There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
audio avg avg 8 backup bios boot browser bsod computer cpu crash css desktop driver drivers dvd email error excel explorer firefox firefox 3 freeze game graphics hard drive hardware help please hijackthis hjt install internet internet explorer itunes javascript keyboard lan laptop malware missing monitor msn network networking openoffice outlook outlook 2003 outlook express php popups problem router screen seo slow sound sp3 spyware trojan usb video virtumonde virus vista vundo windows windows vista windows xp wireless word
Malware Removal & HijackThis Logs
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Solved: Vundo, AntiSpySpider, Zlob infection on Vista Laptop


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

 
Thread Tools
TisiRaptor's Avatar
Junior Member with 4 posts.
  
Join Date: May 2008
Location: Midlands, UK
Experience: Advanced
12-May-2008, 03:51 PM #1
Solved: Vundo, AntiSpySpider, Zlob infection on Vista Laptop
Hi,

My son downloaded and installed a video codec yesterday, only it turns out not to have been a codec after all! His laptop has Windows Vista Home on it and his AV is McAfee SecurityCenter 8.1, with VirusScan 12.1 and Personal Firewall 9.1. He keeps this regularly updated.

When he tried to install the codec McAffe alerted him to a PUP trying to access the internet. Because he was (so he thought) installing a codec he thought that McAfee had got it wrong so he allowed access to the internet. He immediately realised his mistake but it was too late. Straight away he started getting pop ups and other weird messages.
So, he disconnected from the network and the computer hasn't been online since.

Symptoms - Task Manager is disabled, regedit is disabled, and probably a few others that I haven't tried. He gets constant 'alerts' purporting to be from Microsoft Security Centre or Security Manager, with a variety of warnings that his system is running slow because of spyware, or spyware has been detected, or IE will open up and try to link to the AntiSpySpider site.

I did some research and (using my PC for the internet connection) downloaded SpyHunter Scanner, which found zlob entries in the registry and about 83 cookies. I used a variety of sites to get manual removal instructions, which I followed. I ran HijackThis so that I could gain access to the registry and I reset the disable taskmgr dword at HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.

I also searched for various files mentioned in the manual removal instructions, as follows:

msmsgs.exe
pmsngr.exe
kdqrn.exe
02.exe
kdvhv.exe
kdoaf.exe
kdkwb.exe
kdkat.exe
kdlfk.exe
kdefp.exe

but didn't find any. I tried unregistering the dlls mentioned in the instructions and manually edited the registry to remove the zlob entries.

I then rebooted the PC and, initially, all was okay. For about 2 minutes anyway, and then TaskMgr and regedit were disabled again and the popups started.

I then downloaded and ran SuperAntiSpyware, which found and quarantined numerous tracking cookies, adware.vundo varient/resident and vundo-varient registry entries. This asked me to reboot, which I did, but the problems came back again (although running SuperAntiSpyware showed neither the vundo nor any new spyware.

I spent many hours on this last night, until 2 am and am now starting on it again. I have run HijackThis and the log is below:

=========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:29:32, on 12/05/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\svchost.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\b2new.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts file is located at: C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: (no name) - {60AFAA4D-E7FC-4087-92AA-21C05C3B8EC0} - C:\Windows\system32\mljGyWNg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\cbXNGwtS.dll,#1
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Run.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\Windows\b2new.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SpyHunter3 Service - Enigma Software Group, Inc. - C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10750 bytes
=====================

I also ran combofix, which deleted a lot of files and folders and then rebooted the PC. Combofix Log file is below:

===============
ComboFix 08-05-11.1 - vista 2008-05-12 18:48:38.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1259 [GMT 1:00]
Running from: C:\Users\vista\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\megavid.cdt
C:\Windows\muotr.so
C:\Windows\system32\adult.txt
C:\Windows\system32\AutoRun.inf
C:\Windows\system32\cbXNGwtS.dll
C:\Windows\system32\fccdeBRK.dll
C:\Windows\system32\finance.txt
C:\Windows\System32\gNWyGjlm.ini
C:\Windows\System32\gNWyGjlm.ini2
C:\Windows\system32\hGvvvTLc.dll
C:\Windows\system32\lt.res
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\other.txt
C:\Windows\system32\pharma.txt
C:\Windows\system32\sft.res
C:\Windows\system32\ssqnKcdb.dll
C:\Windows\system32\tuvTjihf.dll
C:\Windows\system32\yayaYrQg.dll

