Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Popups and browser-multipliers making my life miserable

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Popups and browser-multipliers making my life miserable

Unread postby Simon V. » February 10th, 2008, 5:41 am

Hi :)

Please download RenV (by sUBs) to your desktop.

  • Double-click on RenV.exe to run the program.
  • It will search your system drive looking for any modified .exe file and will produce a log (Log.txt) for you.
  • Please attach this report to your reply (Do not copy and paste).
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
Advertisement
Register to Remove

Re: Popups and browser-multipliers making my life miserable

Unread postby Crunchyhippo » February 10th, 2008, 2:53 pm

I have attached the log from the scan.
You do not have the required permissions to view the files attached to this post.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Popups and browser-multipliers making my life miserable

Unread postby Simon V. » February 10th, 2008, 4:13 pm

Hi :)

Step 1

Click on Start, then Control Panel. Double click on Add or Remove Programs.

Please remove the following program(s):

Java 2 Runtime Environment, SE v1.4.2_03
MyWay Search Assistant
Viewpoint Media Player
<-- Only remove this program if you haven't installed it yourself.

Then download and install Java Runtime Environment (JRE) 6 Update 4.

Step 2

Drag Log.txt into RenV.exe.

As an example, a screenshot of how to drag a file into another (Do not rename Log.txt to CFScript.txt or drag the file into Combofix.exe, this is merely an example) -

Image

When finished, it will produce a new log for you. Save it to a convenient location.

Step 3

Please download OTMoveIt2.exe by OldTimer and save it to your desktop.

  • Double click on OTMoveIt2.exe to run it.
  • Untick the option to Unregister Dll's and Ocx's.
  • Select the contents of the below codebox, then press Ctrl+C to copy it to the clipboard.

    Code: Select all
    C:\WINDOWS\system32\rrqss.ini2
    C:\WINDOWS\system32\ssqrr.dll

  • In OTMoveIt right-click on the box labelled Paste Standard List of Files/Folders to Move and click Paste (1).
  • Click on MoveIt! (2).
  • Click on Exit (3).
  • If it asks you to reboot allow that.

Please refer to this picture for using OTMoveIt -

Image

A log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers.

Step 4

Copy the text below into a Notepad (Go to Start > Run, type Notepad and hit Enter) document:

Code: Select all
REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13472530-E35E-4BBF-A619-24C7E7B5EB1E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e142419f-5615-48bf-b3fa-99644dd6527a}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-
"e032b96b"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqronk] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xwvomjea] 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00



Note: Make sure there is no blank line before REGEDIT4 and one blank line at the end.

Go to File > Save As:. Save the file as "<name>.reg" (Including the quotes)

Double-click on <name>.reg. When asked if you want to merge the file with the registry, click Yes.

Step 5

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:

    • Click on the Malwarebytes' Anti-Malware icon to launch the program.
    • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open.

Step 6

In your next reply, please post:

  • the RenV report (log.txt)
  • the Malwarebytes' Anti-Malware log
  • a new HijackThis log
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Popups and browser-multipliers making my life miserable

Unread postby Crunchyhippo » February 10th, 2008, 5:41 pm

Ok, I followed all the instructions. Malwarebytes found a number of items. Btw, upon bootup my computer gave me two error messages - the first was "Windows cannot find C:\WINDOWS\system32\ssqrr.exe.....
The second error was "Could not load or run C:\WINDOWS\system32\ssqrr.exe specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry." (I guess I have a multi-stage problem huh?)


Here's the RenV report:

Code: Select all
Ran on 2008-02-10 - 15:49:33.42

----a-w           212,992 2008-02-03 23:55:52  C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE
----a-w           212,992 2008-02-03 23:55:54  C:\Program Files\McAfee.com\Agent\MCUPDA~3 .EXE

 Entries:                4  (4)
 Directories:            0  Files:             4
 Bytes:            851,968  Blocks:        1,664





Here's the Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.03
Database version: 337

Scan type: Quick Scan
Objects scanned: 22139
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ssqrr.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b9b29d8-e934-432e-9d20-e1163691ac1d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8b9b29d8-e934-432e-9d20-e1163691ac1d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqrr -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ssqrr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rrqss.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rrqss.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.


Here's a new Hijack-This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:30, on 2008-02-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {696D8C1E-7039-40c8-9C66-07D9D2A2D00D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: {a7256dd4-4699-af3b-fb84-5165f914241e} - {e142419f-5615-48bf-b3fa-99644dd6527a} - C:\WINDOWS\system32\pepoyhgt.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6558 bytes
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Popups and browser-multipliers making my life miserable

Unread postby Simon V. » February 11th, 2008, 12:06 pm

Hi :)

Step 1

As you did before, drag Log.txt into RenV.exe.
When finished, it will produce a new log for you. Save it to a convenient location.

Step 2

Open HijackThis, perform a scan and put a check next to the following items (if present):

F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrr.exe
O2 - BHO: (no name) - {696D8C1E-7039-40c8-9C66-07D9D2A2D00D} - (no file)
O2 - BHO: {a7256dd4-4699-af3b-fb84-5165f914241e} - {e142419f-5615-48bf-b3fa-99644dd6527a} - C:\WINDOWS\system32\pepoyhgt.dll (file missing)


Close all programs except HijackThis and click on Fix checked.

Step 3

Close all programs before continuing, and try not to run anything during the scan.

Please do an online scan with Kaspersky WebScanner. (You will need to use Internet Explorer to run this scan)

On the welcome screen, click Accept.

You will be promted to install an ActiveX component from Kaspersky, click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Step 4

In your next reply, please post:

  • the RenV report (Log.txt)
  • the Kaspersky Online Scan report
  • a new HijackThis log
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Popups and browser-multipliers making my life miserable

Unread postby Crunchyhippo » February 11th, 2008, 12:43 pm

I got to the Kaspersky WebScanner step, at which point I'll have to wait til later today to do it, as I don't have access to the Internet where I work with my personal computer, and one can't download and save the Kaspersky program. I should have the results later today. Thanks.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Popups and browser-multipliers making my life miserable

Unread postby Crunchyhippo » February 12th, 2008, 7:40 am

I'm posting the results here.

I noticed in the output of the Kaspersky scan that it found numerous items under "system volume information" labeled "restore," and those items had skull icons next to them. For some reason, that doesn't imply good things, I'll bet.

New RenV report


Code: Select all
Ran on 2008-02-11 - 11:34:36.43

----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w           212,992 2008-02-03 23:55:54  C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE

 Entries:                3  (3)
 Directories:            0  Files:             3
 Bytes:            638,976  Blocks:        1,248



Kaspersky scan


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-12 06:17
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/02/2008
Kaspersky Anti-Virus database records: 558130
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 45232
Number of viruses found: 2
Number of infected objects: 75
Number of suspicious objects: 0
Duration of the scan process: 00:57:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02032008-032802.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\Jeff\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\History\History.IE5\MSHist012008021120080212\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeff\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP134\A0017017.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP134\A0017036.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0018046.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP136\A0018135.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP137\A0018186.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP137\A0018226.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP137\A0018243.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP137\A0018264.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP137\A0018292.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP137\A0018316.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP138\A0018373.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP138\A0018388.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP138\A0018406.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP138\A0018462.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP138\A0018522.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP139\A0018577.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP139\A0018587.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP139\A0018607.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP139\A0018675.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP139\A0018737.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP139\A0018792.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP140\A0018888.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP140\A0018898.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP140\A0018917.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP140\A0019925.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP140\A0020921.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP140\A0020986.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP140\A0021042.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP140\A0021071.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP140\A0021094.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP141\A0021123.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP141\A0021141.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP141\A0021258.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP142\A0021294.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP143\A0021306.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP143\A0021330.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP143\A0021363.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP143\A0021387.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP143\A0021424.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP143\A0021442.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP143\A0021469.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP143\A0021490.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP143\A0021546.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP143\A0022514.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP144\A0022660.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP144\A0022731.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP144\A0022824.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP145\A0022866.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP145\A0022870.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP145\A0022884.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP145\A0022892.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP148\A0022972.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP148\A0023019.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP148\A0023036.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP148\A0023052.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP148\A0023181.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP148\A0024167.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP148\A0024208.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP148\A0024218.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP148\A0024233.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150\A0024409.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150\A0024414.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150\A0024415.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150\A0024416.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150\A0024418.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150\A0024419.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150\A0024421.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP150\A0024430.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153\A0024611.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153\A0024612.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153\A0024613.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153\A0024614.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153\A0024615.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153\A0024616.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153\A0024622.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP158\A0024859.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP158\A0024913.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP158\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E1D62A2D-41EA-41A6-A5FE-69951C24606C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_6tvasjas4LmO2Tv Object is locked skipped
C:\WINDOWS\Temp\mcafee_QLRqNlr2qRe6gYI Object is locked skipped
C:\WINDOWS\Temp\mcmsc_8YKrensd012p1z2 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_B4tadrbmFAM31sc Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ncy5GC33IgeobyZ Object is locked skipped
C:\WINDOWS\Temp\mcmsc_zY0PIcG5agklcz8 Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


New Hijack This log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:19, on 2008-02-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6380 bytes
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Popups and browser-multipliers making my life miserable

Unread postby Simon V. » February 12th, 2008, 12:09 pm

Hi :)

I noticed in the output of the Kaspersky scan that it found numerous items under "system volume information" labeled "restore," and those items had skull icons next to them. For some reason, that doesn't imply good things, I'll bet.

It isn't really a problem; those files are located in the system restore points on your computer, and will be cleaned later on.

There's one (hopefully last) thing I want you to do - the RenV report still doesn't look OK.

Step 1

Delete Log.txt (the log RenV created)

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

Code: Select all
----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\mcupdate .exe


Click on File > Save as....

In the File Name box, copy/paste Log.txt (Note: Do not change the filename!)

Click Save (Save Log.txt in the same location as RenV.exe)

Drag Log.txt into RenV.exe.
When finished, it will produce a new log for you. Save it to a convenient location.

Step 2

Please copy and paste the text in the code box into Notepad (Go to Start > Run, type Notepad and hit Enter)

Code: Select all
@echo off

dir /a /s "C:\Program Files\McAfee.com\Agent" > look.txt
notepad look.txt


Go to File > Save As:. Save the file as "Look.bat" (Including the quotes) on your desktop.

Double-click on Look.bat to run the file.

A notepad file will open, and it will be saved as look.txt on your desktop. Please attach that log to your next post - do not copy/paste it. Also post the RenV log.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Popups and browser-multipliers making my life miserable

Unread postby Crunchyhippo » February 12th, 2008, 1:12 pm

Here's the RenV log and the look.txt. Disturbing how these items are sticking to the computer despite all our cleaning efforts. It's clearly something a one-time scan of McAfee couldn't repair.


Code: Select all
Ran on 2008-02-12 - 12:03:46.51

----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w           212,992 2008-02-03 23:55:54  C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE

 Entries:                3  (3)
 Directories:            0  Files:             3
 Bytes:            638,976  Blocks:        1,248
You do not have the required permissions to view the files attached to this post.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Popups and browser-multipliers making my life miserable

Unread postby Simon V. » February 12th, 2008, 1:30 pm

Pleas try the instructions in my last post in Safe Mode -

Print these instructions or copy them to Notepad and save it to your desktop, as you won't be able to access internet in Safe Mode.

Please reboot into Safe Mode. To do this, go to Start > Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking).

Log in to your usual account.

Post the two logs (attach look.txt) in your next reply.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Popups and browser-multipliers making my life miserable

Unread postby Crunchyhippo » February 12th, 2008, 2:15 pm

Here are the logs from Safe Mode:

Code: Select all
Ran on 2008-02-12 - 13:01:23.92

----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w           212,992 2008-02-03 23:55:54  C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE

 Entries:                3  (3)
 Directories:            0  Files:             3
 Bytes:            638,976  Blocks:        1,248
You do not have the required permissions to view the files attached to this post.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Popups and browser-multipliers making my life miserable

Unread postby Simon V. » February 12th, 2008, 4:07 pm

Let's try something else -

Delete you current copy of Combofix.exe and this folder: C:\Combofix\, then download a new version from one of the links below -

Link 1
Link 2
Link 3

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

Code: Select all
KillAll::

RenV::

----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w           212,992 2008-02-03 23:55:53  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w           212,992 2008-02-03 23:55:54  C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Post it back here in your next reply.

Also, please run Look.bat again and attach the log created.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Popups and browser-multipliers making my life miserable

Unread postby Crunchyhippo » February 12th, 2008, 5:01 pm

I did as you asked, and after I dropped the file onto the new Combofix, it did run a scan and rebooted the machine, but never produced any kind of log file for me to copy. Upon reboot, I get an error popup "'Windows cannot find C:\WINDOWS\systm32\cd:=\Combobatch.bat.' Make sure you typed the name correctly, etc..." I rebooted again after a minute, just to see if I'm going to see that error every time I reboot, but I didn't get it again, though the blue Combofix screen did appear for a few moments, then disappeared.

I'm attaching a new look.txt file here.
You do not have the required permissions to view the files attached to this post.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Popups and browser-multipliers making my life miserable

Unread postby Simon V. » February 13th, 2008, 2:24 am

Please repeat the instructions in my previous post; Combofix should have been updated again to address that error.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Popups and browser-multipliers making my life miserable

Unread postby Crunchyhippo » February 13th, 2008, 3:42 pm

I did what you asked prior, and I got the same results; the blue Combofix window came up briefly upon reboot, then disappeared without producing a log. I ran Look.bat again and am attaching its log.
You do not have the required permissions to view the files attached to this post.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 292 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware