View Full Version : Need Help Getting Rid of Virtumonde
jerseynomore
2008-02-09, 05:31
Hello,
My computer has become infected with Virtumonde. McAfee says it has been removed but Spy-Bot is still picking it up and cannot fix it. I've been trying to get rid of this for 3 days :mad:- nothing is working!
Here is the HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:11 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Documents and Settings\Corinne Groth\My Documents\My Music\limewire\LimeWire.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\PeoplePC\ISP6600\Browser\Bartshel.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\PeoplePC\ISP6600\Browser\Bartshel.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\PeoplePC\ISP6600\Browser\PPShared.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\Updates\sbsd152upd.exe
C:\DOCUME~1\CORINN~1\LOCALS~1\Temp\is-CRI81.tmp\sbsd152upd.tmp
C:\WINDOWS\system32\taskmgr.exe
c:\PROGRA~1\mcafee\mpf\mc\mpfalert.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6600\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [a415e5ed] rundll32.exe "C:\WINDOWS\system32\tqpabrrk.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\Corinne Groth\My Documents\My Music\limewire\LimeWire.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ListGrabber Standard 4.0 - {1B617093-5CD4-42f5-91CA-AD1004C83588} - C:\Program Files\eGrabber\ListGrabber Standard 4.0\InternetAddress.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2CE8DDC-B1DE-4436-B16F-00FA430F52B3}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 11386 bytes
The Kaspersky Online Scanner will not launch.
Any help will be greatly appreciated! Thanks!
jerseynomore
Welcome to Safer Networking.
Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Please download SuperAntiSpyware Free (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
jerseynomore
2008-02-10, 00:51
Hello,
Thank you for responding and for your assistance.
Here is the SuperAntiSpyware Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/09/2008 at 04:31 PM
Application Version : 3.9.1008
Core Rules Database Version : 3399
Trace Rules Database Version: 1391
Scan type : Complete Scan
Total Scan Time : 00:53:54
Memory items scanned : 650
Memory threats detected : 3
Registry items scanned : 5437
Registry threats detected : 10
File items scanned : 34106
File threats detected : 211
Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\MLJJI.DLL
C:\WINDOWS\SYSTEM32\MLJJI.DLL
HKLM\Software\Classes\CLSID\{C102E2A6-F077-4F44-A419-7B906BE57C0A}
HKCR\CLSID\{C102E2A6-F077-4F44-A419-7B906BE57C0A}
HKCR\CLSID\{C102E2A6-F077-4F44-A419-7B906BE57C0A}\InprocServer32
HKCR\CLSID\{C102E2A6-F077-4F44-A419-7B906BE57C0A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C102E2A6-F077-4F44-A419-7B906BE57C0A}
Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\MSACGKCY.DLL
C:\WINDOWS\SYSTEM32\MSACGKCY.DLL
HKLM\Software\Classes\CLSID\{8adb7034-e9b2-45d9-871d-ec94e696d359}
HKCR\CLSID\{8ADB7034-E9B2-45D9-871D-EC94E696D359}
HKCR\CLSID\{8ADB7034-E9B2-45D9-871D-EC94E696D359}\InprocServer32
HKCR\CLSID\{8ADB7034-E9B2-45D9-871D-EC94E696D359}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8adb7034-e9b2-45d9-871d-ec94e696d359}
C:\WINDOWS\SYSTEM32\AFRYJGQW.DLL
C:\WINDOWS\SYSTEM32\DROSWCAC.DLL
C:\WINDOWS\SYSTEM32\JPUPGXNE.DLL
C:\WINDOWS\SYSTEM32\QHANSHJY.DLL
C:\WINDOWS\SYSTEM32\RJVVAPDE.DLL
C:\WINDOWS\SYSTEM32\TQPABRRK.DLL
C:\WINDOWS\SYSTEM32\UMVYOMUA.DLL
C:\WINDOWS\SYSTEM32\YOWEBLBI.DLL
Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\SSLDEYBA.DLL
C:\WINDOWS\SYSTEM32\SSLDEYBA.DLL
Adware.Tracking Cookie
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@secure.systemerrorfixer[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@bestsellerantivirus[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@winanonymous[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@login.tracking101[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@angleinteractive.directtrack[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@www.incentaclick[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@adinterax[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@bizadverts[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@statsgod[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@trustedantivirus[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@cpvfeed[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@systemerrorfixer[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@richmedia.yahoo[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@incentaclick[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@advancedcleaner[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@imrworldwide[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@clickbank[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@directtrack[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@questionmarket[5].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@2o7[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@2o7[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@2o7[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@adbrite[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@adbrite[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@adopt.euroclick[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@adopt.euroclick[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@adopt.specificclick[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@adopt.specificclick[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@adopt.specificclick[4].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@ads.addynamix[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@ads.pointroll[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@ads.pointroll[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@ads.realtechnetwork[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@ads.realtechnetwork[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@ads.revsci[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@ads.revsci[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@advertising[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@advertising[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@aff.primaryads[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@atdmt[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@atdmt[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@bjmediationservices[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@bookspan.122.2o7[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@burstnet[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@clickbank[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@clickbank[4].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@directtrack[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@ge.112.2o7[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@h.starware[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@h.starware[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@h.starware[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@h.starware[4].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@h.starware[6].