charuhans

Help! Virus/Adware Attack


Since the past few days my search links from Google randomly redirect me to some different sites when clicked. I did a complete scan with the Windows OneCare yesterday but it didn't find anything. All the icons on the taskbar had disappeared too. Today, when I started the PC, the Windows OneCare flashed a prompt that a Trojan was detected and it needs to be removed. On clicking remove it would process and say removed, but the warning prompt would keep popping up and it kept on going. Finally, I located the rogue file in the Windows folder and deleted it, but it kept making copies. Eventually, I was able to delete all the copies and then OneCare prompted me to restart the PC and everything seemed fine. But I am not sure about that. The following is the log from the HJT scan. I will appreciate it if someone can analyze it and advise me on further action.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:34:46 PM, on 4/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\PROGRA~1\Discover\SOAN\SOAN.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Brownie\brpjp04a.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoomail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Qwest

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\system32\BhoDshop.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2

O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"

O4 - HKLM\..\Run: [brStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun

O4 - HKLM\..\Run: [secure Online Account Numbers] C:\PROGRA~1\Discover\SOAN\SOAN.exe /dontopenmycards

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\PROGRA~1\Discover\SOAN\SOAN.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Qwest Live - {25DCC934-B473-41C7-A9CD-B6EDA20FE7F2} - http://qwest.live.com (file missing) (HKCU)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...en/x86/client/wuweb_site.cab?1148678045515

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...s/en/x86/client/muweb_site.cab?1148704251984

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

 

--

End of file - 8578 bytes

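The log above is the raw input a helper works from, so here is an added example of the first-pass triage a reviewer does on it mechanically before reading it line by line. This is not code from the thread and not part of HijackThis, Malwarebytes or any other tool named here; it is a small Python script over a constructed sample of HijackThis-style lines. Most sample lines are copied from the log above; the `search.example.test` start-page entry and the `[updater]` Run entry are constructed to exercise the rules. The `EXPECTED_HOSTS` allow-list and the `SUSPICIOUS_PATH_PARTS` fragments are assumptions an analyst would tune for the machine (on this one, Qwest and Dell are the OEM/ISP defaults).

```python
import re
from urllib.parse import urlparse

# Constructed sample of HijackThis-style lines. Several are copied from the
# log in the post; the search.example.test R1 entry and the [updater] O4 entry
# are made up so that each triage rule has something to fire on.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.test/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Qwest
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\XXX\Local Settings\Temp\svchosts.exe
O4 - HKLM\..\Run: [brStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
"""

# Hosts the operator expects in IE start/search page entries (assumed allow-list;
# on this machine the OEM/ISP defaults are Dell and Qwest, plus the user's own choice).
EXPECTED_HOSTS = {"go.microsoft.com", "qwest.live.com", "www.dell.com", "yahoomail.com"}

# Path fragments where a legitimate autostart or service binary rarely lives on XP (assumed).
SUSPICIOUS_PATH_PARTS = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\", "\\recycler\\")

RE_R = re.compile(r"^(R[01]) - (.+?) = (.*)$")
RE_O2 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_O4 = re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$")
RE_O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def binary_path(cmdline):
    """Strip quotes and trailing arguments from an O4/O23 command line.

    Unquoted paths may contain spaces, so tokens are joined until the
    accumulated path ends in a known executable extension.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    tokens = cmdline.split(" ")
    path = tokens[0]
    for tok in tokens[1:]:
        if path.lower().endswith((".exe", ".dll", ".sys", ".com", ".scr")):
            break
        path += " " + tok
    return path


def triage(log_text):
    """Return (line, reason) pairs for entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_R.match(line):
            # Only values that parse as a URL with a host are checked; a plain
            # window title has no host and is skipped.
            host = urlparse(m.group(3).strip()).hostname or ""
            if host and host.lower() not in EXPECTED_HOSTS:
                findings.append((line, f"IE page setting points at unexpected host {host}"))
        elif m := RE_O2.match(line):
            if m.group(4).strip() == "(no file)":
                findings.append((line, "orphaned BHO/toolbar registration, file missing"))
        elif m := RE_O4.match(line):
            path = binary_path(m.group(3)).lower()
            if any(p in path for p in SUSPICIOUS_PATH_PARTS):
                findings.append((line, "autostart from a temp/profile directory"))
        elif m := RE_O23.match(line):
            owner, path = m.group(2).strip(), binary_path(m.group(3)).lower()
            if owner == "Unknown owner":
                findings.append((line, "service with no recorded publisher, verify the binary"))
            if any(p in path for p in SUSPICIOUS_PATH_PARTS):
                findings.append((line, "service binary in a temp/profile directory"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

Run against the sample it flags four lines: the constructed search-page host, the `(no file)` BHO (an orphaned registration rather than an infection, but still worth clearing), the constructed Run entry under `Local Settings\Temp`, and the `DSBrokerService` entry whose publisher HijackThis could not read. Everything it flags is a lead to verify, not a verdict; the `ProtexisLicensing` service in the real log is flagged by the same rule and is a licensing component that ships with Corel and similar products.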

Hi and welcome

 

 

Do this first.

Open Notepad, located at the top click on Format....uncheck word wrap.

 

 

 

Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program

as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

========================

 

 

Please download Malwarebytes' Anti-Malware to your desktop

 

Additional Link

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

Tutorial if needed

http://thespykiller.co.uk/index.php/topic,5946.0.html

 

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

 

 

 

In your next reply post:

Malwarebytes' Anti-Malware log

New HJT log


I did the ATF cleaning and then ran the Malwarebytes program. The log:

 

Malwarebytes' Anti-Malware 1.36

Database version: 1997

Windows 5.1.2600 Service Pack 3

 

4/17/2009 6:21:04 PM

mbam-log-2009-04-17 (18-21-04).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 159139

Time elapsed: 43 minute(s), 42 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0132193.flw (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP313\A0133543.flw (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP314\A0133549.flw (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP316\A0133673.flw (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP316\A0133674.flw (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP316\A0133675.flw (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP316\A0133676.flw (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP316\A0133677.flw (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP316\A0133678.flw (Trojan.Daonol) -> Quarantined and deleted successfully.

 

 

The post cleanup HJT Log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:27:07 PM, on 4/17/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

C:\WINDOWS\ehome\ehtray.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\PROGRA~1\Discover\SOAN\SOAN.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\Program Files\Brownie\brpjp04a.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoomail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Qwest

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\system32\BhoDshop.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2

O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"

O4 - HKLM\..\Run: [brStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun

O4 - HKLM\..\Run: [secure Online Account Numbers] C:\PROGRA~1\Discover\SOAN\SOAN.exe /dontopenmycards

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\PROGRA~1\Discover\SOAN\SOAN.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Qwest Live - {25DCC934-B473-41C7-A9CD-B6EDA20FE7F2} - http://qwest.live.com (file missing) (HKCU)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148678045515

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148704251984

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

 

--

End of file - 8521 bytes

 

I think my PC is fine now but may be wrong. Please let me know if you think anything more needs to be done.

 

Thank you very much for your assistance. I really appreciate it.


I think my PC is fine now but may be wrong. Please let me know if you think anything more needs to be done.

 

Glad it's better but, to be on the safe side let's dig deeper for assurance.

 

 

Your version of Adobe is out of date.

 

You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.

For more information and links to Adobe updates and downloads click here.

 

 

 

 

NEXT**

Your version of Java is outdated.

 

Please download JavaRa to your desktop and unzip it to its own folder

 

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.

Accept any prompts.

Open JavaRa.exe again and select Search For Updates.

Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

 

 

 

 

 

Please download RegQuery by Noviciate to your desktop

  • Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
    • [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
  • Double click RegQuery.exe to run the program
  • Paste the text you have copied using CRTL and V, into the textbox
  • Click the Query button
  • A Notepad file will open. Please paste the contents in your next reply
  • You may now close the RegQuery program
~~~~~~~~~~~~~~~~~~~~~~~~

 

 

NEXT**

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.

The below scan can take up to an hour or longer, please be patient.

 

*Note

It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

 

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

 

Other available links

Kaspersky Online Scanner or from here

http://www.kaspersky.com/virusscanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)

    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.

    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

  • Once the scan is complete, click on View scan report. To obtain the report:

    * Click on: Save Report As

    * Next, in the Save as prompt, Save in area, select: Desktop

    * In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]

    * Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

 

(Note.. for Internet Explorer 7 users:

If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

 

 

In your next reply post:

RegQuery log

Kaspersky log

New HJT log taken after the above scans have run

 

 

You may need several replies to post the requested logs, otherwise they might get cut off.


Thank you for the advice. I was able to update Adobe and Flash but got the following error message while trying to update Java:

 

Warning: Failed to verify the authenticity of this certificate because there was an error parsing the certificate.

No assertions can be made of the origin or validity of code.

Installing and running the code is not allowed.

 

Also, once I download the RegQuery software and then try to open the .exe file, I get the following error:

Regquery.exe is not a valid Win32 application.

 

I haven't done the Kaspersky scan, yet thinking that the above steps are essential before the scan.

 

Please advise me on further action.

 

Thank you so much for taking the time to assist me with this problem.


Download worksnow from HERE:

 

* IMPORTANT !!! Save worksnow to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

     

  • Double click on worksnow & follow the prompts.

     

    Note: worksnow will run without the Recovery Console installed.

  • As part of its process, combofix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

     

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

 

Posted Image

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

Posted Image

 

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

"copy/paste" a new HijackThis log file into this thread as well.

 

Notes:

 

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

Give it at least 20-30 minutes to finish if needed.

 

 

In your next reply post:

C:\ComboFix.txt


I did the Combofix scan, the log:

 

ComboFix 09-04-20.02 - XXX 04/19/2009 14:51.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1457 [GMT -7:00]

Running from: c:\documents and settings\XXX\Desktop\worksnow.exe

AV: Windows Live OneCare *On-access scanning disabled* (Updated)

FW: Windows Live OneCare Firewall *disabled*

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))

.

 

2009-04-18 22:33 . 2009-04-18 22:33 -------- d-----w c:\windows\system32\Adobe

2009-04-18 21:40 . 2009-04-18 21:40 -------- d-----w c:\program files\Common Files\Adobe AIR

2009-04-18 21:38 . 2009-04-18 21:38 -------- d-----w C:\Adobe Reader 9 Installer

2009-04-18 21:33 . 2009-04-19 21:23 -------- d-----w c:\documents and settings\All Users\Application Data\NOS

2009-04-18 21:33 . 2009-04-19 21:23 -------- d-----w c:\program files\NOS

2009-04-18 00:26 . 2009-04-18 00:26 -------- d-----w c:\documents and settings\XXX\Application Data\Malwarebytes

2009-04-18 00:26 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-18 00:26 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-18 00:26 . 2009-04-18 00:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-18 00:26 . 2009-04-18 00:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-18 00:00 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll

2009-04-18 00:00 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-04-18 00:00 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll

2009-04-18 00:00 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-18 00:00 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll

2009-04-18 00:00 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe

2009-04-18 00:00 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-18 00:00 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll

2009-04-18 00:00 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll

2009-04-18 00:00 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll

2009-04-17 23:56 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-17 23:56 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb

2009-04-17 23:56 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

2009-04-17 02:34 . 2009-04-17 02:34 -------- d-----w c:\program files\Trend Micro

2009-04-14 21:41 . 2009-04-14 21:41 -------- d-sh--w c:\documents and settings\YYY\PrivacIE

2009-04-14 02:35 . 2009-04-14 02:36 -------- d-----w c:\program files\Common Files\Corel

2009-04-14 02:34 . 2009-04-14 02:35 -------- d-----w c:\program files\Corel

2009-04-12 19:35 . 2009-04-12 19:35 -------- d-sh--w c:\documents and settings\YYY\IETldCache

2009-04-12 18:58 . 2009-04-12 18:58 -------- d-sh--w c:\documents and settings\XXX\IECompatCache

2009-04-12 18:55 . 2009-04-12 18:55 -------- d-sh--w c:\documents and settings\XXX\PrivacIE

2009-04-12 18:53 . 2009-04-12 18:53 -------- d-sh--w c:\documents and settings\LocalService\IETldCache

2009-04-12 18:53 . 2009-04-12 18:53 -------- d-sh--w c:\documents and settings\XXX\IETldCache

2009-04-12 18:48 . 2009-04-12 18:48 -------- d-----w c:\windows\ie8updates

2009-04-12 18:45 . 2009-04-12 18:46 -------- dc-h--w c:\windows\ie8

2009-04-12 18:43 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll

2009-04-06 03:21 . 2009-04-06 03:21 1409 ----a-w c:\windows\QTFont.for

2009-04-06 03:21 . 2009-04-06 03:21 54156 ---ha-w c:\windows\QTFont.qfn

2009-03-30 00:44 . 2009-03-30 00:44 -------- d-----w c:\program files\Yahoo! Games

2009-03-29 19:25 . 2009-03-29 19:25 552 ----a-w c:\windows\system32\DO_NOT_DELETE.backupSetID

2009-03-21 23:25 . 2007-02-03 00:11 135168 ----a-w c:\windows\system32\BhoDshop.dll

2009-03-21 23:25 . 2007-02-03 00:11 167936 ----a-w c:\windows\system32\FFDshop.dll

2009-03-21 23:25 . 2009-03-21 23:25 -------- d-----w c:\program files\Discover

2009-03-21 23:25 . 2007-02-03 00:11 98304 ----a-w c:\windows\system32\OBroker.exe

2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-19 21:23 . 2008-10-08 03:35 -------- d-----w c:\program files\Microsoft Windows OneCare Live

2009-04-18 21:54 . 2009-04-18 21:47 1785 ----a-w C:\JavaRa.log

2009-04-18 21:40 . 2006-05-24 23:46 -------- d-----w c:\program files\Common Files\Adobe

2009-04-18 00:04 . 2008-04-12 02:22 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-04-15 02:51 . 2006-05-18 12:17 -------- d-----w c:\program files\Dell

2009-04-14 02:42 . 2006-05-24 23:41 7520 --sha-w c:\windows\system32\KGyGaAvL.sys

2009-04-07 22:42 . 2008-10-13 02:43 -------- d-----w c:\documents and settings\YYY\Application Data\Skype

2009-04-07 22:41 . 2008-10-13 02:48 -------- d-----w c:\documents and settings\YYY\Application Data\skypePM

2009-03-21 23:25 . 2006-05-18 12:17 -------- d--h--w c:\program files\InstallShield Installation Information

2009-03-15 21:55 . 2009-03-15 21:55 -------- d-----w c:\documents and settings\XXX\Application Data\Skype

2009-03-08 21:09 . 2007-08-14 02:43 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe

2009-03-08 21:09 . 2007-08-14 02:39 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll

2009-03-08 11:41 . 2006-05-19 15:06 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll

2009-03-08 11:39 . 2007-12-01 17:24 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll

2009-03-08 11:34 . 2006-05-10 05:25 914944 ----a-w c:\windows\system32\dllcache\wininet.dll

2009-03-08 11:34 . 2005-08-16 09:18 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 11:34 . 2006-05-10 05:25 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll

2009-03-08 11:34 . 2007-08-14 02:54 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll

2009-03-08 11:34 . 2007-08-14 02:44 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll

2009-03-08 11:34 . 2005-08-16 09:18 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 11:34 . 2007-08-14 02:44 105984 ----a-w c:\windows\system32\dllcache\url.dll

2009-03-08 11:34 . 2007-08-14 02:44 109568 ----a-w c:\windows\system32\dllcache\occache.dll

2009-03-08 11:34 . 2006-05-10 05:25 193536 ----a-w c:\windows\system32\dllcache\msrating.dll

2009-03-08 11:33 . 2006-09-18 14:15 759296 ----a-w c:\windows\system32\dllcache\VGX.dll

2009-03-08 11:33 . 2009-03-08 11:33 18944 ------w c:\windows\system32\dllcache\corpol.dll

2009-03-08 11:33 . 2005-08-16 09:18 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 11:33 . 2006-05-10 05:25 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll

2009-03-08 11:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll

2009-03-08 11:33 . 2007-08-14 02:39 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll

2009-03-08 11:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll

2009-03-08 11:33 . 2005-08-16 09:18 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 11:33 . 2007-08-14 02:39 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll

2009-03-08 11:32 . 2007-08-14 02:39 72704 ----a-w c:\windows\system32\dllcache\admparse.dll

2009-03-08 11:32 . 2005-08-16 09:18 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 11:32 . 2007-08-14 02:39 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe

2009-03-08 11:32 . 2007-08-14 01:56 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll

2009-03-08 11:32 . 2007-08-14 02:39 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll

2009-03-08 11:32 . 2007-08-14 02:39 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll

2009-03-08 11:32 . 2005-08-16 09:18 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 11:32 . 2007-08-14 02:39 128512 ----a-w c:\windows\system32\dllcache\advpack.dll

2009-03-08 11:32 . 2006-05-10 05:25 94720 ----a-w c:\windows\system32\dllcache\inseng.dll

2009-03-08 11:32 . 2007-12-01 17:24 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll

2009-03-08 11:32 . 2007-12-01 17:24 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll

2009-03-08 11:32 . 2006-05-10 05:25 611840 ----a-w c:\windows\system32\dllcache\mstime.dll

2009-03-08 11:24 . 2007-08-14 02:18 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll

2009-03-08 11:22 . 2007-08-14 02:54 156160 ----a-w c:\windows\system32\dllcache\msls31.dll

2009-03-08 11:22 . 2005-08-16 09:18 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-08 11:11 . 2007-12-01 17:24 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll

2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll

2009-02-23 01:46 . 2009-02-23 01:46 4096 ----a-w c:\windows\d3dx.dat

2009-02-23 01:32 . 2007-04-20 01:26 -------- d-----w c:\documents and settings\All Users\Application Data\Napster

2009-02-19 01:42 . 2006-05-25 00:03 71232 ----a-w c:\documents and settings\YYY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-02-09 12:10 . 2005-08-16 09:18 729088 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 12:10 . 2005-08-16 09:18 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 12:10 . 2005-08-16 09:18 714752 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 12:10 . 2005-08-16 09:18 617472 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 11:13 . 2008-10-16 14:51 1846784 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-09 11:13 . 2005-08-16 09:18 1846784 ----a-w c:\windows\system32\win32k.sys

2009-02-08 02:02 . 2008-10-16 14:50 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe

2009-02-07 04:07 . 2007-12-01 17:24 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat

2009-02-06 11:11 . 2005-08-16 09:18 110592 ----a-w c:\windows\system32\services.exe

2009-02-06 11:08 . 2008-10-16 14:50 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe

2009-02-06 11:06 . 2008-10-16 14:50 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe

2009-02-06 11:06 . 2005-08-16 09:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe

2009-02-06 10:39 . 2005-08-16 09:18 35328 ----a-w c:\windows\system32\sc.exe

2009-02-06 10:32 . 2008-10-16 14:50 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe

2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe

2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll

2009-02-03 19:59 . 2005-08-16 09:18 56832 ----a-w c:\windows\system32\secur32.dll

2009-02-01 21:43 . 2006-05-26 20:33 71232 ----a-w c:\documents and settings\XXX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2008-07-28 20:17 . 2008-07-28 20:17 70456 ----a-w c:\documents and settings\YYY\Application Data\GDIPFONTCACHEV1.DAT

2006-05-26 20:34 . 2006-05-24 18:58 141 ----a-w c:\documents and settings\XXX\Local Settings\Application Data\fusioncache.dat

2006-05-25 00:03 . 2006-05-24 23:34 140 ----a-w c:\documents and settings\YYY\Local Settings\Application Data\fusioncache.dat

2005-08-17 01:52 . 2005-08-17 01:52 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat

2008-09-29 16:40 . 2006-06-01 17:46 88 --sh--r c:\windows\system32\58C651868C.sys

2008-05-11 19:01 . 2006-05-24 23:41 104 --sh--r c:\windows\system32\8C8651C658.sys

2008-10-07 02:58 . 2008-10-07 02:58 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100620081007\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]

"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2007-08-01 815104]

"Secure Online Account Numbers"="c:\progra~1\Discover\SOAN\SOAN.exe" [2007-02-03 233472]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-18 24576]

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave"= serwvdrv.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]

S2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2008-11-06 110304]

S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]

S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-03-22 24936]

S2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

\Shell\AutoRun\command - E:\setup.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

 

2009-04-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoomail.com/

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyOverride = <local>

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-19 14:54

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(648)

c:\windows\system32\igfxdev.dll

 

- - - - - - - > 'explorer.exe'(804)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-04-19 14:56

ComboFix-quarantined-files.txt 2009-04-19 21:56

 

Pre-Run: 29,930,049,536 bytes free

Post-Run: 29,968,662,528 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

 

231 --- E O F --- 2009-04-18 00:08

The HJT log after the ComboFix scan:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:07:21 PM, on 4/19/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\PROGRA~1\Discover\SOAN\SOAN.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoomail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\system32\BhoDshop.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2

O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"

O4 - HKLM\..\Run: [brStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun

O4 - HKLM\..\Run: [secure Online Account Numbers] C:\PROGRA~1\Discover\SOAN\SOAN.exe /dontopenmycards

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\PROGRA~1\Discover\SOAN\SOAN.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Qwest Live - {25DCC934-B473-41C7-A9CD-B6EDA20FE7F2} - http://qwest.live.com (file missing) (HKCU)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148678045515

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148704251984

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

 

--

End of file - 8196 bytes

 

Please let me know the further course of action. Thank you for everything.


Welcome back

Please highlight and copy the text inside the code box below:

reg query "HKLM\software\microsoft\windows nt\currentversion\drivers32" /s >look2.txt
start notepad look.txt
exit
cls

 

Click Start > Run, and, in the Open area, type: cmd

Press Enter to open a command window.

Right-click by the blinking cursor in the command window and select Paste.

The command window will close and a log will open on your Desktop.

Please post the contents of the look2.txt in your reply.
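The batch snippet above dumps the Drivers32 key so the helper can check it by eye. The following is an added example, not code from this thread or from any tool named in it: a Python script that reads a `reg query ... /s` dump of that key and flags values that deviate from an assumed stock Windows XP baseline (explicit paths where a bare module name is expected, unusual module types, and names missing from or changed against the baseline). The baseline table is an assumption for this example, and the sample dump is constructed: it reuses the `wave = serwvdrv.dll` entry shown in the ComboFix log above and adds one placeholder line to exercise the path check.

```python
"""Review a `reg query <Drivers32 key> /s` dump for non-stock entries.

Added example, not code from the thread. The baseline below is an assumed
set of stock Windows XP values; build your own from a known-clean machine
of the same build before relying on it.
"""
import re
import sys
from typing import List, Tuple

# Assumed stock values (illustrative baseline, not taken from the thread).
BASELINE = {
    "aux": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "mixer": "wdmaud.drv",
    "wave": "wdmaud.drv",
    "wavemapper": "msacm32.drv",
    "midimapper": "midimap.dll",
    "msacm.imaadpcm": "imaadp32.acm",
    "msacm.msadpcm": "msadp32.acm",
}

# Module types that normally appear under Drivers32.
EXPECTED_SUFFIXES = (".drv", ".dll", ".acm", ".ax")

# One value line of reg query output: "<indent><name><ws><REG_type><ws><data>"
VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*?)\s*$")

# Constructed sample dump: the wave entry mirrors the ComboFix log in this
# thread; the midi9 line is a placeholder added only to exercise the path check.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    aux    REG_SZ    wdmaud.drv
    midi    REG_SZ    wdmaud.drv
    mixer    REG_SZ    wdmaud.drv
    wave    REG_SZ    serwvdrv.dll
    wavemapper    REG_SZ    msacm32.drv
    midimapper    REG_SZ    midimap.dll
    msacm.imaadpcm    REG_SZ    imaadp32.acm
    msacm.msadpcm    REG_SZ    msadp32.acm
    midi9    REG_SZ    c:\windows\temp\PLACEHOLDER_unknown.dll
"""


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples from `reg query <key> /s` output.

    Key lines start in column 0 with HKEY_...; value lines are indented.
    """
    entries = []
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.upper().startswith("HK"):
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            entries.append((current_key, m.group("name"), m.group("data")))
    return entries


def review_drivers32(text: str) -> List[Tuple[str, str, str]]:
    """Flag Drivers32 values that deviate from the baseline.

    Returns (value_name, data, reason). A finding is a prompt for manual
    review, not a verdict: third-party audio or modem drivers register here too.
    """
    findings = []
    for key, name, data in parse_reg_query(text):
        if not key.lower().endswith("drivers32"):
            continue
        lname, ldata = name.lower(), data.lower()
        if "\\" in ldata or "/" in ldata:
            # Stock entries are bare module names resolved from system32.
            findings.append((name, data, "explicit path instead of a bare module name"))
        elif not ldata.endswith(EXPECTED_SUFFIXES):
            findings.append((name, data, "unusual module type"))
        elif lname in BASELINE and ldata != BASELINE[lname]:
            findings.append((name, data, f"differs from baseline {BASELINE[lname]}"))
        elif lname not in BASELINE:
            findings.append((name, data, "value name not in baseline"))
    return findings


if __name__ == "__main__":
    # Pass the path of a real dump (e.g. the look2.txt produced above) as the
    # first argument; with no argument the constructed sample is reviewed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OUTPUT
    for name, data, reason in review_drivers32(text):
        print(f"{name:<16} {data:<45} {reason}")
```

On the constructed sample the script reports two lines: `wave` (because it points at serwvdrv.dll rather than the baseline module) and `midi9` (because its data is a full path). Treat each as something to look up, not as a detection by itself; the baseline only tells you what changed.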


On executing the command, I got a prompt, "Cannot find file. Do you want to create look.txt?" I clicked Yes and it opened a blank Notepad window. On repeating the command, it just opens a blank Notepad.

 

Thank you


Welcome back

Let's see if we can get a Panda online scan.

This is to check for remnants or hidden items.

Perform an online scan with Panda ActiveScan

* Click on Scan Your PC Now

* A "pop up" window will appear, or a new tab will open.

* Click on Register

* Choose the option you like most, but we recommend the Free Registration.

 

Click on Register

# Enter your e-mail address, and create a password.

# Select "I do not want to receive any type of information". (unless you want to receive such information)

# Click on Send

# Confirm registration, and continue by entering your user name and password, then click on Enter

# Select Full Scan, then click on Scan Now

# Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.

# If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect

# Please ignore the offer to buy the program.

 

Click on Export To

 

* Export the log and save it to your desktop.

* Please post the contents of that log in your next reply.

* Turn off the real-time scanner of any existing antivirus program while performing the online scan.

 

 

In your next reply post:

Panda log

new HJT log

 

 

Computer doing OK?


The Panda Log:

 

;***********************************************************************************************************************************************************************************

ANALYSIS: 2009-04-25 16:57:19

PROTECTIONS: 1

MALWARE: 8

SUSPECTS: 0

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

Windows Live OneCare 1.0.0 Yes Yes

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\XXX\Cookies\XXX@doubleclick[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\XXX\Cookies\XXX@atdmt[1].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\XXX\Cookies\XXX@fastclick[2].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\XXX\Cookies\XXX@apmebf[1].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\XXX\Cookies\XXX@burstnet[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\XXX\Cookies\XXX@advertising[2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\XXX\Cookies\XXX@realmedia[1].txt

05429485 Generic Malware Virus/Trojan No 0 Yes Yes C:\Documents and Settings\XXX\Desktop\worksnow.exe

;===================================================================================================================================================================================

SUSPECTS

Sent Location

;===================================================================================================================================================================================

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description

;===================================================================================================================================================================================

;===================================================================================================================================================================================

 

 

The HJT Log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:04:23 PM, on 4/25/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\PROGRA~1\Discover\SOAN\SOAN.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Brownie\brpjp04a.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoomail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\system32\BhoDshop.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2

O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"

O4 - HKLM\..\Run: [brStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun

O4 - HKLM\..\Run: [secure Online Account Numbers] C:\PROGRA~1\Discover\SOAN\SOAN.exe /dontopenmycards

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\PROGRA~1\Discover\SOAN\SOAN.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Qwest Live - {25DCC934-B473-41C7-A9CD-B6EDA20FE7F2} - http://qwest.live.com (file missing) (HKCU)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148678045515

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148704251984

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

 

--

End of file - 8517 bytes

 

 

The computer has been doing well since the first cleanup. The Panda log shows "worksnow" as a Trojan, which was downloaded during our disinfection process.

 

Please advise on further action. Also, could you please recommend an anti-virus/spyware/malware program? I have the Windows Onecare program, which seemed to have been doing OK until this problem I ran into a few weeks back.

 

Thank you for all your assistance.


Welcome back

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

 

 

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

 

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

 

O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2

(Dell's support tool bundled on their computers. Can be run as necessary)

 

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

(Description: Adobe reader startup - unnecessarily uses system resources.)

 

 

Now please reboot the computer to set the registry.

 

 

 

 

Don't miss or skip this next step; it will remove malicious files from quarantine and set a clean restore point.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
Example below (screenshot not preserved)

 

 

The computer has been doing well since the first cleanup.

Good deal :tup:

 

The Panda log shows "worksnow" as a Trojan, which was downloaded during our disinfection process.

 

Yes, that's a false positive.

 

Please advise on further action. Also, could you please recommend an anti-virus/spyware/malware program?

I have the Windows Onecare program, which seemed to have been doing OK until this problem I ran into a few weeks back.

Of course.

 

I can give you links to free Antivirus and Firewall programs which are used by a great many people.

What you'll probably have to do is experiment somewhat to find one that runs well on your machine.

 

Avira

 

 

Avast!

How to Install, Configure, and Use Avast Antivirus

 

AVG Free,

Help overview http://free.grisoft.com/doc/5/us/frt/0/num/616#faq_616

This is a very useful read:

http://grandstreamdreams.blogspot.com/2008...-version-8.html

 

Never install more than one antivirus scanner or firewall on your system.

 

Free Antivirus With Resident Protection and other related resources.

http://users.telenet.be/bluepatchy/miekiem...irus%20Scanners

For paid products, NOD32 by Eset and Kaspersky

 

 

You can see some product comparisons here:

www.av-comparatives.org

 

~~~~~~~~~~~~~~~~~~~~~~~~

If installing a Firewall, please disable the Windows XP Firewall.

To disable Windows Firewall, follow these steps:

1. Click Start.

2. Click Run.

3. Type Firewall.cpl, and then click OK.

4. On the General tab, click Off (not recommended).

5. Click OK.

********************

 

The following are FREE Firewall versions:

Zone Alarm free:

http://www.zonealarm.com/store/content/cat...ry=US&lang=en

PDF documentation for Zone Alarm available here:

http://www.zonealarm.com/store/content/sup...a/znalmMain.jsp

If you are going to try Zone Alarm, I suggest you just install the basic firewall so the bundled trial Antivirus does not get installed. Also, I recommend NOT installing the new optional feature Spy Blocker, as it's run by the questionable search engine Ask.com. You can read more about Ask.com here: http://www.benedelman.org/spyware/installa...kjeeves-banner/

 

Comodo free:

http://www.personalfirewall.comodo.com/

If you want only the Firewall, you can de-select Install Comodo AntiVirus during the installation process.

http://forums.comodo.com/firewall_faq/wher...l-t27112.0.html

Comodo (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")

 

Sunbelt kerio:

http://www.sunbelt-software.com/Home-Home-...ewall/Download/

PDF documentation for Sunbelt Kerio available here:

http://www.sunbelt-software.com/Home-Home-.../Documentation/

 

Online Armor Free

http://www.tallemu.com/free-firewall-prote...n-software.html

 

Jetico free:

http://www.jetico.com/index.htm#/jpfirewall.htm

 

Note: You must only use 1 (one) Firewall at a time because if you have 2 or more Firewalls running at the same time, they will conflict with each other and make your security less reliable.

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

 

For a tutorial on Firewalls and a listing of available ones see the link Here

 

 

 

charuhans, you should be good to go, good job!

 

 

 

 

Please take the time to read over a few of my preventive tips.

 

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Firefox 3

The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 2, powerful new features were added that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

*NoScript - Add-on for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

 

How to prevent Malware: Created by Miekiemoes

 

Here are some additional utilities that will further enhance your safety.

# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

 

 

Read this article 'Safe Computing Practices'.

So how did I get infected in the first place?

 

Secure My Computer: A Layered Approach

 

Strong passwords: How to create and use them

 

Free Antivirus-AntiSpyware-Firewall Software

Slow Computer May Not Be Malware Related, Help! My computer is slow!

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

 

 

PC Safety and Security--What Do I Need?

http://www.techsupportforum.com/security-c...-do-i-need.html

 

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

This site offers people who have been (or are) victims of malware the opportunity to document their story.

 

Extra note:

Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan: http://secunia.com/software_inspector/

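The triage rule the helper applies to the log above (remove the O2 BHO whose target is "(no file)", leave the rest for review) can be written down as a small parser over HijackThis entry lines. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the posted log and the flagging criteria are the helper's, not HijackThis's own.

```python
import re

# Constructed sample in HijackThis v2 log format; the entry lines are copied
# from the log posted in this thread, plus its footer.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe",
    r'O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"',
    r"O9 - Extra button: Qwest Live - {25DCC934-B473-41C7-A9CD-B6EDA20FE7F2} - http://qwest.live.com (file missing) (HKCU)",
    "",
    "--",
    "End of file - 8517 bytes",
])

# Every entry line starts with a section code such as R0, R1, O2, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section_code, body) for each entry line; header, footer and
    blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Flag entries whose registered target no longer exists on disk
    ('(no file)' / '(file missing)') and BHOs registered without a display
    name. Everything else is left for manual review: a present vendor file
    is not by itself evidence either way."""
    findings = []
    for code, body in parse_hjt(text):
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("target file missing: orphaned registration")
        if code == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("BHO registered with no display name")
        if reasons:
            findings.append((code, body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> {'; '.join(reasons)}")
```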

Glad we could help. :)

 

Since this issue appears resolved ... this Topic is closed.
