Help Please, infected computer



40luv
2009-03-20, 08:37
Have a desktop PC with a warning that the computer is infected. The desktop background color turned to black. There is a rectangular box in the middle of the screen that says "Dangerous Spyware" and that many viruses were found on your computer, such as Trojan Horse, PassCapture, etc.

Also I cannot get on the internet anymore. This happened as soon as my Norton antivirus subscription expired and I did not renew, like an hour later. Thanks for any assistance you can give me.

shelf life
2009-03-21, 14:40
hi,

Is there any way you can transfer files to the infected computer via USB drive or even CD?


Also i cannot get on the internet anymore
try: Start > Run and type in iexplore.exe
See if IE launches. If so, your first stop is MBAM:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click **Remove Selected.**
* A restart may be required to finish the clean-up process.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in your reply.
If you have to transfer with a USB drive, post back first before doing it.

40luv
2009-03-22, 04:20
Thanks for responding. I ran MBAM but in my excitement forgot to save the log. Is the log gone for good, or can I retrieve it from somewhere? Also, after I rebooted to normal mode and updated MBAM, I ran another full scan and this scan is taking forever. It's already over 2 hours and seems to be running slow. The initial scan in safe mode only took 49 minutes and it found over 200 pieces of malware. Please advise, thanks again.

shelf life
2009-03-22, 04:29
hi,

You should find the MBAM logs here:

The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

The scan in normal mode could take some time. If it seems to stop then boot into safe mode to run it again.

Make sure you do this part after a scan:

When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click **Remove Selected.**
If prompted to restart the computer (to remove malware), please do so.
Do you have internet connectivity now?

40luv
2009-03-22, 06:56
Yes, I can connect to the internet now.

Here is the log after first scan in safe mode:

Malwarebytes' Anti-Malware 1.34
Database version: 1883
Windows 5.1.2600 Service Pack 3

3/21/2009 8:05:46 PM
mbam-log-2009-03-21 (20-05-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190106
Time elapsed: 49 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 18
Registry Values Infected: 37
Registry Data Items Infected: 12
Folders Infected: 2
Files Infected: 164

Memory Processes Infected:
C:\WINDOWS\Temp\F2AC.tmp (Backdoor.KeyStart) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\crypts.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Ron\Local Settings\Temp\ntdll64.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69198420-a2eb-4bf8-868c-3f9ec5ed168a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69198420-a2eb-4bf8-868c-3f9ec5ed168a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ocitoigs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ocitoigs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ocitoigs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{69198420-a2eb-4bf8-868c-3f9ec5ed168a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\14a506b1 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\14a506b1 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\14a506b1 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a0e410d3 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosikoloko (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows resurections (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zyker6756max4hbi8c75m6dxe7pm5ym1xksvbo9b80xnt (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ihe7k7oawhumif4o8dcv2ongfs2mrrnnzgd4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ou8thr8z44cgh5hvl4al76kxyzdalw (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e4ikpy0l6w3bv0vm47lr9nkskhmvs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pidibzfhsgcan61qd3wsavopw1dm815exazyvp99fwlyh6z (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vmls4609thbysygmd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\r5dvwl3uj1k5hztqr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nmwlx62ovko350r3s3udlz31opq611ap25l0d58pdhsleu6ee (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ycyn9auzigwv5wyktor (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zlm9ray3un (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nz19y26oao3efc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\q0zvx7hwscaudda1p9uoisludg8qm9711e (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jznt6ql692kxfq621zf1803lk7rbh15wgeu5nm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ortu6drreblz9nu3burk8mz7q8k (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ra15d3sf4ow99lhdovwec1paqw (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\onzt7mjv29c7avgpkts676u2ddkqmg4orxn7nb5scoft10 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdh1cwihrhrfv5i3j0cubloizdtk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doo6b3bwxa (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sb9almf5ls64hvv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cymt4wo1ce6kwvm6si3mak (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qx0x3ynvkt1kak9zrr2bzef07fi5x3fg95py8gexwppb0 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vpykmp90ab2wt3 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjnoz0riwnb8dxcpr4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\o8374sy3v83rfacivlqs5s1gzs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxntdtebfpjx96rlpg408kguh5pdoxyrtozgjyoxjy52hvr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lz5x9yw4pa4cwlb7bsl23i54g (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mf1m7lo7t012p (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a7vbiwclk02clsnijjasuqpkljhg5nu032b8ps71th4b8ljie (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nc4ghimhp4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsuyobifama (Trojan.Hiloti) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwotikiyi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntiVirGear 3.8 (Rogue.AntiVirGear) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243336031-1052116379-181863308-1851 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\kemuboti.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\itobumek.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rugahojo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\witukezo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\crypts.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Ron\Local Settings\Temp\ntdll64.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\Temp\F2AC.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\j0kye.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\kocemzdsud.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\gyjpqubim.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\b1n73k6bl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\fqipgzj68w5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ywb7nlu8skcs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\uhuqz5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\pd1afa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\1024051776.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\cgflne.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\plpvd48.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\i6aznm5v6vm2a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\z0wrq80x.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\itbsbtui9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ps1duoo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\o6jxtr1w.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\k1o3zldgscnpu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\o87co8pi.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\n6m3ba2qf1e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\wrpe0v8py.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\onwfg0zg0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\civg9ta8j.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\aemyn5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\wmvb1v5a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\on2wqh1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\bmiffhab.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\bdk2ew.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\y427bonsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\kocs28.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\oayogq0qwy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\xtb22f10zso85.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\iqsiz8y.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\vt5xib0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\wkav9bks.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\r07jkcsh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\nlx56vpeih8n.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\a9pd02c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\cmnd2qdi03azc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\zogtgbkyeryy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\hxvt4id8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\dievxjhut4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\esjtoj15uyc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\wo7d4oswdso.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\khlggeb6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\zk4hjl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\zuzkpieri4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\qvmu5l.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ft3bzbhkg5o84.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ua3st1frdn5h.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\rcw87m37rbt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\jdw939p1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\fymvpsmyz5bl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\n2yu9nv7gbzs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\mstwinbwfh4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\uwmc2ik5wns.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\b9adcd93cz.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\xqemdtbe1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\a09629svu5ami.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\zq48bs8ktbfh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\hug7cnhtah3o.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ljsppj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ohzsuyn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ifxdbt70.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\o5mr11klp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\g1tb06bv8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ztodx9rbs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\f1q084.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\c3jxmprsljgyg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\u491bbnxndfl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\szdykx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Wlutoyamuzag.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\frmwrk32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\ieghyv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\kfnuc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\mtaueu.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\sjsocfq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\sxprfkgw.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\tlgvlvdw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\tunvfcbl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\vbmbpkar.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\vvpjmgd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\wkaqjah.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\wwypotq.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\ntdll64.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\2EL33V5P\730f[1].exe (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M9YLIR0L\nyfa32[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\005.exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\1021708026.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\146.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\222169550.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\333218676.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\354624926.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\51700800.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\81.tmp (Trojan.Spambot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\D1F1.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\ky59htvba.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\rip10.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1751WMNT\ccsuper0[1].htm (Trojan.Spambot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1751WMNT\ccsuper1[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1751WMNT\exylmmm[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1751WMNT\loaderadv563[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1751WMNT\wgpqnrfsc[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1XOFHTMU\ccsuper2[1].htm (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1XOFHTMU\mjgthh[1].htm (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\1XOFHTMU\pzwwkk[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\60070WQ5\ccsuper0[1].htm (Trojan.Spambot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\60070WQ5\mjgthh[1].htm (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\60070WQ5\ports[1].exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\A4ICSY8T\ccsuper1[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\A4ICSY8T\ccsuper2[1].htm (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\A4ICSY8T\fmvff[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\A4ICSY8T\wtddrrsfg[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\ONS9ADUG\730f[1].exe (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\ONS9ADUG\730f[2].exe (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\ONS9ADUG\fmvff[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\T31OUAEX\style[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\T31OUAEX\wtddrrsfg[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\T31OUAEX\xdqrr[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\W3B5MMM2\ccsuper3[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\W3B5MMM2\exylmmm[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\Z171Q835\pzwwkk[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\Z171Q835\wgpqnrfsc[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\Z171Q835\xdqrr[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243336031-1052116379-181863308-1851\vsexy1.exe (Trojan.Injector) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-8518236536-7216142548-619037727-7372\service.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bdmaud.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dalefuve.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rilajezo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yoyorena.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zukepive.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\14a506b1.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1233011935exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1699953497exe. 1444 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\33B3.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\343A.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3995.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4800.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\742648650exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\8840.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\8976.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\9322.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ED97.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\F0E9.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\FF64.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Program Files\AntiVirGear 3.8\ignored.lst (Rogue.AntiVirGear) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243336031-1052116379-181863308-1851\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\axacatev.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32:ydaa.dll (Rootkit.ADS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\svchost.exe:ext.exe (Rootkit.ADS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Ron\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.

40luv
2009-03-22, 06:59
Hello again,

Here is the log after the second scan in normal mode... took over 4 hours!

Malwarebytes' Anti-Malware 1.34
Database version: 1883
Windows 5.1.2600 Service Pack 3

3/22/2009 12:35:45 AM
mbam-log-2009-03-22 (00-35-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182734
Time elapsed: 4 hour(s), 19 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.

shelf life
2009-03-22, 15:41
hi,

That's quite a load you had. How long has your machine been like this? You had some processes that may have allowed remote access to your machine.

We will get one more download to use. It's called ComboFix. There is a guide to read first. Read the guide, download ComboFix to your desktop, disable any AV as explained in the guide, double-click the icon and follow the prompts.

the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
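
As an added example (not part of this thread), here is a small Python triage script for MBAM 1.x logs like the one posted above. It parses each `path (Family) -> action` line, groups detections by family, and pulls out what a responder checks first: Backdoor/Rootkit families (the remote-access concern raised above), NTFS alternate data streams (the `svchost.exe:ext.exe` style entries), the Winlogon items, and anything still marked "Delete on reboot", which MBAM only removes once the machine has actually restarted. The sample log is constructed from lines in this thread.

```python
import re
from collections import Counter

# MBAM 1.x result line: "<item> (<Family>) -> [Data: ... -> ]<action>."
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9_.]+)\) -> (?P<rest>.+?)\.?$"
)

# Families whose presence means someone else may have had control of the box.
REMOTE_ACCESS_PREFIXES = ("Backdoor.", "Rootkit.")

# Constructed sample: a subset of the lines posted in this thread.
SAMPLE_LOG = r"""
Files Infected: 5
Registry Data Items Infected: 1

Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\14a506b1.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\33B3.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\svchost.exe:ext.exe (Rootkit.ADS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, family, detail, action."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):          # section header, not the summary count
            section = line[: -len(" Infected:")]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("rest").split(" -> ")
        findings.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "detail": " -> ".join(parts[:-1]),   # e.g. "Data: ..." for registry data items
            "action": parts[-1],
        })
    return findings


def is_ads_path(item):
    """A second colon in a file path means an NTFS alternate data stream (file.exe:stream)."""
    return item.count(":") > 1


def triage(findings):
    """Summarise what a responder wants first from the parsed log."""
    return {
        "by_family": Counter(f["family"] for f in findings),
        "remote_access": sorted({f["family"] for f in findings
                                 if f["family"].startswith(REMOTE_ACCESS_PREFIXES)}),
        "ads": [f["item"] for f in findings
                if f["family"] == "Rootkit.ADS" or is_ads_path(f["item"])],
        "pending_reboot": [f["item"] for f in findings if f["action"] == "Delete on reboot"],
        "winlogon": [f for f in findings if "\\Winlogon\\" in f["item"]],
    }


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a saved mbam-log-*.txt by reading the file into `parse_mbam_log`; the "pending_reboot" list is the one to re-check after the restart, and a non-empty "remote_access" list is the cue to change passwords from a clean machine.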

40luv
2009-03-22, 16:40
Hi.

Yes, I thought that was a lot. The computer was only unusable (couldn't access the internet) a couple of days ago.

Remote access sounds scary and bad.

I will try downloading ComboFix.

P.S.
I know we probably should tackle one issue at a time, but I'd like to ask this question. When I double-click on Mozilla Firefox from my desktop I get the following alert!

"Could not initialize the application security component. Most likely cause is problems with files in your application profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full"

Then when I try to log on to anything that requires signing on, e.g. AOL Mail or online banking, I get a Secure Connection Failed error message. See below:

Secure Connection Failed

An error occurred during a connection to my.screenname.aol.com.

Can't connect securely because the SSL protocol has been disabled.

(Error code: ssl_error_ssl_disabled).

Any ideas? Thanks again.

40luv
2009-03-22, 17:13
Here is the ComboFix log:

ComboFix 09-03-19.02 - Ron 2009-03-22 10:58:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.229 [GMT -4:00]
Running from: c:\documents and settings\Ron\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\nsv
c:\documents and settings\All Users\Application Data\nsv\cache\400.dfn
c:\documents and settings\All Users\Application Data\nsv\cache\404.dfn
c:\documents and settings\All Users\Application Data\nsv\keys.dat
c:\documents and settings\All Users\Application Data\nsv\wmv0104.dbd
c:\documents and settings\All Users\Application Data\nsv\wmv0106.ddx
c:\documents and settings\All Users\Application Data\nsv\wmv0204.ddx
c:\documents and settings\All Users\Application Data\nsv\wmv0412.ddx
c:\documents and settings\All Users\Application Data\nsv\wmv0504.ddx
c:\documents and settings\All Users\Application Data\nsv\wmv0904.ddx
c:\windows\system32\bsnzafqa.bin
c:\windows\system32\cfg.dat
c:\windows\system32\ofeyahij.ini
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\whcc-giant.exe

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_icf


((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-03-22 09:33 . 2009-03-22 09:33 <DIR> d-------- c:\program files\CCleaner
2009-03-22 02:28 . 2009-03-22 02:28 <DIR> d-------- c:\program files\Unlocker
2009-03-22 02:28 . 2009-03-22 02:28 <DIR> d-------- c:\documents and settings\Ron\Application Data\Desktopicon
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\documents and settings\Ron\Application Data\Malwarebytes
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-21 17:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-21 17:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-17 17:31 . 2009-03-17 17:31 95,232 --a------ C:\fntq.exe
2009-03-17 17:27 . 2009-03-17 17:27 10,240 --a------ c:\windows\instsp2.exe
2009-03-17 17:27 . 2009-03-17 17:30 2 --a------ C:\-1595666308

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 15:03 --------- d-----w c:\documents and settings\All Users\Application Data\DIGStream
2009-03-22 05:58 --------- d-----w c:\program files\PokerStars
2009-03-22 05:57 --------- d--h--r c:\documents and settings\Ron\Application Data\yahoo!
2009-03-22 05:57 --------- d-----w c:\program files\Yahoo!
2009-03-22 05:57 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-03-22 05:39 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-22 05:38 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-17 17:05 --------- d-----w c:\program files\UltimateBet
2006-04-17 23:14 5,959 ----a-w c:\documents and settings\Incomplete\downloads.dat
2008-09-09 00:11 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080909\index.dat
2005-06-19 03:42 546,750 --sh--w c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak1
2005-06-20 17:20 545,827 --sh--w c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak2
2005-06-21 11:27 551,582 --sh--w c:\windows\SYSTEM32\DRIVERS\lmxlitu.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-29 180269]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-08-20 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mmtask"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\dalefuve.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\reader_sl.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-28 24652]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ocitoigs
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-03-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-UltimateBuddy - c:\program files\UltimateBuddy\UltimateBuddy.exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk
FF - ProfilePath - c:\documents and settings\Ron\Application Data\Mozilla\Firefox\Profiles\jl0573rw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 11:02:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\lu.dat:faykat 16384 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-22 11:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-22 15:08:43

Pre-Run: 14,255,632,384 bytes free
Post-Run: 14,791,856,128 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

164 --- E O F --- 2009-03-15 07:03:48
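
The part of the ComboFix log above that matters most is the "Reg Loading Points" block: the AppInit_DLLs value pointing at dalefuve.dll (a DLL that every process linking user32.dll loads), the Security Center DisableMonitoring values set to 1 (which silences the warnings about missing or disabled antivirus and firewall), and, from the MBAM log earlier, the Winlogon\Userinit entry. As an added example, not part of this thread or of ComboFix, here is a Python audit that parses that REGEDIT4-style block and flags those three things. The sample input is constructed from the log above, except for the Winlogon section, which is hypothetical (a second "extra.exe" entry appended to Userinit) and only there to exercise the check. Note that the Userinit check inspects the registry value only; a trojanized userinit.exe at the correct path, as ESET later identified here (Win32/FakeInit), needs a hash comparison of the file against a known-good copy, which is what ComboFix did when it restored from $NtServicePackUninstall$.

```python
import re

# Keys as ComboFix prints them, lower-cased for comparison.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WINDOWS_NT = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center\monitoring"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample in ComboFix's "Reg Loading Points" format. The Winlogon
# section (with a hypothetical extra.exe appended) is not from the thread; the
# rest mirrors the posted log.
SAMPLE_REG_POINTS = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\extra.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\dalefuve.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""


def parse_reg_points(text):
    """Parse the REGEDIT4-style block into {(key, value_name): raw_data}, lower-casing
    key and value name so comparisons do not depend on ComboFix's mixed case."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries[(key, m.group("name").lower())] = m.group("data").strip()
    return entries


def decode_data(data):
    """dword:00000001 -> 1; "path" [date size] -> 'path'; bare text -> text."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data
    return data


def audit_loading_points(entries):
    """Return (description, evidence) pairs for the persistence and tamper points
    that matter most in this kind of infection."""
    findings = []

    # ComboFix only prints non-default entries, so any AppInit_DLLs listing means a
    # DLL is being injected into every process that loads user32.dll.
    appinit = entries.get((WINDOWS_NT, "appinit_dlls"))
    if appinit:
        findings.append(("AppInit_DLLs set (DLL injected into every user32 process)",
                         decode_data(appinit)))

    # Userinit must be a single entry for system32\userinit.exe (the trailing comma
    # is normal). Anything else runs at every interactive logon.
    userinit = entries.get((WINLOGON, "userinit"))
    if userinit is not None:
        items = [p.strip().lower() for p in decode_data(userinit).split(",") if p.strip()]
        if len(items) != 1 or not items[0].endswith(r"\system32\userinit.exe"):
            findings.append(("Winlogon\\Userinit is not the single default entry",
                             decode_data(userinit)))

    # DisableMonitoring=1 under Security Center\Monitoring silences the warnings
    # about missing or disabled antivirus/firewall.
    for (key, name), data in entries.items():
        if key.startswith(SECURITY_CENTER) and name == "disablemonitoring" \
                and decode_data(data) == 1:
            findings.append(("Security Center monitoring disabled", key))
    return findings


if __name__ == "__main__":
    for what, evidence in audit_loading_points(parse_reg_points(SAMPLE_REG_POINTS)):
        print(f"{what}: {evidence}")
```

Paste the "Reg Loading Points" block of any ComboFix log into `parse_reg_points` to get the same three checks; an empty result means only the file-level verification (hashing userinit.exe against the DLLCACHE or service pack backup copy) is left to do.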

shelf life
2009-03-22, 19:42
Computer was only unusable (couldn't access internet) a couple days ago.
The malware could have been using your internet access the whole time.

We will use ComboFix to remove some files. Don't forget to disable your AV first.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:



File::
C:\fntq.exe
c:\windows\instsp2.exe
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak1
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak2
c:\windows\SYSTEM32\DRIVERS\lmxlitu.ini2

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag CFScript.txt right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log and a new HJT log.

Do an online scan here:

ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.

For the SSL problem, take a look here, under "Check your SSL settings":

http://support.mozilla.com/en-US/kb/Firefox+cannot+connect+securely+because+the+SSL+protocol+is+disabled

Most likely you do not use a proxy, so you can skip that part.
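
As an added example (not from the thread or from Mozilla), here is a Python check for the two settings the linked article has you look at. Firefox 3 keeps only non-default preferences in prefs.js (in the profile path ComboFix printed above) as `user_pref("name", value);` lines. `security.enable_ssl3` and `security.enable_tls` both forced to `false` is what produces the `ssl_error_ssl_disabled` message, and `network.proxy.type` 4 means "auto-detect proxy settings" (WPAD), which is the value ComboFix reported here. The script parses the file, reports those two conditions, and can produce a copy with the SSL kill-switch lines removed so the built-in defaults (both true) apply again. The sample prefs.js is constructed; its two `security.enable_*` lines are hypothetical and only there to exercise the check. Edit prefs.js only while Firefox is closed, since Firefox rewrites it on exit.

```python
import json
import re

# One preference per line: user_pref("name", value);  value is JSON-compatible.
PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);\s*$')

# Meaning of network.proxy.type in Firefox.
PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC script", 4: "auto-detect (WPAD)", 5: "system"}

# Both default to true; prefs.js only lists them when a user (or something
# else) changed them.
SSL_PREFS = ("security.enable_ssl3", "security.enable_tls")

# Constructed sample prefs.js. The proxy type and search/homepage lines mirror
# what ComboFix reported in this thread; the two security.enable_* lines are
# hypothetical, added to exercise the check.
SAMPLE_PREFS_JS = r"""# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("keyword.URL", "http://search.yahoo.com/search?fr=ffds1&p=");
user_pref("network.proxy.type", 4);
user_pref("security.enable_ssl3", false);
user_pref("security.enable_tls", false);
user_pref("extensions.lastAppVersion", "3.0.7");
"""


def parse_prefs_js(text):
    """Return {pref_name: value} with JSON literals decoded (true/false, numbers, strings)."""
    prefs = {}
    for raw in text.splitlines():
        m = PREF_RE.match(raw.strip())
        if not m:
            continue
        try:
            prefs[m.group("name")] = json.loads(m.group("value"))
        except ValueError:
            prefs[m.group("name")] = m.group("value")  # keep odd values as raw text
    return prefs


def audit_prefs(prefs):
    """Return (code, detail) pairs for the SSL kill-switch and any proxy setting."""
    findings = []
    ssl3 = bool(prefs.get("security.enable_ssl3", True))
    tls = bool(prefs.get("security.enable_tls", True))
    if not (ssl3 or tls):
        findings.append(("ssl_disabled",
                         "security.enable_ssl3 and security.enable_tls are both false; "
                         "every https:// connection fails with ssl_error_ssl_disabled"))
    elif not (ssl3 and tls):
        findings.append(("ssl_partial", f"enable_ssl3={ssl3} enable_tls={tls}"))

    ptype = prefs.get("network.proxy.type", 0)
    if ptype != 0:
        detail = PROXY_TYPES.get(ptype, f"unknown type {ptype}")
        if ptype == 1:    # manual proxy: the hosts are what matters
            detail += ": " + ", ".join(
                f"{k}={prefs.get(k)}" for k in ("network.proxy.http", "network.proxy.ssl"))
        elif ptype == 2:  # PAC: the script URL decides where traffic goes
            detail += ": " + str(prefs.get("network.proxy.autoconfig_url"))
        findings.append(("proxy", detail))
    return findings


def reset_ssl_prefs(text):
    """Return prefs.js text without the security.enable_* lines, so Firefox falls
    back to its defaults (both true). Only write this while Firefox is closed."""
    kept = []
    for raw in text.splitlines():
        m = PREF_RE.match(raw.strip())
        if m and m.group("name") in SSL_PREFS:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    prefs = parse_prefs_js(SAMPLE_PREFS_JS)
    for code, detail in audit_prefs(prefs):
        print(f"{code}: {detail}")
    print("after reset:", audit_prefs(parse_prefs_js(reset_ssl_prefs(SAMPLE_PREFS_JS))))
```

A "proxy" finding with type 1 or 2 deserves a closer look than type 4: a manual proxy host or a PAC URL you did not set yourself is a way for malware to route browser traffic through something it controls, whereas auto-detect on a home network usually finds nothing and is harmless.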

40luv
2009-03-22, 22:11
I know what the ComboFix log is and where to get it. What is the HJT log and where do I find it? I just want to make sure I follow your directions fully. Thanks again.

40luv
2009-03-22, 22:22
Here is the new ComboFix log:

ComboFix 09-03-19.02 - Ron 2009-03-22 16:07:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.243 [GMT -4:00]
Running from: c:\documents and settings\Ron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ron\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\fntq.exe
c:\windows\instsp2.exe
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak1
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak2
c:\windows\SYSTEM32\DRIVERS\lmxlitu.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fntq.exe
c:\windows\instsp2.exe
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak1
c:\windows\SYSTEM32\DRIVERS\lmxlitu.bak2
c:\windows\SYSTEM32\DRIVERS\lmxlitu.ini2

.
((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-03-22 09:33 . 2009-03-22 09:33 <DIR> d-------- c:\program files\CCleaner
2009-03-22 02:28 . 2009-03-22 02:28 <DIR> d-------- c:\program files\Unlocker
2009-03-22 02:28 . 2009-03-22 02:28 <DIR> d-------- c:\documents and settings\Ron\Application Data\Desktopicon
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\documents and settings\Ron\Application Data\Malwarebytes
2009-03-21 17:33 . 2009-03-21 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-21 17:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-21 17:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-17 17:27 . 2009-03-17 17:30 2 --a------ C:\-1595666308

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 19:35 --------- d-----w c:\documents and settings\All Users\Application Data\DIGStream
2009-03-22 16:00 --------- d-----w c:\program files\UltimateBet
2009-03-22 05:58 --------- d-----w c:\program files\PokerStars
2009-03-22 05:57 --------- d--h--r c:\documents and settings\Ron\Application Data\yahoo!
2009-03-22 05:57 --------- d-----w c:\program files\Yahoo!
2009-03-22 05:57 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-03-22 05:39 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-22 05:38 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-17 21:29 14,336 ----a-w c:\windows\SYSTEM32\svchost.exe
2009-03-17 21:29 14,336 ----a-w c:\windows\SYSTEM32\DLLCACHE\svchost.exe
2009-03-17 21:27 101,376 --sha-w c:\windows\SYSTEM32\molezovu.dll
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-01-17 02:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2006-04-17 23:14 5,959 ----a-w c:\documents and settings\Incomplete\downloads.dat
2008-09-09 00:11 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080909\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-29 180269]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-08-20 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mmtask"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\reader_sl.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-28 24652]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ocitoigs
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-03-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk
FF - ProfilePath - c:\documents and settings\Ron\Application Data\Mozilla\Firefox\Profiles\jl0573rw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 16:11:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\lu.dat:faykat 16384 bytes executable


**************************************************************************
.
Completion time: 2009-03-22 16:15:51
ComboFix-quarantined-files.txt 2009-03-22 20:14:34
ComboFix2.txt 2009-03-22 15:09:38

Pre-Run: 14,967,021,568 bytes free
Post-Run: 14,953,697,280 bytes free

132 --- E O F --- 2009-03-15 07:03:48

I will wait for your reply to the above post regarding the HJT file, unless I can figure it out... lol.

shelf life
2009-03-23, 01:57
hi,

Looks good. Did you do the online scan? You can post an HJT log like this:

Download HJTInstall.exe:

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

* Save HJTInstall.exe to your desktop.
* Double-click on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch HijackThis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All", then click on "Edit > Copy" and paste the entire contents of the log.

40luv
2009-03-23, 16:54
Hello again.

Sorry for the late response, I had to step away for a bit.

Here is the ESET online scan log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3954 (20090323)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=c5c854b17ced07458dfe6bad4bb97301
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-23 02:27:18
# local_time=2009-03-23 10:27:18 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=395989
# found=21
# scan_time=3927
C:\Documents and Settings\Lindsey(3)\Application Data(2)\Sun(2)\Java(2)\Deployment(2)\cache\javapi\v1.0\jar\jrl.jar-1a4a38bb-31687f54.zip multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Lindsey(3)\Application Data(2)\Sun(2)\Java(2)\Deployment(2)\cache\javapi\v1.0\jar\jrl.jar-1a4a38bb-31687f54.zip »ZIP »GetAccess.class Java/TrojanDownloader.OpenConnection.AJ trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Lindsey(3)\Application Data(2)\Sun(2)\Java(2)\Deployment(2)\cache\javapi\v1.0\jar\jrl.jar-1a4a38bb-31687f54.zip »ZIP »Installer.class Java/TrojanDownloader.OpenConnection trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Lindsey(3)\Application Data(2)\Sun(2)\Java(2)\Deployment(2)\cache\javapi\v1.0\jar\jrl.jar-1a4a38bb-31687f54.zip »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Lindsey(3)\Application Data(2)\Sun(2)\Java(2)\Deployment(2)\cache\javapi\v1.0\jar\jrl.jar-1a4a38bb-31687f54.zip »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Ron\Application Data\Sun\Java\Deployment\cache\6.0\53\6af78fb5-629081ca Java/TrojanDownloader.OpenStream.Y trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Ron\Application Data\Sun\Java\Deployment\cache\6.0\53\6af78fb5-7616ddb2 Java/TrojanDownloader.OpenStream.Y trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Ron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-40baf3a5-7fc991e0.class Java/TrojanDownloader.OpenStream.Y trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Microsoft AntiSpyware\Quarantine\8A94D427-D214-44DB-BE80-2B5FAF\090ACE6B-6603-4E96-8DC5-1DAFB8 Win32/TrojanDownloader.IstBar trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Microsoft AntiSpyware\Quarantine\9852C1E8-6DC0-412F-AB17-6D40C9\7BFEAC94-D6CF-43AC-A653-C2A8EA Win32/Adware.180Solutions application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Microsoft AntiSpyware\Quarantine\B08FCA77-015A-4071-AC2E-B9822D\EC3EFBE2-8E75-4914-989F-7D7CFC a variant of Win32/TrojanDownloader.IstBar trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Microsoft AntiSpyware\Quarantine\B6F13831-B33A-47E3-8D22-824F56\7D711E8B-497E-4395-940E-A57FB9 Win32/TrojanDownloader.IstBar.gen trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Microsoft AntiSpyware\Quarantine\DBBCF7A0-780C-4678-8DA8-F20264\D4EBDB80-FE45-4C61-8EDB-4209AC Win32/Adware.WinAd application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\fntq.exe.vir Win32/AutoRun.Agent.LT worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\instsp2.exe.vir a variant of Win32/TrojanDownloader.Agent.OWQ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\userinit.exe.vir Win32/FakeInit.I trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001430.exe Win32/FakeInit.I trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001431.exe Win32/FakeInit.I trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001558.exe Win32/AutoRun.Agent.LT worm (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001559.exe a variant of Win32/TrojanDownloader.Agent.OWQ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\Downloaded Program Files\WinTaskAdX.dll a variant of Win32/Adware.WinAd application (unable to clean - deleted) 00000000000000000000000000000000


Will do the HJT log next.

40luv
2009-03-23, 17:43
Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:05 AM, on 3/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124415122515
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7632 bytes

shelf life
2009-03-23, 23:00
ok good. we will use hjt:

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O2 - BHO: (no name) - rsion - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Ron\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

C:\Program Files\Ares: there is plenty of malware that is distributed via p2p networks. If you have uninstalled Ares it's possible this service got left behind. we can remove it.

post a service list like this:

Go to Start > Run and type:

cmd.exe

and click ok. Copy and paste the line below at the prompt > and click enter


sc query > c:\services.txt & start notepad c:\services.txt

notepad will open with a windows service list. please copy/paste the list in reply.

40luv
2009-03-23, 23:24
Here is service list log:


SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Apple Mobile Device
DISPLAY_NAME: Apple Mobile Device
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Browser
DISPLAY_NAME: Computer Browser
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: CryptSvc
DISPLAY_NAME: Cryptographic Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: FastUserSwitchingCompatibility
DISPLAY_NAME: Fast User Switching Compatibility
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: helpsvc
DISPLAY_NAME: Help and Support
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: HidServ
DISPLAY_NAME: HID Input Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: iPod Service
DISPLAY_NAME: iPod Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: lanmanworkstation
DISPLAY_NAME: Workstation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: LmHosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Netman
DISPLAY_NAME: Network Connections
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Nla
DISPLAY_NAME: Network Location Awareness (NLA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: NVSvc
DISPLAY_NAME: NVIDIA Driver Helper Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: PlugPlay
DISPLAY_NAME: Plug and Play
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Pml Driver HPZ12
DISPLAY_NAME: Pml Driver HPZ12
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: PolicyAgent
DISPLAY_NAME: IPSEC Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ProtectedStorage
DISPLAY_NAME: Protected Storage
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SamSs
DISPLAY_NAME: Security Accounts Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: seclogon
DISPLAY_NAME: Secondary Logon
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ShellHWDetection
DISPLAY_NAME: Shell Hardware Detection
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: srservice
DISPLAY_NAME: System Restore Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SSDPSRV
DISPLAY_NAME: SSDP Discovery Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: stisvc
DISPLAY_NAME: Windows Image Acquisition (WIA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TapiSrv
DISPLAY_NAME: Telephony
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TermService
DISPLAY_NAME: Terminal Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Themes
DISPLAY_NAME: Themes
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TrkWks
DISPLAY_NAME: Distributed Link Tracking Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Viewpoint Manager Service
DISPLAY_NAME: Viewpoint Manager Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: w32time
DISPLAY_NAME: Windows Time
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: WebClient
DISPLAY_NAME: WebClient
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: winmgmt
DISPLAY_NAME: Windows Management Instrumentation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: WZCSVC
DISPLAY_NAME: Wireless Zero Configuration
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

Thanks

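The `sc query` output format posted above can be checked mechanically. What follows is an added example, not a tool from this thread or from the helper: it parses the SERVICE_NAME records and reports which of the services Automatic Updates depends on (BITS, wuauserv, CryptSvc; that list is an assumption of this example) are not running, the same check the thread later makes by hand. `sc query` with no arguments lists only active services, so a service that is absent from the output is stopped or missing; the sample text is constructed in the same format.

```python
import re
from typing import Dict, List, Set

# Services Windows Update needs on XP (assumed list for this example; BITS and
# wuauserv are the two the thread later tries to start by hand).
UPDATE_SERVICES = ["BITS", "wuauserv", "CryptSvc"]
# Built-in protection services that appear in the list posted above.
PROTECTION_SERVICES = ["wscsvc", "SharedAccess"]

# One "KEY : value" line of sc output; the "(STOPPABLE,...)" flag line does not match.
_FIELD = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_sc_query(text: str) -> List[Dict[str, object]]:
    """Split `sc query` text into one dict per SERVICE_NAME record.

    Raw field values are kept under their sc names; the STATE line
    ("4  RUNNING") is additionally split into state_code / state_name.
    """
    services: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue  # blank separator or the parenthesised flag line
        key, value = m.group(1), m.group(2)
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current:
            current[key] = value
            if key == "STATE":
                code, _, name = value.partition(" ")
                current["state_code"] = int(code)
                current["state_name"] = name.strip()
    return services


def running_services(text: str) -> Set[str]:
    """Names of services whose STATE is RUNNING."""
    return {str(s["SERVICE_NAME"]) for s in parse_sc_query(text)
            if s.get("state_name") == "RUNNING"}


def missing_services(text: str, required: List[str]) -> List[str]:
    """Entries of `required` that are not running, in the order given.

    Names are compared case-insensitively, as the service control manager does.
    """
    running = {name.lower() for name in running_services(text)}
    return [name for name in required if name.lower() not in running]


# Constructed sample in the same format as the list posted above: three running
# services and one stopped record as `sc query state= all` would show it.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: CryptSvc
DISPLAY_NAME: Cryptographic Services
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

if __name__ == "__main__":
    for label, wanted in (("update", UPDATE_SERVICES),
                          ("protection", PROTECTION_SERVICES)):
        gone = missing_services(SAMPLE_SC_QUERY, wanted)
        print(f"{label} services not running: {gone or 'none'}")
```

Run against the pasted c:\services.txt instead of the sample, the same check would show BITS and wuauserv absent from the running set.
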
shelf life
2009-03-24, 03:23
ok thanks for the info
You can remove combofix like this:
start>run
type in:
combofix /u
click ok or enter
Note: a space after the x and before the /

Post another hjt log. Do you use Ares?

40luv
2009-03-24, 04:05
Do i have to remove the combofix, just trying to clarify? will wait for response

I did and have used Ares but i deleted it yesterday.

40luv
2009-03-24, 05:07
Hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:29 PM, on 3/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124415122515
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6903 bytes

shelf life
2009-03-24, 23:31
Hi,

Combofix shouldn't be used by individuals unless you know what you are doing. It's a tool to help in the removal of malware, it's not a scanner like MBAM is.
MBAM is excellent, always check for updates before using it. It's good practice to keep it (and all software) updated even if you don't scan that much.

Looks like a service may have been left behind:
look in C:/Program Files/Ares
you can delete the Ares folder.

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

How's it all looking on your end now?

40luv
2009-03-25, 02:41
Hi,

Thank you for your assistance, much appreciated.

I uninstalled combofix.
I deleted the Ares folder.
I fixed checked the O23 from the hjt scan.

It's looking good at this end, even resolved the firefox ssl protocol problem.

Any suggestions for real time anti virus?

Thanks again.

shelf life
2009-03-25, 03:03
you're welcome. For AV I like free myself.
AVG:
http://free.avg.com/

AVAST:
http://www.avast.com/

AVIRA:
http://www.free-av.com/en/download/index.html

CLAMWIN:
http://www.clamwin.com/content/view/18/46/

You can make a new restore point. The how and why:

One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

If all is good, some info for you:

Reducing Your Risk To Malware:
The Short Version:

1) It is essential to Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) (Windows), browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. This is also true for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, links or popups.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)

10) If your habits include: warez, cracks etc or you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

40luv
2009-03-25, 05:00
Thanks for the recommendations.

I am logged on as the administrator but when i right click on My Computer>Properties, there is no system restore tab!

I was able to get to system restore via Start>Help and Support>System Restore>System Restore Settings and then checked and unchecked "Turn Off System Restore". Is this ok?

Why did i not get the system restore tab? (see paragraph 2)

Also why can i not turn on Automatic Updates in Windows Security Center, Firewall is on.

40luv
2009-03-25, 05:05
I'm liking mbam, i'm gonna run it daily.

Will Perform quick scan be sufficient or should i run Full scan every time?

I'm learning Tks again.

shelf life
2009-03-27, 00:26
hi,

don't know why there's no tab. the other way will work fine also for making a new restore point.


Automatic Updates
go to start>run and type in cmd
at the prompt >_
copy paste what's below and press enter
close the window
reboot computer
see if you can start Auto updates


sc start bits




quick scan be sufficient or should i run Full scan everytime
I suppose everyday a quick scan would do, and maybe a full scan once a week or so. It really depends on your computing habits. Read through that top 10 list I posted. The paid version of MBAM offers autoupdates and real time protection.

40luv
2009-03-27, 02:31
Hi,

I followed your direction,

go to start>run and type in cmd
at the prompt >_
copy paste what's below and press enter
close the window
reboot computer
see if you can start Auto updates

I get a message "The system cannot find the file specified"

shelf life
2009-03-27, 03:35
ok do this instead. start>run and type in services.msc
click ok
the Windows service panel will open
under the name column look for:

Background Intelligent Transfer Service

right click on it and select properties.
under the general tab:

the Startup type should be: Automatic. If it's not, change it
The Service Status should say Started, if it's not, change it
by clicking the Start button
click ok
reboot computer

see if that solves it.

40luv
2009-03-27, 14:28
No it did not solve it, I got the following error message:

Could not start the Background Intelligent Transfer Service service on local computer.

Error 2: The system cannot find the file specified

shelf life
2009-03-27, 23:53
ok try this also;

start>run and type in cmd
click ok or enter
at the prompt >_
copy/paste in the code below and click enter;
close window, reboot, cross fingers


sc start wuauserv

40luv
2009-03-28, 00:13
This is what I got:


StartService Failed 1058:

The service cannot be started, either because it is disabled or either because it has no enabled devices associated with it.

40luv
2009-03-28, 00:17
Seems like something is missing and/or I'm not being recognized as administrator, although I am logged in as such.

shelf life
2009-03-28, 14:11
No joy yet.

see if you can stop and start system beep;

at the >_ prompt like before type:

sc stop beep

the "state" in the list should say: stopped

then
sc start beep

the state should return: running

You may get some more helpful info if you go to the Windows Update website.
With BITS not running it should fail there also. You may get some error messages from the web site that may provide a solution.

http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

Also, please post another HJT log.

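An added diagnostic for the two failures reported above, not part of the thread and not one of the helper's instructions: the "Error 2: The system cannot find the file specified" message means the Service Control Manager could not find the binary the service is registered to run, and "StartService Failed 1058" means the service's Start value is set to Disabled. The script below (assumed to be saved as Check-Service.ps1 on a machine where PowerShell is installed, which Windows XP did not ship with) reads both facts straight from the service registry key so you can see which of the two applies without guessing. The service names BITS and wuauserv are the ones discussed in this thread; everything else is a constructed helper.

```powershell
# Added diagnostic, not from the thread: explain why a service such as BITS or
# wuauserv refuses to start. Error 2 = the service binary (or ServiceDll)
# cannot be found; error 1058 = the service's Start value is 4 (Disabled).
param([string[]]$Names = @('BITS', 'wuauserv'))

foreach ($name in $Names) {
    # Win32_Service exposes the current state, the configured start mode and
    # the full command line the Service Control Manager will execute.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        Write-Output "$name : no such service is registered"
        continue
    }

    # The registry key is the authoritative source for Start and ImagePath.
    $key       = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $props     = Get-ItemProperty -Path $key
    $start     = $props.Start          # 2 = Automatic, 3 = Manual, 4 = Disabled
    $imagePath = $props.ImagePath

    # Reduce the command line to the executable path: expand %SystemRoot%,
    # drop surrounding quotes and any arguments such as "-k netsvcs".
    $exe = ''
    $exeExists = $false
    if (-not [string]::IsNullOrEmpty($imagePath)) {
        $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)
        $exe = $expanded -replace '^\s*"?([^"]+?\.exe)"?.*$', '$1'
        $exeExists = Test-Path -LiteralPath $exe
    }

    # svchost-hosted services (BITS, wuauserv) also need their ServiceDll.
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $dllExists = $true
    if (-not [string]::IsNullOrEmpty($dll)) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $dllExists = Test-Path -LiteralPath $dll
    }

    Write-Output ("{0,-10} state={1,-8} startmode={2,-9} Start={3}" -f $name, $svc.State, $svc.StartMode, $start)
    Write-Output ("  ImagePath : {0}  (exists: {1})" -f $imagePath, $exeExists)
    if (-not [string]::IsNullOrEmpty($dll)) {
        Write-Output ("  ServiceDll: {0}  (exists: {1})" -f $dll, $dllExists)
    }

    # Map findings back to the two error codes seen in the thread.
    if ($start -eq 4) {
        Write-Output "  -> Start=4 (Disabled) explains error 1058; set Startup type to Automatic in services.msc"
    }
    if (-not $exeExists -or -not $dllExists) {
        Write-Output "  -> missing binary/DLL explains error 2; compare the path with a known-good system or run sfc /scannow"
    }
}
```

Run it from an administrator command prompt as `powershell -File Check-Service.ps1`. It only reads configuration and never changes it, so it is safe to run before deciding whether services.msc, `sc start`, or a system file repair is the right next step.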
40luv
2009-03-28, 14:37
This is what I got:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Ron>sc stop beep

SERVICE_NAME: beep
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

40luv
2009-03-28, 14:45
Here is Hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:48 AM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124415122515
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7096 bytes

shelf life
2009-03-29, 04:26
OK, it stopped. You can do sc start beep to get it going.

Since that appears OK, I wouldn't think you should have any problem starting the BITS or wuauserv service, which requires you to be admin.

Did you visit Windows Update for any suggestions on the error messages?

You might also try sfc /scannow

Look here for a guide:
http://www.updatexp.com/scannow-sfc.html

40luv
2009-03-30, 23:50
Okay, well, I have followed everything you've instructed (and I thank you) but nothing seems to be working.
I have gone to the Windows Update site but it cannot/will not update my system, and when I try to do as the website directs, I get an "access denied".

I'm very frustrated at this point.

Firefox seems to be running okay, but there are some websites I visit for which I need Explorer.

How do I do a complete reload? By that I mean wipe everything out, then reinstall the original files. I have the system disk from purchase of the PC. Thanks.

shelf life
2009-03-31, 00:51
You're welcome. Sorry I couldn't resolve it for you. Your best bet for doing a re-install would be the computer manufacturer's website. I build my own and have never used a recovery CD or recovery partition on a hard drive. It may be as easy as popping in the CD and picking an option from the list.
Most commercial computer vendors maintain informative web sites with helpful information. Read up on the info first. You might have several options:

Reinstall Windows
Reformat and reinstall Windows
Restore to factory defaults.

For sure the second option will wipe the hard drive. The other two may retain your data. This is the info you want to know before proceeding. As a precaution for all of them you might want to pull off any data that you created and don't want to lose, like documents, photos etc. USB flash drives are inexpensive and can hold GBs of data. Burning CDs is another option. There are also online storage sites that you can upload data to. The one I use is kind of slow as it transfers via a Java applet, but it's free up to 50 GB: http://www.adrive.com/plans
Spend some time at your computer vendor's website before you proceed.
When all is done, make Windows Update your first stop. If I can help you, feel free to post back.