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@idicampaigns.directtrack[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@linksynergy[10].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@linksynergy[11].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@linksynergy[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@linksynergy[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@linksynergy[4].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@linksynergy[5].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@linksynergy[6].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@linksynergy[7].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@linksynergy[8].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@linksynergy[9].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@livemercial.112.2o7[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@network.realmedia[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@overture[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@overture[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@overture[4].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@partner2profit[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@questionmarket[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@questionmarket[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@questionmarket[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@realmedia[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@revenue[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@revsci[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@revsci[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@revsci[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@richmedia.yahoo[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@richmedia.yahoo[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@roiservice[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@samsclub.112.2o7[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@serving-sys[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@serving-sys[3].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@specificclick[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@specificclick[2].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@statse.webtrendslive[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@tacoda[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@trafficmp[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@www.burstbeacon[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@www.burstnet[1].txt
C:\Documents and Settings\Corinne Groth\Cookies\corinne_groth@www.oberon-media[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn groth@stats.crayola[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@2o7[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@2o7[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@ad.yieldmanager[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@ad.yieldmanager[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@adbrite[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@adecn[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@adlegend[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@adlegend[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@adlegend[4].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@adopt.euroclick[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@adopt.euroclick[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@adopt.specificclick[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@ads.adbrite[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@ads.adbrite[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@ads.pointroll[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@advertising[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@advertising[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@advertising[4].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@apmebf[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@apmebf[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@ar.atwola[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@atdmt[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@atdmt[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@bluestreak[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@burstnet[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@casalemedia[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@citi.bridgetrack[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@collective-media[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@ehg-viacom.hitbox[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@enhance[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@fastclick[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@fastclick[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@hitbox[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@htmlgear.tripod[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@login.tracking101[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@media.adrevolver[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@media.adrevolver[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@media.adrevolver[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@media.adrevolver[4].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@media.mtvnservices[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@mediaplex[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@mediaplex[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@msnportal.112.2o7[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@overture[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@partner2profit[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@precisionclick[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@questionmarket[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@questionmarket[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@questionmarket[4].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@realmedia[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@specificclick[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@specificclick[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@specificclick[4].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@statcounter[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@statsgod[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@statsgod[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@tacoda[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@tacoda[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@trafficmp[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@trafficmp[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@tremor.adbureau[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@tribalfusion[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@tribalfusion[2].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@tribalfusion[3].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@tribalfusion[4].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@www.googleadservices[1].txt
