1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

About:Blank, Possible vundo, various

Discussion in 'Virus & Other Malware Removal' started by Jolting, Jul 7, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Jolting

    Jolting Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    13
    I'm trying to fix up a computer without wipeing it clean. The ie7 is stuck on about:me. Random mass pop ups. Run time errors. I'm pretty much stuck and need a little advice on what to use to clean it. Here is the log.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:28:36 PM, on 7/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\Common Files\AOL\1147050818\ee\AOLSoftware.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avi Player\AviPlayer.exe
    C:\Program Files\Xfire\Xfire.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Laura Renta\Desktop\setupeng.exe
    C:\DOCUME~1\LAURAR~1\LOCALS~1\Temp\_av_sfx.tm~a02444\avast.setup
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Laura Renta\Desktop\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: CIEObjectObj Object - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - C:\WINDOWS\IECodecPlg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [AutoLoader5Fqu1JOgWbaO] "C:\WINDOWS\System32\ftpmdll.exe" /PC="AM.ICMD2" /HideUninstall /HideDir
    O4 - HKLM\..\Run: [5s9S37T] ftpmdll.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147050818\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB002" /M "Stylus C64"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dcsm] "C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
    O4 - HKCU\..\Run: [Avi Player] "C:\Program Files\Avi Player\AviPlayer.exe" hmw
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm235YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.73\AMVConverter\grab.html
    O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.73\MediaManager\grab.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

    --
    End of file - 10255 bytes


    Any advice is greatly appreciated.
     
  2. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG:)

    Download RogueRemover from the link below.
    Unzip to a convenient location such as C:\RogueRemover.
    Navigate to the folder you unzipped the files to and double click on the file named RogueRemover.exe.
    Finally, select Scan and the program will walk you through the remaining steps.

    Compatible with Windows 2000, NT, XP

    http://www.malwarebytes.org/rogueremover.php


    ===================================

    Download Combofix and save it to your desktop.
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Note: It is important that it is saved directly to your desktop

    Close any open browsers.

    Double click on combofix.exe & follow the prompts.
    When finished, it shall produce a log for you.

    Post the ComboFix.txt and a fresh Hijackthis log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
     
  3. Jolting

    Jolting Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    13
    Thank you for the prompt reply. Sorry it took me so long I had stuff I had to do. Anyways heres the combo fix log and then after will be the new hijackthis log.

    "Laura Renta" - 2007-07-08 15:03:39 - ComboFix 07-07-07.3 - Service Pack 2


    ((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


    2007-07-08 14:44 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-08 14:39 <DIR> d-------- C:\Program Files\RogueRemover
    2007-07-07 21:54 <DIR> d-------- C:\WINDOWS\pss
    2007-07-07 19:04 <DIR> d-------- C:\VundoFix Backups
    2007-07-07 19:00 95,872 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
    2007-07-07 19:00 43,176 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
    2007-07-07 19:00 26,888 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
    2007-07-07 19:00 23,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
    2007-07-07 18:59 94,552 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
    2007-07-07 18:59 85,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
    2007-07-07 18:59 745,600 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
    2007-07-07 18:59 <DIR> d-------- C:\Program Files\Alwil Software
    2007-06-23 11:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-08 21:52:32 -------- d-----w C:\DOCUME~1\LAURAR~1\APPLIC~1\Xfire
    2007-07-08 21:52:12 -------- d-s---w C:\Program Files\Xfire
    2007-07-08 02:46:58 -------- d-----w C:\Program Files\Google
    2007-06-24 16:46:19 -------- d-----w C:\Program Files\MyWebSearch
    2007-06-23 06:36:44 -------- d-----w C:\Program Files\Lavasoft
    2007-06-23 06:36:40 -------- d-----w C:\DOCUME~1\LAURAR~1\APPLIC~1\Lavasoft
    2007-06-07 23:50:04 -------- d-----w C:\Program Files\Common Files\Stardock
    2007-06-07 23:49:27 -------- d-----w C:\Program Files\Stardock
    2007-05-31 03:16:29 -------- d-----w C:\Program Files\Starcraft
    2007-05-31 02:04:56 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-21 17:49:44 -------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-08 12:52:53 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2006-07-06 20:10:36 104 --sh--r C:\WINDOWS\SYSTEM32\CAB1035C14.sys
    2006-07-06 20:10:38 3,350 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
    2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA13D72F-2DAC-4D99-B08D-C5EA1C920E89}]
    2005-12-01 16:39 113152 --a------ C:\WINDOWS\IECodecPlg.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05]
    "HostManager"="C:\Program Files\Common Files\AOL\1147050818\ee\AOLSoftware.exe" [2006-04-20 10:10]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
    backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Laura Renta^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=C:\Documents and Settings\Laura Renta\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5s9S37T]
    ftpmdll.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM95\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader5Fqu1JOgWbaO]
    "C:\WINDOWS\System32\ftpmdll.exe" /PC="AM.ICMD2" /HideUninstall /HideDir

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Avi Player]
    "C:\Program Files\Avi Player\AviPlayer.exe" hmw

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dcsm]
    "C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    C:\WINDOWS\System32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB002" /M "Stylus C64"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
    C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    "C:\Program Files\Dell\Media Experience\PCMService.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SureCleanProfessional]
    "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    C:\Program Files\Yahoo!\browser\ybrwicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "IDriverT"=3 (0x3)
    "iPod Service"=3 (0x3)

    *Newly Created Service* - CATCHME

    Contents of the 'Scheduled Tasks' folder
    2007-07-05 14:40:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-07-08 21:51:48 C:\WINDOWS\tasks\leeroy.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-08 15:05:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-08 15:06:15
    C:\ComboFix-quarantined-files.txt ... 2007-07-08 15:05

    --- E O F ---






    Edit: I'll get the hijackthis log real soon.
     
  4. Jolting

    Jolting Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    13
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 5:49:52 PM, on 7/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\AOL\1147050818\ee\AOLSoftware.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Xfire\Xfire.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Laura Renta\Desktop\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: CIEObjectObj Object - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - C:\WINDOWS\IECodecPlg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147050818\ee\AOLSoftware.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm235YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.73\AMVConverter\grab.html
    O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.73\MediaManager\grab.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

    --
    End of file - 6810 bytes


    Sorry about it being a bit late.
     
  5. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please download the attached file named CFScript.txt and Save it to your Desktop.

    [​IMG]

    Refering to the picture above, drag CFScript.txt into ComboFix.exe


    In your next reply, please post a fresh Combofix log and a fresh Hijackthis log.


    Do not run on any other computer!!!! The Attached file CFScript.txt is created for this specfic computer. Running it on another system could cause it to crash or worse.


    ===============================

    Panda Activescan
    http://www.pandasoftware.com/products/activescan.htm
    1. Once you are on the Panda site click the Scan your PC button
    2. A new window will open...click the Check Now button
    3. Enter your Country
    4. Enter your State/Province
    5. Enter your e-mail address and click send
    6. Select either Home User or Company
    7. Click the big Scan Now button
    8. If it wants to install an ActiveX component allow it
    9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    10. When download is complete, click on Local Disks to start the scan
    11. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
     
  6. Jolting

    Jolting Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    13
    I dont see the attachment anywhere.
     
  7. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Sorry about that
     

    Attached Files:

  8. Jolting

    Jolting Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    13
    I'm currently trying to get set up again. I had to move to a new location. As soon as I'm set up again I'll pm you that I'm back. Also I couldn't complete those tasks because panda scan wouldn't run.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/593092

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice