settings\Zach\9322.bat
C:\Documents and Settings\Zach\9624.bat
C:\Documents and Settings\Zach\app.exe
C:\Documents and Settings\Zach\hhjj.bat
C:\Documents and Settings\Zach\q.bat
C:\Documents and Settings\Zach\setup9x.exe
C:\Documents and Settings\Zach\yyd.bat
C:\Program Files\Messenger\bapujoc.dll
C:\Program Files\Messenger\fsoxywuiv.html
C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Windows TaskAd
C:\WINDOWS\system32\6BBBA92CDF.sys

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-04 09:39 . 2008-03-04 09:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avanquest
2008-03-04 09:38 . 2008-03-04 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-04 09:37 . 2008-03-04 09:37 <DIR> dr-hs---- C:\_Backup.RC
2008-03-04 09:37 . 2008-03-10 20:18 <DIR> d--h----- C:\_Backup
2008-03-04 09:31 . 2008-03-04 09:31 <DIR> d-------- C:\Documents and Settings\Zach\Application Data\Avanquest
2008-03-04 09:30 . 2008-03-04 09:30 <DIR> d-------- C:\Program Files\Avanquest
2008-03-04 09:22 . 2008-03-04 09:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-03 21:09 . 2008-03-03 21:06 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-03 21:09 . 2008-03-03 21:09 2,538 --a------ C:\WINDOWS\unins000.dat
2008-03-03 19:09 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-03 18:41 . 2008-03-03 18:41 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-03-03 18:30 . 2008-03-03 18:30 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 04:05 --------- d-----w C:\Program Files\Trend Micro
2008-03-06 01:33 --------- d-----w C:\Program Files\GameSpy Arcade
2008-03-06 01:31 --------- d-----w C:\Program Files\Coding Workshop Ringtone Converter
2008-03-05 14:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 01:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-31 18:15 29,600 ----a-w C:\WINDOWS\system32\mxntdfg.exe
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-08-30 03:25 25,214 ----a-w C:\Program Files\B.ico
2007-08-30 03:25 25,214 ----a-w C:\Program Files\A.ico
2007-08-30 03:25 217,707 ----a-w C:\Program Files\b.zip
2007-08-30 03:25 201,628 ----a-w C:\Program Files\a.zip
2007-05-29 23:11 218,607 ----a-w C:\Program Files\c.zip
2006-12-15 16:26 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Zach\Application Data\BUILDONLINEMEMO ----

C:\Documents and Settings\Zach\Application Data\BUILDONLINEMEMO\


((((((((((((((((((((((((((((( snapshot@2008-03-10_20.48.45.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-04 20:09:48 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39 176201]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 11:23 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 19:24 684032]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 18:30 823362]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 13:06 106496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-20 03:19 185896]
"VirusScannerPro"="C:\PROGRA~1\AVANQU~1\SYSTEM~1\MemCheck.exe" [2008-02-01 04:05 173312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" [2006-01-12 10:32 128648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-11-28 13:17:11 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 13:59:36 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 18:33 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 23:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 16:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2004-10-30 16:59 385024 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-09-08 21:20 8192 C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 KFilter;KFilter;C:\PROGRA~1\AVANQU~1\SYSTEM~1\KFilter.sys [2008-01-31 14:11]
R3 MailScan;MailScan;C:\PROGRA~1\AVANQU~1\SYSTEM~1\MailScan.sys [2008-02-01 04:05]
R3 TFilter;TFilter;C:\PROGRA~1\AVANQU~1\SYSTEM~1\TFilter.sys [2008-01-31 12:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 20:03:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 22:02:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-03-12 22:06:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-13 02:05:58
ComboFix2.txt 2008-03-11 00:49:03
.
2008-03-12 07:01:56 --- E O F ---


HiJackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:03 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://awesomehomepage.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\SYSTEM~1\MemCheck.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us26/n.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8249 bytes
phoebe
Active Member
 
Posts: 10
Joined: March 6th, 2008, 12:10 am

Re: Trying to fix my son's computer

Unread postby ndmmxiaomayi » March 13th, 2008, 1:30 am

Hi,

You can submit the file to this link - http://www.bleepingcomputer.com/submit- ... ?channel=4

In the Link to your topic, copy and paste this in: http://malwareremoval.com/forum/viewtopic.php?f=11&t=28505

  1. Download deljob.exe and save it to your desktop.
  2. Double click on Deljob.exe.
  3. A log, (logit.txt) will open afterwards. If it doesn't, please locate this log on your C drive.
  4. Please post the contents of the logfile in your next reply together with a new HijackThis log.

In your next reply, please post:

  1. Deljob report (C:\logit.txt)
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Trying to fix my son's computer

Unread postby phoebe » March 13th, 2008, 7:19 pm

Hi! I posted the file to bleepingcomputer.com. Here are the logs you requested:

Logit.txt

--------------------------------------------------------
No LOP job-files found
--------------------------------------------------------
Files in Windows Tasks folder

AppleSoftwareUpdate.job
--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 388E-C8F2

Directory of C:\Documents and Settings\Zach\Application Data

03/12/2008 09:46 PM <DIR> .
03/12/2008 09:46 PM <DIR> ..
02/06/2006 03:00 PM <DIR> Adobe
09/21/2006 12:10 AM <DIR> AdobeUM
12/25/2005 10:38 AM <DIR> APPLEC~1 Apple Computer
03/04/2008 09:31 AM <DIR> AVANQU~1 Avanquest
12/09/2006 11:36 PM <DIR> CALIBR~1 Calibre Software Solutions
12/05/2005 10:14 PM <DIR> Corel
12/12/2005 11:32 PM <DIR> CORELP~1 Corel Photo Album
01/23/2006 09:56 PM <DIR> CYBERL~1 CyberLink
12/06/2006 06:32 PM <DIR> Google
11/28/2005 01:26 PM <DIR> Gtek
01/17/2006 08:40 PM <DIR> Help
08/16/2005 06:50 AM <DIR> IDENTI~1 Identities
11/28/2005 01:14 PM <DIR> Intel
12/05/2005 10:20 PM <DIR> LEADER~1 Leadertech
02/06/2006 06:56 PM <DIR> LIONHE~1 Lionhead Studios
12/05/2005 09:31 PM <DIR> MACROM~1 Macromedia
12/22/2006 12:38 AM <DIR> MICROS~1 Microsoft
12/12/2005 11:17 PM <DIR> MICROS~2 Microsoft Web Folders
01/21/2006 11:28 AM <DIR> NETMED~1 NetMedia Providers
02/17/2006 09:24 PM <DIR> PLAYFI~1 PlayFirst
01/21/2006 11:28 AM <DIR> PUBLIS~1 Publish Providers
03/01/2007 04:52 PM <DIR> Real
12/05/2005 10:22 PM <DIR> Sonic
01/21/2006 11:28 AM <DIR> SONICF~1 Sonic Foundry
08/01/2006 08:00 PM <DIR> Sony
11/28/2005 01:12 PM <DIR> Sun
01/20/2007 02:54 AM <DIR> ZANGOT~1 ZangoToolbar
0 File(s) 0 bytes
29 Dir(s) 25,417,932,800 bytes free
Volume in drive C has no label.
Volume Serial Number is 388E-C8F2

Directory of C:\Documents and Settings\All Users\Application Data

03/12/2008 09:58 PM <DIR> .
03/12/2008 09:58 PM <DIR> ..
11/28/2005 01:17 PM <DIR> Adobe
12/26/2005 11:08 PM <DIR> AOL
12/26/2005 11:20 PM <DIR> AOLDOW~1 AOL Downloads
12/10/2006 01:39 PM <DIR> APPLEC~1 Apple Computer
03/04/2008 09:38 AM <DIR> BVRPSO~1 BVRP Software
08/16/2005 10:54 PM <DIR> DIGSTR~1 DIGStream
12/29/2005 09:10 PM <DIR> DNGH2S~1 DNGH2 Saves
12/06/2006 06:30 PM <DIR> Google
11/28/2005 01:26 PM <DIR> GTek
11/28/2005 01:24 PM <DIR> INSTAL~1 InstallShield
11/28/2005 01:13 PM <DIR> Intel
11/28/2005 01:22 PM <DIR> Intuit
12/05/2005 10:22 PM <DIR> MICROS~1 Microsoft
02/17/2006 09:23 PM <DIR> PLAYFI~1 PlayFirst
12/26/2005 10:46 PM <DIR> QUICKT~1 QuickTime
08/01/2006 08:00 PM <DIR> Sony
03/03/2008 09:15 PM <DIR> SPYBOT~1 Spybot - Search & Destroy
12/08/2006 12:27 AM <DIR> Trymedia
11/28/2005 01:21 PM <DIR> VIEWPO~1 Viewpoint
07/05/2006 07:51 PM <DIR> WINDOW~2 Windows Genuine Advantage
04/25/2006 01:18 PM <DIR> YAHOO!~1 Yahoo! Companion
0 File(s) 0 bytes
23 Dir(s) 25,417,932,800 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
Administrator
All Users
Zach
--------------------------------------------------------

HiJackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:52 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://awesomehomepage.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\SYSTEM~1\MemCheck.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us26/n.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8215 bytes
phoebe
Active Member
 
Posts: 10
Joined: March 6th, 2008, 12:10 am

Re: Trying to fix my son's computer

Unread postby ndmmxiaomayi » March 14th, 2008, 7:17 am

Hi,

Step 1

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.

Please delete this folder.

C:\Documents and Settings\Zach\Application Data\ZangoToolbar

Step 2

Please open HijackThis and select Do a system scan only.

Put a check (tick) next to this line:

    O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)

Click Fix checked. Close HijackThis.

Step 3

  1. Click on Start > All Programs > CCleaner > CCleaner.
  2. On the Windows tab, leave the default options alone.
  3. On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  4. Click on the Run Cleaner button at the bottom right hand corner.
  5. Close CCleaner.

Step 4

  1. Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  2. Double click on mbam-setup.exe to install it.
  3. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  4. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  5. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  6. Leave the default options as it is and click on Start Scan.
  7. When done, you will be prompted. Click OK, then click on Show Results.
  8. Checked (ticked) all items and click on Remove Selected.
  9. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

In your next reply, please post:

  1. Malwarebytes' Anti-Malware scan report
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Trying to fix my son's computer

Unread postby phoebe » March 14th, 2008, 8:58 pm

Thanks again!! Here's the logs you requested:

Malwarebytes log:

Malwarebytes' Anti-Malware 1.08
Database version: 493

Scan type: Full Scan (C:\|)
Objects scanned: 94003
Time elapsed: 30 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0ac49246-419b-4ee0-8917-8818daad6a4e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{0ebacaf2-e0f9-47a9-98cf-0ecce30b654c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{99410cde-6f16-42ce-9d49-3807f78f0287} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xInsiDERexe (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\ZangoToolbar 4.8.3 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Zach\Application Data\Microsoft\Windows\ibbmjl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\wukf\wukfd\class-barrel (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\wukf\wukfd\wukfc.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Zach\Application Data\CROSOF~1.NET\mshta.exe.vir (Trojan.PurtiScan) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Zach\Application Data\WinTouch\WTUninstaller.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll.vir (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll._.vir (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\WmFjaA\asappsrv.dll.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\WmFjaA\command.exe.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386695.dll (Trojan.Rond) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386696.exe (Trojan.Rond) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386697.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386733.dll (Trojan.Rond) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386734.exe (Trojan.Rond) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386735.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386738.dll (Trojan.Rond) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386739.exe (Trojan.Rond) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386740.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386745.dll (Trojan.Rond) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386746.exe (Trojan.Rond) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386747.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386974.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0386976.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0387404.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP255\A0387519.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP255\A0387520.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP255\A0387522.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP258\A0389285.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP258\A0389288.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP258\A0389295.exe (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP258\A0389297.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP258\A0389298.exe (Trojan.PurtiScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP258\A0389310.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\WINDOWS\retadpu1000137.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\n.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.

HiJackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:46 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://awesomehomepage.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\SYSTEM~1\MemCheck.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us26/n.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8137 bytes
phoebe
Active Member
 
Posts: 10
Joined: March 6th, 2008, 12:10 am

Re: Trying to fix my son's computer

Unread postby ndmmxiaomayi » March 15th, 2008, 7:07 am

Hi,

Please go to Kaspersky website and perform an online antivirus scan. Please use Internet Explorer as it uses ActiveX.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an ActiveX from Kaspersky. Click Yes.
  3. When the downloads have finished, click on Next button.
  4. Click on Scan Settings button.
  5. Select extended under Scan using the following antivirus database:
  6. Check (tick) these boxes under Scan options:
    • Scan Archives
    • Scan Mail Bases
  7. Click OK
  8. Click on My Computer under Please select a target to scan:
  9. Once the scan is complete it will display if your system has been infected. Click on Save as text button and save it to your desktop.
  10. Copy and paste this log in your next reply.

In your next reply, please post:

  1. Kaspersky Antivirus scan report
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 286 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware