Just can't get all the bugs off!



MichiganGirl
2007-07-29, 17:18
I was getting pop-up IE and Firefox windows. I disabled system restore. Then scanned in regular and safe modes with: Adware SE Professional, Spybot S&D, Spyware Blaster, and AVG AntiSpyware.

Then I realized that on Spybot it let something change my IE settings to allow all cookies and being able to download everything. Last night I got avast anti-virus, and it took off a few things. But I'm still getting a pop-up tab in Firefox, and I dare not even use IE.

I took off things from the allow list in Spybot, so it should ask me if I want to allow the changes in IE settings, but it still resets my IE options when I start the computer!

Is there anything that can help? I'm really fed up with this!

Thanks.

steamwiz
2007-07-29, 20:31
Hi

First ... turn System Restore back on & make sure you have a valid restore point; even an infected restore point is better than none...

THEN...

Download a self-extracting copy of HijackThis from :-
http://downloads.malwareremoval.com/hijackthis_sfx.exe
1. save it to your Desktop.
2. Double-click on the file hijackthis_sfx.exe and it will self-extract into its own folder,
C:\Program Files\HijackThis
3. Go to this folder and run the hijackthis.exe file
4. click Do a system scan and save a logfile
5. Copy & paste the logfile into your next post here...

steam

MichiganGirl
2007-07-31, 01:53
Logfile of HijackThis v1.99.1
Scan saved at 7:49:26 PM, on 7/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\FCyberAlert\Syslogin.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Anisah\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pageaday.com/pad/2007CATS/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\System32\mljhggd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60875658-630e-4dfa-84d3-806432bdc66d} - C:\WINDOWS\System32\vvdiais.dll
O2 - BHO: (no name) - {706706E8-3111-423C-B165-69AD659F541C} - (no file)
O2 - BHO: (no name) - {72F6D9A2-853F-41ED-AC9F-62E1CB8E7639} - (no file)
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - c:\program files\peoplepc\toolbar\scamgrd.dll
O2 - BHO: (no name) - {A01FE583-05C0-49EB-AF73-C13FDE6DF8AF} - C:\WINDOWS\System32\ssttr.dll (file missing)
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: (no name) - {FD4AE849-FEDD-4564-A873-D3EA7592F76B} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FamilyCyberAlert] C:\WINDOWS\system32\FCyberAlert\Syslogin.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddayx - C:\WINDOWS\
O20 - Winlogon Notify: mljhggd - mljhggd.dll (file missing)
O20 - Winlogon Notify: ssttr - C:\WINDOWS\System32\ssttr.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

steamwiz
2007-07-31, 18:22
Hi

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If VundoFix cannot delete a file, it will try to delete it during a reboot. After the reboot VundoFix will open again; you must run VundoFix again, from "Click the Scan for Vundo button" ... and you must keep running VundoFix until it does delete the file... I've known a stubborn Vundo file take 5 or 6 reboots before it is deleted...

Keep running VundoFix until it gives you the message "no infected files were found"

-
Before you post your next HijackThis log, at the top of the log, click "Format" ... uncheck "Word Wrap", then check it again...

steam

MichiganGirl
2007-08-01, 16:48
Thanks Steamwiz. I got that and scanned. It found nothing.

From my scans it seems to be called WhyPPC, or at least that's something that my programs keep deleting.

I'm probably gonna have to redo the computer. I was trying to avoid that.

Anyone have anything else I can try first?

Thanks.

steamwiz
2007-08-01, 23:09
Hi

You have nothing we can't fix, there is no need to "redo the computer"

I'd still like to see the log from VundoFix ... even if it did find nothing... I'd like to see the header...

& a new HijackThis log ... the one you posted is very hard to read ... but does show malware.. see my last post for what to do before posting a new one...


Please download Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

steam

MichiganGirl
2007-08-02, 17:37
Here is the log for Vundo Fix:


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:34:53 PM 7/31/2007

Listing files found while scanning....

No infected files were found.



I ran Spyware doctor, then Combo fix. Here is the Combo fix log:

ComboFix 07-07-30.2 - "Anisah" 2007-08-02 10:36:14.2 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-01 22:42 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-01 22:42 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-01 22:42 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-01 22:42 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-08-01 22:42 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-01 22:41 <DIR> d-------- C:\DOCUME~1\Anisah\APPLIC~1\PC Tools
2007-08-01 22:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-01 22:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 23:34 <DIR> d-------- C:\VundoFix Backups
2007-07-30 15:56 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-30 15:54 <DIR> d-------- C:\Program Files\Kitty Luv
2007-07-29 13:29 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-29 13:29 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-29 13:29 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-29 13:29 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-29 00:30 <DIR> d-------- C:\Program Files\Safer Networking
2007-07-28 10:23 1,760,645 ---hs---- C:\WINDOWS\system32\rttss.bak2
2007-07-26 12:39 6,466 ---hs---- C:\WINDOWS\system32\rttss.bak1
2007-07-26 12:34 926,352 -r-hs---- C:\WINDOWS\chhgudkA.exe
2007-07-26 12:34 171,520 --a------ C:\WINDOWS\system32\vvdiais.dll
2007-07-26 12:34 <DIR> d-------- C:\Temp\0c2
2007-07-26 12:33 <DIR> d-------- C:\Temp\brr
2007-07-26 12:33 <DIR> d-------- C:\Temp
2007-07-26 08:30 147,456 --a------ C:\WINDOWS\system32\AbsoluteHttp.dll
2007-07-26 08:30 1,392,671 --a------ C:\WINDOWS\system32\msvbvm60.dll
2007-07-26 08:30 <DIR> d-------- C:\WINDOWS\system32\FCyberAlert
2007-07-25 14:00 <DIR> d-------- C:\Program Files\iPod
2007-07-25 13:59 <DIR> d-------- C:\Program Files\iTunes
2007-07-25 13:41 <DIR> d-------- C:\Program Files\QuickTime
2007-07-25 13:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-24 15:48 <DIR> d-------- C:\Program Files\Aurelon PhotoPro
2007-07-23 11:24 <DIR> d-------- C:\Program Files\support.com
2007-07-23 11:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Support.com
2007-07-16 09:03 <DIR> d-------- C:\DOCUME~1\Anisah\APPLIC~1\Snapfish
2007-07-16 08:32 45,152 --------- C:\WINDOWS\system32\PPCOUNIN.exe
2007-07-16 08:09 <DIR> d-------- C:\Program Files\Common Files\PeoplePC


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 08:16 --------- d-------- C:\Program Files\Spyware Doctor
2007-07-31 23:24 --------- d-------- C:\Program Files\FTM
2007-07-27 17:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-26 18:34 --------- d-------- C:\Program Files\SpywareBlaster
2007-07-26 12:34 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-26 10:20 --------- d-------- C:\DOCUME~1\Anisah\APPLIC~1\XnView
2007-07-25 13:38 --------- d-------- C:\Program Files\Apple Software Update
2007-07-25 13:08 --------- d-------- C:\Program Files\MSN Messenger
2007-07-25 11:12 --------- d-------- C:\Program Files\FontExpert
2007-07-23 11:26 --------- d-------- C:\Program Files\BroadJump
2007-07-20 15:35 --------- d-------- C:\DOCUME~1\Anisah\APPLIC~1\Snappy Fax 2000
2007-07-16 09:03 4329 --a------ C:\WINDOWS\mozver.dat
2007-07-16 08:32 --------- d-------- C:\Program Files\PeoplePC
2007-06-27 15:05 --------- d-------- C:\Program Files\Sony
2007-06-27 15:01 --------- d-------- C:\DOCUME~1\Anisah\APPLIC~1\Aim
2007-06-15 06:13 --------- d-------- C:\Program Files\AIM
2007-06-07 21:18 --------- d-------- C:\DOCUME~1\Anisah\APPLIC~1\Viewpoint
2007-05-02 21:50 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2006-02-10 15:45 1740 --a------ C:\Program Files\Adobe Reader 7.0.lnk


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60875658-630e-4dfa-84d3-806432bdc66d}]
2007-07-26 12:34 171520 --a------ C:\WINDOWS\System32\vvdiais.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{706706E8-3111-423C-B165-69AD659F541C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72F6D9A2-853F-41ED-AC9F-62E1CB8E7639}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD4AE849-FEDD-4564-A873-D3EA7592F76B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 00:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayx]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhggd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.1.lnk
backup=C:\WINDOWS\pss\eFax 4.1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MightyFAX Controller.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MightyFAX Controller.lnk
backup=C:\WINDOWS\pss\MightyFAX Controller.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anisah^Start Menu^Programs^Startup^Firefox.lnk]
path=C:\Documents and Settings\Anisah\Start Menu\Programs\Startup\Firefox.lnk
backup=C:\WINDOWS\pss\Firefox.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.1]
"C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF4 Registry Controller]
"C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PuttPuttMoon.exe]
C:\DOCUME~1\Anisah\Desktop\DOWNLO~1\PUTTPU~1.EXE /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartMeSGS]
C:\Program Files\SOS Online Backup\SOS Online Backup v1.3\sosuploadagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\WINDOWS\TISKY009.exe SKY009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\System32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINDOWS\System32\DRIVERS\i81xnt5.sys
R3 IKFileFlt;File Filter Driver;C:\WINDOWS\System32\drivers\ikfileflt.sys
R3 IKFileSec;File Security Driver;C:\WINDOWS\System32\drivers\ikfilesec.sys
R3 IkSysFlt;System Filter Driver;C:\WINDOWS\System32\drivers\iksysflt.sys
R3 IKSysSec;System Security Driver;C:\WINDOWS\System32\drivers\iksyssec.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\System32\Drivers\BW2NDIS5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys
S3 pmxscan;Memorex USB Kernel;C:\WINDOWS\System32\DRIVERS\usbscan.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\Anisah\LOCALS~1\Temp\tni1F.tmp
S3 TUWinStylerThemeSvc;TuneUp WinStyler Theme Service;C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe


Contents of the 'Scheduled Tasks' folder
2007-07-27 22:25:26 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
2007-07-25 18:38:41 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-02 05:00:01 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 14:00:03 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 15:00:01 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-01 16:00:01 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-01 17:00:05 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-01 18:00:04 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-01 19:00:02 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-01 20:00:02 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-01 21:00:01 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-01 22:00:03 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-01 23:00:01 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 06:00:00 C:\WINDOWS\Tasks\At2.job
2007-08-02 00:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 01:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 02:00:06 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 03:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 04:00:16 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 07:00:02 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 08:00:06 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 09:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 10:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 11:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 12:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\System32\yk4awMYE.exe
2007-08-02 13:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\System32\yk4awMYE.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 10:54:47
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 10:59:16
C:\ComboFix-quarantined-files.txt ... 2007-08-02 10:58
C:\ComboFix2.txt ... 2007-08-01 22:33

--- E O F ---

I can't post my hijack this in the same post, so I'll post it next. Thanks so much for your help!
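
Two things in the ComboFix log above are stronger indicators than anything in the HijackThis logs: the files created under C:\WINDOWS with the hidden and system attributes set (rttss.bak1, rttss.bak2, chhgudkA.exe) and the 24 At*.job scheduled tasks, one per hour, 23 of them launching C:\WINDOWS\System32\yk4awMYE.exe. AtN.job files are what at.exe creates, and jobs created that way run as LocalSystem, so a random-named binary scheduled hourly through them is a persistence mechanism and a re-infection source, not a user's maintenance task. The script below is an added example written for this thread, not code from the original post and not part of ComboFix; the sample lines are copied from the log above, the function names are the editor's, and the attribute-column layout (fourth column hidden, fifth column system) is inferred from the posted lines and is an assumption:

```python
"""Triage two sections of a ComboFix log: 'Files Created' and 'Scheduled Tasks'.
Added example for the thread; not code from the original post and not part of
ComboFix.  Assumption: in the 9-character attribute string, index 3 is the
hidden flag and index 4 the system flag (inferred from the posted lines)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix log posted above, trimmed.
SAMPLE_FILES = """\
2007-07-28 10:23 1,760,645 ---hs---- C:\\WINDOWS\\system32\\rttss.bak2
2007-07-26 12:39 6,466 ---hs---- C:\\WINDOWS\\system32\\rttss.bak1
2007-07-26 12:34 926,352 -r-hs---- C:\\WINDOWS\\chhgudkA.exe
2007-07-26 12:34 171,520 --a------ C:\\WINDOWS\\system32\\vvdiais.dll
2007-07-29 13:29 94,416 --a------ C:\\WINDOWS\\system32\\drivers\\aswmon2.sys
2007-07-26 08:30 <DIR> d-------- C:\\WINDOWS\\system32\\FCyberAlert
"""

SAMPLE_TASKS = """\
2007-07-27 22:25:26 C:\\WINDOWS\\Tasks\\1-Click Maintenance.job - C:\\Program Files\\TuneUp Utilities 2004\\SystemOptimizer.exe
2007-08-02 05:00:01 C:\\WINDOWS\\Tasks\\At1.job - C:\\WINDOWS\\System32\\yk4awMYE.exe
2007-08-02 06:00:00 C:\\WINDOWS\\Tasks\\At2.job
2007-08-02 07:00:02 C:\\WINDOWS\\Tasks\\At3.job - C:\\WINDOWS\\System32\\yk4awMYE.exe
2007-08-02 08:00:06 C:\\WINDOWS\\Tasks\\At4.job - C:\\WINDOWS\\System32\\yk4awMYE.exe
"""

# e.g. "2007-07-26 12:34 926,352 -r-hs---- C:\WINDOWS\chhgudkA.exe"
FILE_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{9})\s+"
    r"(?P<path>.+)$"
)
# e.g. "2007-08-02 05:00:01 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\System32\yk4awMYE.exe"
TASK_RE = re.compile(r"^\S+ \S+ (?P<job>.+?\.job)(?: - (?P<target>.+))?$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)


def hidden_system_files(files_text: str) -> List[str]:
    """Paths created with both the hidden and system attributes set.
    Installers almost never do this outside protected OS files; Vundo-family
    droppers use it to keep payloads out of ordinary Explorer listings."""
    hits: List[str] = []
    for line in files_text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        if attrs[3] == "h" and attrs[4] == "s":
            hits.append(m.group("path"))
    return hits


def at_job_fanout(tasks_text: str, threshold: int = 3) -> Dict[str, List[str]]:
    """Targets referenced by at least `threshold` AtN.job entries.
    AtN.job is the naming at.exe uses; those jobs run as LocalSystem, so one
    binary scheduled repeatedly this way is persistence, not maintenance."""
    by_target: Dict[str, List[str]] = defaultdict(list)
    for line in tasks_text.splitlines():
        m = TASK_RE.match(line.strip())
        if not m or not m.group("target"):
            continue  # At2.job in the sample carries no target
        if AT_JOB_RE.search(m.group("job")):
            job_name = m.group("job").rsplit("\\", 1)[-1]
            by_target[m.group("target")].append(job_name)
    return {t: jobs for t, jobs in by_target.items() if len(jobs) >= threshold}


if __name__ == "__main__":
    for p in hidden_system_files(SAMPLE_FILES):
        print("hidden+system:", p)
    for target, jobs in at_job_fanout(SAMPLE_TASKS).items():
        print(f"{len(jobs)} At jobs ->", target, jobs)
```

Run against the full log, the fan-out check returns the single target yk4awMYE.exe with 23 jobs; that binary, the three hidden+system files and the At*.job files are what a cleanup of this machine has to remove together, because whichever is left will re-create the others.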

MichiganGirl
2007-08-02, 17:40
My HijackThis log. I thought I had removed all entries that said no file, except for the wdfmgr.exe one, someone told me not to remove it, but they're all back again. After I did HijackThis, they kept trying to get back on, and I could not click deny, I had to x out of the teabot notifications.

Logfile of HijackThis v1.99.1
Scan saved at 11:12:23 AM, on 8/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Anisah\Desktop\Downloads\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pageaday.com/pad/2007CATS/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60875658-630e-4dfa-84d3-806432bdc66d} - C:\WINDOWS\System32\vvdiais.dll
O2 - BHO: (no name) - {706706E8-3111-423C-B165-69AD659F541C} - (no file)
O2 - BHO: (no name) - {72F6D9A2-853F-41ED-AC9F-62E1CB8E7639} - (no file)
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - c:\program files\peoplepc\toolbar\scamgrd.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: (no name) - {FD4AE849-FEDD-4564-A873-D3EA7592F76B} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O20 - Winlogon Notify: ddayx - C:\WINDOWS\
O20 - Winlogon Notify: mljhggd - C:\WINDOWS\
O20 - Winlogon Notify: ssttr - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


When I start or restart my computer, something comes up that says Configuration settings have changed, and it takes me to setup, but I just exit out of setup. Does that have anything to do with any of the bugs?

Thanks again!

steamwiz
2007-08-02, 21:35
Hi

The VundoFix log shows your Java is out-of-date

jre1.5.0 now has update _11 ... But jre1.6.0 is much faster...

Go to Add/Remove Programs and uninstall any earlier versions ... (jre1.5.0.6)

Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6' and press the 'Download' button.


Running an out-of-date version of Java is an infection risk.

-


When I start or restart my computer, something comes up that says Configuration settings have changed, and it takes me to setup, but I just exit out of setup. Does that have anything to do with any of the bugs?

Thanks again!

No, this has nothing to do with malware ... it's because you've unchecked items in Msconfig (Startup tab) ... just check the box which says "don't show this again"

-
Open Notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\system32\rttss.bak2
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\chhgudkA.exe
C:\WINDOWS\system32\vvdiais.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Folder::
C:\VundoFix Backups
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60875658-630e-4dfa-84d3-806432bdc66d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{706706E8-3111-423C-B165-69AD659F541C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72F6D9A2-853F-41ED-AC9F-62E1CB8E7639}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD4AE849-FEDD-4564-A873-D3EA7592F76B}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayx]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhggd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
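
As an added example for the script above (constructed for this thread, not ComboFix's own parser), here is a small checker for a CFScript.txt that enforces the rule steamwiz stresses, File:: on the very first line with no blank line above it and no leading space, and groups the entries under the section headers the post uses (File::, Folder::, Registry::). The sample scripts inside it are built from paths that appear in the post; the section names and path rules are assumptions about the format, not taken from ComboFix documentation.

```python
"""Constructed checker for a ComboFix CFScript.txt (added example, not
ComboFix code).  Rules enforced:
  * the first line must be exactly "File::" (no blank line above, no
    leading whitespace), as steamwiz's post requires;
  * section headers are the ones used in the post: File::, Folder::,
    Registry:: (assumed list, extend as needed);
  * File:: and Folder:: entries must be absolute drive paths;
  * Registry:: entries must be bracketed keys like [-HKEY_LOCAL_MACHINE\\...].
"""

KNOWN_SECTIONS = ("File::", "Folder::", "Registry::")  # headers seen in the post


def _is_drive_path(entry):
    """True for entries such as C:\\WINDOWS\\chhgudkA.exe (assumed rule)."""
    return len(entry) > 3 and entry[0].isalpha() and entry[1:3] == ":\\"


def check_cfscript(text):
    """Return (ok, problems, sections) for the script body.

    sections maps each header seen to the non-blank entries under it;
    problems is a list of findings; ok is True when problems is empty."""
    problems = []
    sections = {}
    lines = text.split("\n")

    first = lines[0] if lines else ""
    if first != "File::":
        if first.strip() == "":
            problems.append("blank line above File:: (it must be line 1)")
        elif first.strip() == "File::":
            problems.append("leading whitespace before File::")
        else:
            problems.append("first line is %r, expected File::" % first)

    current = None
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        if stripped == "":
            continue  # blank separator lines are fine between sections
        if stripped in KNOWN_SECTIONS:
            if line != stripped:
                problems.append("line %d: header %s has surrounding whitespace" % (n, stripped))
            current = stripped
            sections.setdefault(current, [])
            continue
        if stripped.endswith("::"):
            problems.append("line %d: unknown section header %s" % (n, stripped))
            current = None
            continue
        if current is None:
            problems.append("line %d: entry outside any section: %s" % (n, stripped))
            continue
        if current in ("File::", "Folder::") and not _is_drive_path(stripped):
            problems.append("line %d: %s entry is not an absolute drive path: %s" % (n, current, stripped))
        if current == "Registry::" and not (stripped.startswith("[") and stripped.endswith("]")):
            problems.append("line %d: Registry:: entry is not a bracketed key: %s" % (n, stripped))
        sections[current].append(stripped)

    return (not problems, problems, sections)


# Constructed samples built from paths that appear in the thread.
GOOD_SCRIPT = (
    "File::\n"
    "C:\\WINDOWS\\chhgudkA.exe\n"
    "C:\\WINDOWS\\system32\\vvdiais.dll\n"
    "\n"
    "Folder::\n"
    "C:\\VundoFix Backups\n"
    "C:\\Temp\n"
    "\n"
    "Registry::\n"
    "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\ddayx]\n"
)
BAD_LEADING_SPACE = " File::\nC:\\WINDOWS\\chhgudkA.exe\n"
BAD_BLANK_ABOVE = "\nFile::\nC:\\WINDOWS\\chhgudkA.exe\n"

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("leading space", BAD_LEADING_SPACE),
                         ("blank above", BAD_BLANK_ABOVE)):
        ok, problems, sections = check_cfscript(script)
        print(name, "OK" if ok else "PROBLEMS", problems)
```

Paste the text you intend to save as CFScript.txt into `check_cfscript` before dragging it onto ComboFix; the two bad samples show the two mistakes the post warns about, a leading space and a blank first line.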

MichiganGirl
2007-08-03, 03:32
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif


I got the newer Java. But when I tried to drag that text file to Combo Fix, it just rearranged the files, it did not open it at all. How do I get it to open it?

MichiganGirl
2007-08-03, 04:07
Well, I right-clicked on the file and went to Open With, and chose Combo Fix, since it wouldn't open it when I tried to drag it on top of it. So I did get a scan, hopefully what you wanted. Here's the results:

ComboFix 07-07-30.2 - "Anisah" 2007-08-02 21:34:29.3 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Anisah\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp
C:\Temp\0c2\tmpFF.log
C:\Temp\brr\tmpZTF.log
C:\VundoFix Backups
C:\WINDOWS\chhgudkA.exe
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.bak2
C:\WINDOWS\system32\vvdiais.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))


2007-08-01 22:42 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-01 22:42 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-01 22:42 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-01 22:42 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-08-01 22:42 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-01 22:41 <DIR> d-------- C:\DOCUME~1\Anisah\APPLIC~1\PC Tools
2007-08-01 22:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-01 22:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 15:56 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-30 15:54 <DIR> d-------- C:\Program Files\Kitty Luv
2007-07-29 13:29 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-29 13:29 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-29 13:29 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-29 13:29 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-29 00:30 <DIR> d-------- C:\Program Files\Safer Networking
2007-07-26 08:30 147,456 --a------ C:\WINDOWS\system32\AbsoluteHttp.dll
2007-07-26 08:30 1,392,671 --a------ C:\WINDOWS\system32\msvbvm60.dll
2007-07-26 08:30 <DIR> d-------- C:\WINDOWS\system32\FCyberAlert
2007-07-25 14:00 <DIR> d-------- C:\Program Files\iPod
2007-07-25 13:59 <DIR> d-------- C:\Program Files\iTunes
2007-07-25 13:41 <DIR> d-------- C:\Program Files\QuickTime
2007-07-25 13:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-24 15:48 <DIR> d-------- C:\Program Files\Aurelon PhotoPro
2007-07-23 11:24 <DIR> d-------- C:\Program Files\support.com
2007-07-23 11:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Support.com
2007-07-16 09:03 <DIR> d-------- C:\DOCUME~1\Anisah\APPLIC~1\Snapfish
2007-07-16 08:32 45,152 --------- C:\WINDOWS\system32\PPCOUNIN.exe
2007-07-16 08:09 <DIR> d-------- C:\Program Files\Common Files\PeoplePC


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 08:16 --------- d-------- C:\Program Files\Spyware Doctor
2007-07-31 23:24 --------- d-------- C:\Program Files\FTM
2007-07-27 17:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-26 18:34 --------- d-------- C:\Program Files\SpywareBlaster
2007-07-26 12:34 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-26 10:20 --------- d-------- C:\DOCUME~1\Anisah\APPLIC~1\XnView
2007-07-25 13:38 --------- d-------- C:\Program Files\Apple Software Update
2007-07-25 13:08 --------- d-------- C:\Program Files\MSN Messenger
2007-07-25 11:12 --------- d-------- C:\Program Files\FontExpert
2007-07-23 11:26 --------- d-------- C:\Program Files\BroadJump
2007-07-20 15:35 --------- d-------- C:\DOCUME~1\Anisah\APPLIC~1\Snappy Fax 2000
2007-07-16 09:03 4329 --a------ C:\WINDOWS\mozver.dat
2007-07-16 08:32 --------- d-------- C:\Program Files\PeoplePC
2007-06-27 15:05 --------- d-------- C:\Program Files\Sony
2007-06-27 15:01 --------- d-------- C:\DOCUME~1\Anisah\APPLIC~1\Aim
2007-06-15 06:13 --------- d-------- C:\Program Files\AIM
2007-06-07 21:18 --------- d-------- C:\DOCUME~1\Anisah\APPLIC~1\Viewpoint
2007-05-02 21:50 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2006-02-10 15:45 1740 --a------ C:\Program Files\Adobe Reader 7.0.lnk


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 00:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.1.lnk
backup=C:\WINDOWS\pss\eFax 4.1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MightyFAX Controller.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MightyFAX Controller.lnk
backup=C:\WINDOWS\pss\MightyFAX Controller.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anisah^Start Menu^Programs^Startup^Firefox.lnk]
path=C:\Documents and Settings\Anisah\Start Menu\Programs\Startup\Firefox.lnk
backup=C:\WINDOWS\pss\Firefox.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.1]
"C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF4 Registry Controller]
"C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PuttPuttMoon.exe]
C:\DOCUME~1\Anisah\Desktop\DOWNLO~1\PUTTPU~1.EXE /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartMeSGS]
C:\Program Files\SOS Online Backup\SOS Online Backup v1.3\sosuploadagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\System32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINDOWS\System32\DRIVERS\i81xnt5.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\System32\Drivers\BW2NDIS5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys
S3 IKFileFlt;File Filter Driver;C:\WINDOWS\System32\drivers\ikfileflt.sys
S3 IKFileSec;File Security Driver;C:\WINDOWS\System32\drivers\ikfilesec.sys
S3 IkSysFlt;System Filter Driver;C:\WINDOWS\System32\drivers\iksysflt.sys
S3 IKSysSec;System Security Driver;C:\WINDOWS\System32\drivers\iksyssec.sys
S3 pmxscan;Memorex USB Kernel;C:\WINDOWS\System32\DRIVERS\usbscan.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\Anisah\LOCALS~1\Temp\tni1F.tmp
S3 TUWinStylerThemeSvc;TuneUp WinStyler Theme Service;C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe


Contents of the 'Scheduled Tasks' folder
2007-07-27 22:25:26 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
2007-07-25 18:38:41 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 21:49:05
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 21:51:57
C:\ComboFix-quarantined-files.txt ... 2007-08-02 21:50
C:\ComboFix2.txt ... 2007-08-02 10:59
C:\ComboFix3.txt ... 2007-08-01 22:33

--- E O F ---

MichiganGirl
2007-08-03, 04:11
Here's my new HijackThis log. Seems to be the same. After I try to remove things, I always get Spybot S&D asking if I want to change something, and I don't always know if it's asking if I want to change it, or if something else is trying to change it back. After I scanned, something kept trying to change something that was on the deny list, and I had to reboot my PC or it would keep popping up the window saying it was denied.

Logfile of HijackThis v1.99.1
Scan saved at 9:58:19 PM, on 8/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Anisah\Desktop\Downloads\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pageaday.com/pad/2007CATS/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60875658-630e-4dfa-84d3-806432bdc66d} - (no file)
O2 - BHO: (no name) - {706706E8-3111-423C-B165-69AD659F541C} - (no file)
O2 - BHO: (no name) - {72F6D9A2-853F-41ED-AC9F-62E1CB8E7639} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - c:\program files\peoplepc\toolbar\scamgrd.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: (no name) - {FD4AE849-FEDD-4564-A873-D3EA7592F76B} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O20 - Winlogon Notify: ddayx - C:\WINDOWS\
O20 - Winlogon Notify: mljhggd - C:\WINDOWS\
O20 - Winlogon Notify: ssttr - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The error I told you about earlier didn't come up after Windows was already booted, but before Windows loads. It said it is a POST Startup Error, 2 of them, 262 and 162. So it's not that popup that comes when you start your computer after you change something, I know how to deal with that.

Thanks!

steamwiz
2007-08-03, 22:06
Hi

I don't know why combofix wouldn't accept the cfscript.txt file ... but well done for getting it to run (it worked OK)

Actually... it removed all the files & the registry entries from HijackThis... when you got the messages from Spybot, you should have allowed the changes... by denying them, you caused Spybot to put them back...

To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

THEN run hijackthis & fix these :-

R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - (no file)

O2 - BHO: (no name) - {60875658-630e-4dfa-84d3-806432bdc66d} - (no file)
O2 - BHO: (no name) - {706706E8-3111-423C-B165-69AD659F541C} - (no file)
O2 - BHO: (no name) - {72F6D9A2-853F-41ED-AC9F-62E1CB8E7639} - (no file)

O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: (no name) - {FD4AE849-FEDD-4564-A873-D3EA7592F76B} - (no file)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

O16 - DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} -

O20 - Winlogon Notify: ddayx - C:\WINDOWS\
O20 - Winlogon Notify: mljhggd - C:\WINDOWS\
O20 - Winlogon Notify: ssttr - C:\WINDOWS\


Then ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed, update the definitions
and then run a full system scan; quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

steam
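
As an added example (written for this thread, not part of it and not HijackThis code), the triage rules steamwiz applied when choosing the entries above can be expressed as a small pass over HijackThis log lines: R3 URLSearchHook and O2 BHO entries that resolve to "(no file)" are orphaned registrations whose DLL is already gone, O16 DPF entries with no download URL have nothing to verify them against, and O20 Winlogon Notify entries whose path is a bare C:\WINDOWS\ with no DLL name are the leftover loading points. The sample lines are copied from the log posted in this thread; the parsing rules (splitting on the last " - ") are an assumption about the log layout and are what you would adapt if a line does not fit.

```python
"""Added example: a triage pass over HijackThis v1.99.1 log lines that
flags the entry types steamwiz picked out for fixing.  It works from the
log text alone and does not touch the registry or filesystem."""

import re

_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O20 - Winlogon Notify: ddayx - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def clsid_of(line):
    """Return the first well-formed {CLSID} in a log line, or None."""
    m = _CLSID.search(line)
    return m.group(0) if m else None


def split_entry(line):
    """Split 'O2 - BHO: name - {clsid} - target' into (type, head, target).

    Assumed layout: the entry type precedes the first ' - ', the target
    (file path, URL or '(no file)') follows the last ' - '.  A line ending
    in a bare ' -' (O16 with no URL) has an empty target."""
    line = line.rstrip()
    entry_type = line.split(" - ", 1)[0]
    if line.endswith(" -"):
        return entry_type, line[:-2], ""
    head, _, target = line.rpartition(" - ")
    return entry_type, head, target


def triage(log_text):
    """Return a list of dicts for the lines that match the flag rules."""
    flagged = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry_type, head, target = split_entry(raw)
        reason = None
        if entry_type in ("R3", "O2") and target == "(no file)":
            reason = "orphaned registration: DLL no longer present"
        elif entry_type == "O16" and target == "":
            reason = "ActiveX control with no download URL to verify against"
        elif entry_type == "O20" and target.endswith("\\"):
            reason = "Winlogon Notify points at a directory, not a DLL"
        if reason:
            flagged.append({"type": entry_type, "clsid": clsid_of(raw),
                            "target": target, "reason": reason,
                            "line": raw.rstrip()})
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %-40s %s" % (f["type"], f["clsid"] or "-", f["reason"]))
```

Run over the full log rather than the sample and you get the same list steamwiz typed out by hand, minus the two R3/O2 lines whose CLSID braces were mangled (those still carry "(no file)" and are flagged; only `clsid_of` returns None for them). Entries with a real path or URL, such as the Adobe and Spybot helpers and the avast! service, are left alone.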

MichiganGirl
2007-08-04, 21:56
Here's my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:55:01 AM, on 8/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Anisah\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pageaday.com/pad/2007CATS/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

MichiganGirl
2007-08-04, 21:58
Here's my SUPERAntiSpyware scan. How does it look?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/04/2007 at 03:41 PM

Application Version : 3.9.1008

Core Rules Database Version : 3279
Trace Rules Database Version: 1290

Scan type : Complete Scan
Total Scan Time : 05:19:35

Memory items scanned : 332
Memory threats detected : 0
Registry items scanned : 5864
Registry threats detected : 4
File items scanned : 144544
File threats detected : 4

Browser Hijacker.Apropos Media/PeopleOnPage
HKLM\Software\Classes\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\Implemented Categories
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}

Adware.Tracking Cookie
C:\Documents and Settings\Anisah\cookies\anisah@www.incentaclick[1].txt
C:\Documents and Settings\Anisah\cookies\anisah@cpvfeed[2].txt

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VVDIAIS.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{592C7A0A-63B0-46E1-8215-E7D1E50ED8A4}\RP11\A0015388.DLL

steamwiz
2007-08-04, 23:51
Hi

Remove these entries; red.clientapps is connected with spyware ...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

& you can delete this folder :- C:\QOOBOX

Then you're all clear ... is your problem resolved ?

steam
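The entries steam singles out are the R0/R1 lines whose URL points at a host tied to spyware. As an added example (not code from this thread or from HijackThis), here is a small parser that reads HijackThis-format R lines and flags the ones whose first URL host is on a watchlist; the sample lines and the watchlist are constructed for the example, with red.clientapps.yahoo.com on it because the thread calls it out.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.99.1 format: two lines modelled on
# the search-setting entries flagged in the thread, plus benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pageaday.com/pad/2007CATS/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
"""

# Assumed watchlist for the example; the thread names only this host.
WATCHLIST = {"red.clientapps.yahoo.com"}

# "R1 - HKCU\...\Main,Search Bar = <value>"  ->  section, key, value
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+\\[^=]+?) = (.*)$")

def parse_r_entries(log_text):
    """Return (section, key, value) tuples for every R0-R3 line."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def first_host(value):
    """Host of the first URL in a value, or '' if the value holds no URL.

    Hijacked search settings often chain a second URL after '*', as in the
    sample above, so only the part before '*' is examined.
    """
    head = value.split("*", 1)[0].strip()
    if "://" not in head:
        return ""          # e.g. the ProxyServer value ":0"
    return urlsplit(head).hostname or ""

def flag_entries(log_text, watchlist=WATCHLIST):
    """Return (section, key, host) for R lines whose host is on the watchlist."""
    flagged = []
    for section, key, value in parse_r_entries(log_text):
        host = first_host(value)
        if host in watchlist:
            flagged.append((section, key, host))
    return flagged

if __name__ == "__main__":
    for section, key, host in flag_entries(SAMPLE_LOG):
        print(f"{section}  {key}  ->  {host}")
```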

MichiganGirl
2007-08-05, 01:22
Then you're all clear ... is your problem resolved ?

steam

Everything seems to be running good and fast.

I'd like some advice on what exactly I need to do to keep this stuff off my computer. I use Zone Alarm Firewall, and Search and Destroy Teatimer, but those weren't keeping things off. In trying to get that stuff off I have Avast anti-virus running as well. What do you recommend be running to keep stuff off in real-time, and what should I use to scan the pc and how often?

Thanks so much for your help!

MG

steamwiz
2007-08-05, 21:10
Hi

You're very welcome... :)

Have a look here at this article by TonyKlein ... So how did I get infected in the first place? :-

http://forums.spybot.info/showthread.php?t=279

Happy surfing

steam