C:\Documents and Settings\Eryn Groth\Cookies\eryn_groth@zedo[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@ad.yieldmanager[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@adlegend[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@adopt.euroclick[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@adrevolver[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@advertising[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@advertising[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@advertising[3].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@atdmt[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@atdmt[3].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@bluestreak[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@bs.serving-sys[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@casalemedia[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@doubleclick[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@doubleclick[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@eyeblast.adbureau[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@fastclick[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@fastclick[3].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@imrworldwide[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@media.adrevolver[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@mediaplex[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@mediaplex[3].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@partner2profit[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@precisionclick[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@questionmarket[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@realmedia[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@realmedia[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@specificclick[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@tacoda[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@trafficmp[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@trafficmp[3].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@tribalfusion[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@tribalfusion[2].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@tribalfusion[4].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@wegmansfoods.112.2o7[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@yieldmanager[1].txt
C:\Documents and Settings\Robert Groth\Cookies\robert_groth@zedo[2].txt
Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\CORINNE GROTH\FAVORITES\ONLINE SECURITY TEST.URL
Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\IJJLM.INI
jerseynomore
2008-02-10, 00:53
Hi Again, I guess this is too long to post in one reply
Here is the ComboFix Log:
ComboFix 08-02.05.3 - Corinne Groth 2008-02-09 17:15:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -5:00]
Running from: C:\Documents and Settings\Corinne Groth\Local Settings\Temporary Internet Files\Content.IE5\NE42G58T\ComboFix[1].exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\mljji.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aumoyvmu.ini
C:\WINDOWS\system32\cacwsord.ini
C:\WINDOWS\system32\edpavvjr.ini
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\krrbapqt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\yckgcasm.ini2
C:\WINDOWS\system32\yckgcasm.tmp
C:\WINDOWS\system32\yjhsnahq.ini
----- BITS: Possible infected sites -----
hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.
2008-02-09 15:27 . 2008-02-09 16:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-09 15:27 . 2008-02-09 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-09 15:26 . 2008-02-09 15:26 <DIR> d-------- C:\Documents and Settings\Corinne Groth\Application Data\SUPERAntiSpyware.com
2008-02-08 21:13 . 2008-02-08 21:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 21:39 . 2008-02-06 21:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-06 20:06 . 2006-04-10 23:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-02-05 16:41 . 2008-02-05 16:47 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-02-05 16:41 . 2008-02-05 16:41 <DIR> d-------- C:\temp\isgTi19
2008-01-26 16:36 . 2008-01-26 16:36 63,624 --a------ C:\Documents and Settings\Corinne Groth\Application Data\GDIPFONTCACHEV1.DAT
2008-01-24 11:34 . 2008-01-24 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 20:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 15:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 14:21 --------- d-----w C:\Documents and Settings\Corinne Groth\Application Data\AdobeUM
2008-02-08 02:49 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-04 03:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-03 19:53 39,564 ----a-w C:\Documents and Settings\Corinne Groth\Application Data\wklnhst.dat
2008-01-30 22:34 --------- d-----w C:\Program Files\PhoTags Express
2008-01-29 02:40 --------- d-----w C:\Documents and Settings\Corinne Groth\Application Data\ListGrabber Standard 4.0
2008-01-18 17:05 --------- d-----w C:\Program Files\McAfee
2008-01-15 20:21 --------- d-----w C:\Documents and Settings\Robert Groth\Application Data\SiteAdvisor
2008-01-06 20:26 --------- d-----w C:\Program Files\Lavasoft
2007-12-30 16:34 --------- d-----w C:\Program Files\MSN Games
2007-12-28 18:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-27 16:00 --------- d-----w C:\Program Files\Maxis
2007-12-21 18:32 2,924 ----a-w C:\Documents and Settings\Eryn Groth\Application Data\wklnhst.dat
2007-11-04 23:35 636 ----a-w C:\Documents and Settings\Robert Groth\Application Data\wklnhst.dat
2007-10-10 00:32 63,624 ----a-w C:\Documents and Settings\Eryn Groth\Application Data\GDIPFONTCACHEV1.DAT
2006-07-03 18:41 56 --sh--r C:\WINDOWS\system32\FE721DDE30.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 02:48 36975]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-10 23:23 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-10 23:23 98304]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 15:30 58992]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 16:05 1537696]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20 110592]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20 8192]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 11:06 106496]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36 114688]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16 1121792]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-02-08 21:39 36904]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 00:22 57344]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33 582992]
"Bart Station"="C:\Program Files\PeoplePC\ISP6600\BIN\PPCOLink.exe" [2007-08-07 11:22 25944]
"a415e5ed"="C:\WINDOWS\system32\msacgkcy.dll" [ ]
C:\Documents and Settings\Corinne Groth\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Documents and Settings\Corinne Groth\My Documents\My Music\limewire\LimeWire.exe [2007-09-17 09:19:14 147456]
WkCalRem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2005-10-07 16:35:12 21504]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-10 23:20:21 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
.
Contents of the 'Scheduled Tasks' folder
"2007-02-28 01:44:27 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-02-28 01:44:25 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 17:30:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\PeoplePC\ISP6600\Browser\Bartshel.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\PeoplePC\ISP6600\Browser\PPShared.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-02-09 17:35:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 22:35:15
.
2008-01-10 01:31:28 --- E O F ---
jerseynomore
2008-02-10, 00:57
And here is the latest Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:43 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeoplePC\ISP6600\Browser\Bartshel.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Corinne Groth\My Documents\My Music\limewire\LimeWire.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\PeoplePC\ISP6600\Browser\PPShared.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6600\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [a415e5ed] rundll32.exe "C:\WINDOWS\system32\msacgkcy.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\Corinne Groth\My Documents\My Music\limewire\LimeWire.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ListGrabber Standard 4.0 - {1B617093-5CD4-42f5-91CA-AD1004C83588} - C:\Program Files\eGrabber\ListGrabber Standard 4.0\InternetAddress.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 11363 bytes
There was one thing I was not sure about. After ComboFix rebooted the computer, a message came popped up after the computer came back up and I logged in: "Error Loading C:\windows\system32\msacgkcy.dll The specified module could not be found. Is this OK?
Again, thank you very much for all your help.
Hello,
The error your getting is related to Vundo , this will fix it.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKLM\..\Run: [a415e5ed] rundll32.exe "C:\WINDOWS\system32\msacgkcy.dll",b
O8 - Extra context menu item: &Search - ?p=ZJ
Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Go to this site Jotti Upload (http://virusscan.jotti.org/) and under the browse feature, browse to this file
C:\WINDOWS\system32\FE721DDE30.sys
Then click on Submit and it will give you a report, post the report in your next reply.
How is your system running now???
jerseynomore
2008-02-10, 02:30
Hello,
I have deleted the files you listed with the Hijack this, and downloaded and ran the CCleaner.
When I went to the Jotti Upload and browsed for the file you mentioned, C:\windows\system32\FE721DDE30.sys, there was no file with this name. What should I do?
My computer is running MUCH MUCH better now...I'm so happy I could cry, this has aggravated me to no end since Wednesday! You are the best! Let me know what I should do about that file I can't find.
Thanks!
Try this, if you still can't find it then it may be gone.
We need to make sure all hidden files are showing :
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Once your system is clean, we suggest that you reverse this to keep critical windows files from accidentally being deleted.
jerseynomore
2008-02-10, 02:58
Hello,
That worked - I found it.
Here is the report from the Jotti Upload:
Service load: 0% 100%
File: FE721DDE30.sys
Status: OK
MD5: 211be947c51b27a3a95adeab19550296
Packers detected: -
Bit9 reports: File not found
Scanner results
Scan taken on 10 Feb 2008 00:51:36 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Thank you again! Let me know if I need to do anything else.
Hello,
That file does not appear to be a threat, everything else looks good :bigthumb: Please don't cry anymore :funny:
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0.0.12 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Glad we could help
Safe Surfn
Ken