----- BITS: Possible infected sites -----

hxxp://theinstalls.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 17:55 --------- d-----w C:\Program Files\Steam
2008-05-12 17:30 --------- d-----w C:\Users\vista\AppData\Roaming\SiteAdvisor
2008-05-11 23:44 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-05-11 23:43 --------- d-----w C:\Users\vista\AppData\Roaming\SUPERAntiSpyware.com
2008-05-11 23:43 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-11 23:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 22:17 --------- d-----w C:\Program Files\Trend Micro
2008-05-11 20:40 --------- d-----w C:\Program Files\Samsung
2008-05-11 20:40 --------- d-----w C:\Program Files\Enigma Software Group
2008-05-11 19:48 92,703 ----a-w C:\Users\vista\AppData\Roaming\nvModes.dat
2008-05-11 19:29 --------- d-----w C:\Program Files\McAfee
2008-05-11 19:03 --------- d-----w C:\Program Files\Common Files\Steam
2008-05-10 17:43 --------- d-----w C:\Program Files\DOSBox-0.72
2008-05-09 19:28 25,600 ----a-w C:\Windows\b2new.exe
2008-04-25 13:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-24 14:29 --------- d-----w C:\Users\vista\AppData\Roaming\HP
2008-04-24 14:17 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-04-24 14:14 --------- d-----w C:\ProgramData\HPSSUPPLY
2008-04-24 14:14 --------- d-----w C:\Program Files\HP
2008-04-24 14:13 --------- d-----w C:\Users\vista\AppData\Roaming\HPAppData
2008-04-24 14:12 --------- d-----w C:\ProgramData\HP Product Assistant
2008-04-24 14:12 --------- d-----w C:\ProgramData\HP
2008-04-24 14:11 --------- d-----w C:\Program Files\Common Files\HP
2008-04-24 14:10 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-04-19 20:37 --------- d-----w C:\Program Files\Smallvideosoft
2008-04-19 20:34 --------- d---a-w C:\ProgramData\TEMP
2008-04-19 20:03 --------- d-----w C:\Users\vista\AppData\Roaming\SlySoft
2008-04-19 19:59 --------- d-----w C:\Users\vista\AppData\Roaming\Roxio
2008-04-18 19:42 --------- d-----w C:\Program Files\Kontiki
2008-04-16 12:56 --------- d-----w C:\Program Files\Crossroads
2008-04-07 21:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 16:39 --------- d-----w C:\Users\vista\AppData\Roaming\McAfee
2008-04-03 16:38 --------- d-----w C:\ProgramData\McAfee
2008-03-30 16:36 --------- d-----w C:\Program Files\Java
2008-03-26 15:47 --------- d-----w C:\Program Files\Common Files\L&H
2008-03-26 15:46 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-18 01:33 --------- d-----w C:\Users\vista\AppData\Roaming\Winamp
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-06 00:26 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60AFAA4D-E7FC-4087-92AA-21C05C3B8EC0}]
C:\Windows\system32\mljGyWNg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-02-06 01:03 1232896]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-04-19 13:38 1271032]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 20:29 102400]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 02:07 102400]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 10:00 1116920]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-07 09:05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-07 09:05 8534560]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-07 09:05 81920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 22:57 36640]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 14:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 12:22 20480]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shell executehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceOb jectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3252350923-1669814527-4055496009-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F554FE34-5A12-47F7-A5DB-935B76FC040B}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"TCP Query User{A3D80BF1-86A5-4BDB-B3F1-51AF4BA4258C}C:\\westwood\\ra2\\game.exe"= UDP:C:\westwood\ra2\game.exe:Main executable for Red Alert 2
"UDP Query User{D900865E-C5D9-4BEC-AD2F-82742D5EFB0F}C:\\westwood\\ra2\\game.exe"= TCP:C:\westwood\ra2\game.exe:Main executable for Red Alert 2
"TCP Query User{DCA62C7B-B696-4FC2-BA41-7B2E45806B17}C:\\westwood\\ra2\\patchgetmd.dat"= UDP:C:\westwood\ra2\patchgetmd.datatchgrabber
"UDP Query User{50E3ED58-984A-4AC9-8C53-FC5E834BDFFB}C:\\westwood\\ra2\\patchgetmd.dat"= TCP:C:\westwood\ra2\patchgetmd.datatchgrabber
"{B4D43326-9E53-4B3E-984E-6E284D04FADC}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{0215C171-DA5C-46D7-81FF-5149FCE0301D}C:\\westwood\\ra2\\gamemd.exe"= UDP:C:\westwood\ra2\gamemd.exe:Main executable for Yuri's Revenge
"UDP Query User{23C202E9-1F7D-4698-9F51-63B1B6F58762}C:\\westwood\\ra2\\gamemd.exe"= TCP:C:\westwood\ra2\gamemd.exe:Main executable for Yuri's Revenge
"TCP Query User{64787A47-53ED-431F-A4E6-2587D26C16D6}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{A9F758C0-E135-4272-B94C-2A3657924B4C}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{F661A500-346F-42D2-A101-6A68F0629A35}"= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{033442FF-FA53-45C9-9AF7-27E58ACBDABE}"= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{CA41863C-125F-4993-BF0F-51E4DA5C36B1}"= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{74761926-F978-41EC-BA5E-D1BCF0C96A48}"= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{C17DEFFE-A743-46DE-99FE-46FD104DCDB8}"= UDP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{89EC6F02-7A15-4E6B-A736-B8538E0CD715}"= TCP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{EC6E82C1-6BB1-4605-A206-FB2D9B4266CD}"= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{28AF9B72-FA92-4C61-868F-610B4D9381D0}"= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{E470C7DE-8230-47BE-B454-D233AE5B1F73}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{F08D50CE-4D79-45D5-94B8-EF06926A70EE}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{9EC79427-02C9-40EB-A4C8-D313478B4AA9}"= UDP:C:\Program Files\Kontiki\KService.exeelivery Manager Service
"{E1D27A6A-9B10-4ECC-8CAC-EFAA95E611BD}"= TCP:C:\Program Files\Kontiki\KService.exeelivery Manager Service
"{C4536714-E192-4CC6-AEA9-55EA7D21A37D}"= UDP:C:\Program Files\Kontiki\KService.exeelivery Manager Service
"{994E2CDB-51B1-4965-8B90-6575E152DF41}"= TCP:C:\Program Files\Kontiki\KService.exeelivery Manager Service
"TCP Query User{43FA7D64-DE27-476A-8E21-DEE0C7624154}C:\\program files\\steam\\steamapps\\ambritannia\\team fortress classic\\hl.exe"= UDP:C:\program files\steam\steamapps\ambritannia\team fortress classic\hl.exe:Half-Life Launcher
"UDP Query User{68C4CAD6-7AF4-4708-87A2-05BB59FB8FCB}C:\\program files\\steam\\steamapps\\ambritannia\\team fortress classic\\hl.exe"= TCP:C:\program files\steam\steamapps\ambritannia\team fortress classic\hl.exe:Half-Life Launcher

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\S tatic\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2006-08-01 21:06]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-17 00:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-02-29 20:20:52 C:\Windows\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-01 00:00:13 C:\Windows\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-05-12 17:58:39 C:\Windows\Tasks\User_Feed_Synchronization-{D01616A4-F375-4698-A7E4-AF55BF38FD58}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 18:55:48
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\wlanext.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\microsoft shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\msiexec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-05-12 19:00:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 18:00:23

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

222 --- E O F --- 2008-04-09 19:17:52
===================

Following the reboot TaskMgr and regedit were fine and then after about two or three minutes the were disabled again. The popups seem to have disappeared, I have just run a full system McAfee scan, which found RemAdm-ProcLaunch!171 as a PUP but was unable to remove it.

I re-enabled regedit and taskmgr again and then rebooted the pc. Yet again, after about 5 minutes taskmgr and regedit have been disabled again. The popups haven't returned but I am really loathe to allow this pc back on my network and give it internet access until I know that all is well and I will be really grateful for any help you can give.

Many thanks,

TisiRaptor
cybertech's Avatar
Computer Specs
Moderator with 55,962 posts.
  
Join Date: Apr 2002
Location: Washington State
14-May-2008, 11:22 AM #2
Hi, Welcome to TSG!!


Run HJT again and put a check in the following:

O2 - BHO: (no name) - {60AFAA4D-E7FC-4087-92AA-21C05C3B8EC0} - C:\Windows\system32\mljGyWNg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\cbXNGwtS.dll,#1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)

Close all applications and browser windows before you click "fix checked".


Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy the entire report and paste it in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
TisiRaptor's Avatar
Junior Member with 4 posts.
  
Join Date: May 2008
Location: Midlands, UK
Experience: Advanced
14-May-2008, 12:40 PM #3
Hi cybertech,

Many thanks for your reply. I ran HJT again and of the items you asked me to put a check against, only 4 were there: the following didn't exist:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\cbXNGwtS.dll,#1

I checked the others and clicked Fix Checked.

After installing Malwarebytes Anti-Malware I couldn't get it to update but I ran it anyway, it found and dealt with three infections. HJT log and Malwarebytes Anti-Malware logs are below. After rebooting Malwarebytes Anti-Malware updated ok so I ran it again - it found 6 infections: these were to do with the hijacked IE homepage so I don't know why it didn't find them first time. Anyway, I've added the log to this post.

Once again, many thanks for your help, hopefully you can give the all clear now. Whilst I've got his PC I'm going to install Spyware Blaster, Spybot S&D, Spyware Guard and Winpatrol; or do you think that's overkill?

HJT Log after HJT and Malwarebytes Anti-Malware cleansing:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21:53, on 14/05/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Run.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BNZLM - Sysinternals - www.sysinternals.com - C:\Users\vista\AppData\Local\Temp\BNZLM.exe
O23 - Service: DQHPWWZYG - Sysinternals - www.sysinternals.com - C:\Users\vista\AppData\Local\Temp\DQHPWWZYG.exe
O23 - Service: I - Sysinternals - www.sysinternals.com - C:\Users\vista\AppData\Local\Temp\I.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MEO - Sysinternals - www.sysinternals.com - C:\Users\vista\AppData\Local\Temp\MEO.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SpyHunter3 Service - Enigma Software Group, Inc. - C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8356 bytes
=====================
1st Anti-Malware Log:

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 34707
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\sockins32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceOb jectDelayLoad\WebProxy (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\sockins32.dll (Trojan.Agent) -> Delete on reboot.
==========================
2nd Anti Malware Log

Malwarebytes' Anti-Malware 1.12
Database version: 748

Scan type: Quick Scan
Objects scanned: 35568
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\homepage.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\promo1.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\promo2.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\promo3.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\promo4.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\promo5.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\promo6.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\promogif1.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\promogif2.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\promogif3.gif (Malware.Trace) -> Quarantined and deleted successfully.
=====================


Many thanks,

Tisi
cybertech's Avatar
Computer Specs
Moderator with 55,962 posts.
  
Join Date: Apr 2002
Location: Washington State
14-May-2008, 03:01 PM #4
Quote:
Originally Posted by TisiRaptor View Post
Whilst I've got his PC I'm going to install Spyware Blaster, Spybot S&D, Spyware Guard and Winpatrol; or do you think that's overkill?

I think it's a little too much but if you keep only a couple of the running real time protection and use the others for on-demand scanning it should be ok.

As for Malwarebytes finding more things the second time around I'm sure that is due to the update you were able to get.

Log looks good now.


You're welcome!
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
TisiRaptor's Avatar
Junior Member with 4 posts.
  
Join Date: May 2008
Location: Midlands, UK
Experience: Advanced
14-May-2008, 03:24 PM #5
Many, many thanks. I'm going to make sure my son gives a donation to help keep this forum going.
cybertech's Avatar
Computer Specs
Moderator with 55,962 posts.
  
Join Date: Apr 2002
Location: Washington State
15-May-2008, 05:58 PM #6
Great! Happy I could help!
Reply

« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are Off
Refbacks are Off

Related Sites: Support.com | Tech Gift Ideas | Mobile TechGuy | Advertise on TSG
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 03:39 AM.
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Powered by Cermak Technologies, Inc.