
Trojan Heaven... (HJT LOG)

Discussion in 'Virus & Other Malware Removal' started by DorkyPenguin, Oct 15, 2008.

  1. DorkyPenguin

    DorkyPenguin Thread Starter

    Joined:
    Sep 16, 2008
    Messages:
    44
    Well, as I said in the title, my computer is a home for Trojans, malware, viruses, and anything else bad. :eek: I just got new anti-virus, firewall, and scanners. Every 10 minutes my anti-virus pops up a warning asking if I should delete different types of Trojans it found. All my scanners pop up infected items and I keep removing them, but nothing's getting better or faster. My computer is very slow and takes around 5 minutes to pop up a browser. I have had this computer for around 3 years. My dad's friend gave it to me because a virus had completely locked up the computer. My dad fixed it so he just let me keep it. I have a lot of cleaners, many of which you had suggested in another one of my posts regarding my laptop. This problem isn't on my laptop. It's the other thing that you have a big box for.... LOL. I can't remember what you call it? Opposite of a laptop... I feel dumb. Anyway, thanks! I know you can help and feel free to take your time! Oh one more thing... I can't update to Service Pack 2... It says Access denied about 80% of the way through. Not sure what that's about, but... :) Here's a HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:04:31 PM, on 10/15/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {07850CE3-1044-C87E-2D7E-A3B83871E631} - (no file)
    O2 - BHO: (no name) - {21204F9B-E08B-9E2A-C0B8-0DA765FD3394} - (no file)
    O2 - BHO: (no name) - {25A24FD7-B559-A8F2-9119-734F5E38EC5E} - (no file)
    O2 - BHO: (no name) - {3257CB31-4761-6E0E-B8F2-BA44AD4D89B0} - (no file)
    O2 - BHO: (no name) - {652B2B57-E4D1-DA98-11D1-63B6EC399433} - (no file)
    O2 - BHO: (no name) - {6D224D6C-9CD9-244E-1651-BCB09374072E} - (no file)
    O2 - BHO: (no name) - {741F449C-9060-015F-109F-D04403FDE843} - (no file)
    O2 - BHO: (no name) - {8605E933-BF9A-38BC-F3EC-5B9BFA9CFEB4} - (no file)
    O2 - BHO: (no name) - {A150AC67-C8A7-5720-6F83-07CE8674E2BE} - (no file)
    O2 - BHO: (no name) - {AE65210B-2870-3EC4-9658-261BE1153BB2} - (no file)
    O2 - BHO: (no name) - {B31201EA-B6EE-80FD-86B1-3CA150910F8D} - (no file)
    O2 - BHO: (no name) - {C46EE6A8-1C15-E426-E079-3B788A30CE86} - (no file)
    O2 - BHO: (no name) - {D59AC151-F00C-3509-5093-1C3589B36680} - (no file)
    O2 - BHO: (no name) - {DE009CAE-4B28-D350-13CF-E88F46A3C5C3} - (no file)
    O2 - BHO: (no name) - {E16EFF3B-8831-5123-9372-1E0B4CDF75E9} - (no file)
    O2 - BHO: (no name) - {E21F538E-8CB9-A0F9-8F6E-40567DFA2D87} - (no file)
    O2 - BHO: (no name) - {E8672AC7-8611-4002-4486-F4856A5C2E37} - (no file)
    O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.searchmeup.cc (HKLM)
    O15 - Trusted IP range: 195.190.118.157 (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/05a515b086e83fbc4c03/netzip/RdxIE601.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167273117860
    O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures04.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://216.93.170.133:82/TqUpdate_Release.CAB
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 8930 bytes
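    The log above is easier to read when the entry types are triaged by section code. The following script is an added example written for this page; it is not part of HijackThis and not something posted in the thread. Its rules (orphaned O2 BHOs, any O15 Trusted Zone entry, O16 ActiveX downloads served from a bare IP address, O23 services whose binary is missing) are the editor's own reviewer heuristics, and the sample lines are a subset of the log posted above, including a few benign entries (avgnt, go.microsoft.com, vsmon) so the output shows what the rules leave alone.

```python
"""Triage of a HijackThis (HJT) v2.0.2 log from a defender's point of view.
Every rule here is a reviewer heuristic chosen for this example, not part of
HijackThis itself: the script only reports, it changes nothing."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of the HJT log posted in this thread (post 1), with benign entries kept in.
SAMPLE_HJT_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {07850CE3-1044-C87E-2D7E-A3B83871E631} - (no file)
O2 - BHO: (no name) - {21204F9B-E08B-9E2A-C0B8-0DA765FD3394} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O15 - Trusted Zone: *.searchmeup.cc (HKLM)
O15 - Trusted IP range: 195.190.118.157 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/05a515b086e83fbc4c03/netzip/RdxIE601.cab
O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://216.93.170.133:82/TqUpdate_Release.CAB
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    section: str   # HJT section code such as "O15"
    severity: str  # "high", "medium", "low" or "info"
    reason: str
    line: str


_URL_HOST = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
_DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _url_host_is_bare_ip(line: str) -> bool:
    """True when the first URL on the line names a dotted-quad IP instead of a hostname."""
    m = _URL_HOST.search(line)
    return bool(m and _DOTTED_QUAD.fullmatch(m.group(1)))


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one HJT entry; None means 'nothing to report'."""
    section = line.split(" - ", 1)[0].strip()
    if section == "R3" and line.endswith("is missing"):
        return Finding(section, "info",
                       "default URLSearchHook missing; usually leftover damage from an earlier hijacker", line)
    if section == "O2" and line.endswith("(no file)"):
        return Finding(section, "medium",
                       "BHO registered but its DLL is gone; orphan CLSID, often left behind by removed malware", line)
    if section == "O15":
        return Finding(section, "high",
                       "host added to the IE Trusted Zone, which relaxes browser security for it; rarely legitimate", line)
    if section == "O16" and _url_host_is_bare_ip(line):
        return Finding(section, "high",
                       "ActiveX download (DPF) sourced from a bare IP address rather than a named host", line)
    if section == "O23" and line.endswith("(file missing)"):
        return Finding(section, "low",
                       "service registered but its binary is missing; orphaned service entry", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of an HJT log, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        found = triage_line(line)
        if found is not None:
            findings.append(found)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 4, 'medium': 2, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity:>6}] {f.section}: {f.reason}\n         {f.line}")
```

    Run against the full log above, the same rules would flag all seventeen orphaned O2 entries, both O15 lines and the two O16 downloads hosted on 207.188.7.150 and 216.93.170.133; the O4 autostarts and the named-host O16 entries pass through untouched, which is the point of keeping the rules narrow.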
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please download Malwarebytes' Anti-Malware to your desktop
    from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.

    It might ask you to reboot to finish cleaning. Please do so. ( Press YES on the alert)
    If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it continues on every boot
     
  3. DorkyPenguin

    DorkyPenguin Thread Starter

    Thanks, here's the scan:
    Malwarebytes' Anti-Malware 1.28
    Database version: 1274
    Windows 5.1.2600 Service Pack 1

    10/18/2008 11:56:12 PM
    mbam-log-2008-10-18 (16-47-12).txt

    Scan type: Quick Scan
    Objects scanned: 59485
    Time elapsed: 14 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FOPF (Rogue.AVSystemShield) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\Laurie\Application Data\TrustedProtection (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Laurie\Application Data\TrustedProtection\Logs (Rogue.TrustedProtection) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Laurie\Application Data\TrustedProtection\avtasks.dat (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Laurie\Application Data\TrustedProtection\Logs\av.log (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Laurie\Application Data\TrustedProtection\Logs\ga6Support.log (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\_002692_.tmp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\_002723_.tmp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\msne.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\apiqj32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\atlgw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\crui.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\ieme32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    it doesn't look like you updated MBAM before scanning

    latest version is 1.29 with database 1286

    please update by opening MBAM, selecting the update tab & pressing update

    follow all prompts

    then do a new quick scan & post that log & a new HJT log please
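    The two MBAM logs in this thread (post 3 before the database update, post 6 after it) are in the same fixed text format, so the check dvk01 makes here, that the database version is older than the latest one, can be done by a parser. The script below is an added example, not Malwarebytes' code and not posted by anyone in the thread; the sample logs are condensed from the two posted ones (header and summary kept verbatim, the first log's detection list shortened to four representative entries), and the "latest database" figure of 1286 is the one dvk01 quotes, passed in as a parameter.

```python
"""Parser for Malwarebytes' Anti-Malware 1.x text logs, plus the 'was the
database current?' check. Added example; not MBAM's own code."""
import re
from typing import Dict, List, Tuple

# Condensed from the log in post 3 (scan run with database 1274).
MBAM_LOG_BEFORE_UPDATE = r"""
Malwarebytes' Anti-Malware 1.28
Database version: 1274
Windows 5.1.2600 Service Pack 1

10/18/2008 11:56:12 PM
mbam-log-2008-10-18 (16-47-12).txt

Scan type: Quick Scan
Objects scanned: 59485
Time elapsed: 14 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 10

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FOPF (Rogue.AVSystemShield) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Laurie\Application Data\TrustedProtection (Rogue.TrustedProtection) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\_002692_.tmp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msne.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Condensed from the log in post 6 (scan run after updating to database 1299).
MBAM_LOG_AFTER_UPDATE = r"""
Malwarebytes' Anti-Malware 1.29
Database version: 1299
Windows 5.1.2600 Service Pack 1

Scan type: Quick Scan
Objects scanned: 60398
Time elapsed: 25 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

_VERSION = re.compile(r"^Malwarebytes' Anti-Malware (\d+\.\d+)$")
_DATABASE = re.compile(r"^Database version: (\d+)$")
_SUMMARY = re.compile(r"^(.+ Infected): (\d+)$")          # "Files Infected: 10"
_DETECTION = re.compile(r"^(.+) \(([^()]+)\) -> (.+)\.$")  # "<path> (<category>) -> <action>."

Detection = Tuple[str, str, str]  # (item, category, action)


def parse_mbam_log(text: str) -> Dict:
    """Return version, database number, the summary counts and every detection line."""
    report: Dict = {"version": None, "database": None, "summary": {}, "detections": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if (m := _VERSION.match(line)):
            report["version"] = m.group(1)
        elif (m := _DATABASE.match(line)):
            report["database"] = int(m.group(1))
        elif (m := _SUMMARY.match(line)):
            report["summary"][m.group(1)] = int(m.group(2))
        elif (m := _DETECTION.match(line)):
            report["detections"].append((m.group(1), m.group(2), m.group(3)))
    return report


def total_detections(report: Dict) -> int:
    """Sum of the summary block; this is the authoritative count even if the list is truncated."""
    return sum(report["summary"].values())


def needs_update(report: Dict, latest_database: int) -> bool:
    """The scan is only as good as its signatures: flag a database older than the latest known."""
    return report["database"] is None or report["database"] < latest_database


def detections_by_category(report: Dict) -> Dict[str, int]:
    """Group the listed detections by MBAM category name (e.g. 'Trojan.Agent')."""
    counts: Dict[str, int] = {}
    for _item, category, _action in report["detections"]:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for name, text in (("before", MBAM_LOG_BEFORE_UPDATE), ("after", MBAM_LOG_AFTER_UPDATE)):
        r = parse_mbam_log(text)
        print(name, r["version"], r["database"], "stale" if needs_update(r, 1286) else "current",
              total_detections(r), detections_by_category(r))
```

    The summary block, not the per-item list, is used for the total, so a pasted log that was trimmed for length still reports the right number; the category grouping is what a helper scans first to tell a rogue-antivirus infestation (Rogue.*) from generic droppers (Trojan.Agent).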
     
  5. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Just a quick question, why aren't you running Service Pack 2?
     
  6. DorkyPenguin

    DorkyPenguin Thread Starter

    Ok, I'm running a new scan now. To answer your question AcaCandy, I posted this in my first post on this topic, it won't let me update to Service Pack 2. About 80% through the update, it says Access Denied and everything just uninstalls. I've tried multiple times, restarting my computer and everything. Here is the updated Malwarebytes Anti-Malware scan log followed by a HJT log:
    Malwarebytes' Anti-Malware 1.29
    Database version: 1299
    Windows 5.1.2600 Service Pack 1

    10/20/2008 9:08:18 PM
    mbam-log-2008-10-20 (21-08-18).txt

    Scan type: Quick Scan
    Objects scanned: 60398
    Time elapsed: 25 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:09:46 PM, on 10/20/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {07850CE3-1044-C87E-2D7E-A3B83871E631} - (no file)
    O2 - BHO: (no name) - {21204F9B-E08B-9E2A-C0B8-0DA765FD3394} - (no file)
    O2 - BHO: (no name) - {25A24FD7-B559-A8F2-9119-734F5E38EC5E} - (no file)
    O2 - BHO: (no name) - {3257CB31-4761-6E0E-B8F2-BA44AD4D89B0} - (no file)
    O2 - BHO: (no name) - {652B2B57-E4D1-DA98-11D1-63B6EC399433} - (no file)
    O2 - BHO: (no name) - {6D224D6C-9CD9-244E-1651-BCB09374072E} - (no file)
    O2 - BHO: (no name) - {741F449C-9060-015F-109F-D04403FDE843} - (no file)
    O2 - BHO: (no name) - {8605E933-BF9A-38BC-F3EC-5B9BFA9CFEB4} - (no file)
    O2 - BHO: (no name) - {A150AC67-C8A7-5720-6F83-07CE8674E2BE} - (no file)
    O2 - BHO: (no name) - {AE65210B-2870-3EC4-9658-261BE1153BB2} - (no file)
    O2 - BHO: (no name) - {B31201EA-B6EE-80FD-86B1-3CA150910F8D} - (no file)
    O2 - BHO: (no name) - {C46EE6A8-1C15-E426-E079-3B788A30CE86} - (no file)
    O2 - BHO: (no name) - {D59AC151-F00C-3509-5093-1C3589B36680} - (no file)
    O2 - BHO: (no name) - {DE009CAE-4B28-D350-13CF-E88F46A3C5C3} - (no file)
    O2 - BHO: (no name) - {E16EFF3B-8831-5123-9372-1E0B4CDF75E9} - (no file)
    O2 - BHO: (no name) - {E21F538E-8CB9-A0F9-8F6E-40567DFA2D87} - (no file)
    O2 - BHO: (no name) - {E8672AC7-8611-4002-4486-F4856A5C2E37} - (no file)
    O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.searchmeup.cc (HKLM)
    O15 - Trusted IP range: 195.190.118.157 (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/05a515b086e83fbc4c03/netzip/RdxIE601.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167273117860
    O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures04.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://216.93.170.133:82/TqUpdate_Release.CAB
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 8897 bytes
     
  7. ~Candy~

    ~Candy~ Retired Administrator

    Ok, sorry, missed that part :( I'm sure Derek will be able to get that resolved.
     
  8. DorkyPenguin

    DorkyPenguin Thread Starter

    Heh, no problem =P Thanks though!
     
  9. ~Candy~

    ~Candy~ Retired Administrator

    You're welcome. Derek is across the pond, so depending on your U.S. location, he may reply about 3 a.m. your time :D
     
  10. DorkyPenguin

    DorkyPenguin Thread Starter

    Oh xP. I suppose I'll check back tomorrow after school then. Thanks for your help again!
     
  11. ~Candy~

    ~Candy~ Retired Administrator

    (y) Welcome once again :) Have a good day at school :)
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Download ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the net
    --------------------------------------------------------------------
    2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
    • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
    • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
     
  13. DorkyPenguin

    DorkyPenguin Thread Starter

    *Whew*, here are both the logs, ComboFix first, then HJT (one thing also, when it restarted my computer to give the final logs, my computer automatically started up my anti-virus and such. It said do not start any programs, but I couldn't stop it. Not sure if this affected anything. This occurred at the very end before it came up with the logs):


    ComboFix 08-10-19.04 - Laurie 2008-10-21 18:28:00.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.74 [GMT -6:00]
    Running from: C:\Documents and Settings\Laurie\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Common Files\companion wizard
    C:\Program Files\INSTALL.LOG
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\mssq.exe
    C:\WINDOWS\system32\_002506_.tmp.dll
    C:\WINDOWS\system32\_002681_.tmp.dll
    C:\WINDOWS\system32\_002682_.tmp.dll
    C:\WINDOWS\system32\_002683_.tmp.dll
    C:\WINDOWS\system32\_002684_.tmp.dll
    C:\WINDOWS\system32\_002691_.tmp.dll
    C:\WINDOWS\system32\_002693_.tmp.dll
    C:\WINDOWS\system32\_002694_.tmp.dll
    C:\WINDOWS\system32\_002696_.tmp.dll
    C:\WINDOWS\system32\_002697_.tmp.dll
    C:\WINDOWS\system32\_002700_.tmp.dll
    C:\WINDOWS\system32\_002701_.tmp.dll
    C:\WINDOWS\system32\_002703_.tmp.dll
    C:\WINDOWS\system32\_002704_.tmp.dll
    C:\WINDOWS\system32\_002705_.tmp.dll
    C:\WINDOWS\system32\_002707_.tmp.dll
    C:\WINDOWS\system32\_002708_.tmp.dll
    C:\WINDOWS\system32\_002710_.tmp.dll
    C:\WINDOWS\system32\_002714_.tmp.dll
    C:\WINDOWS\system32\_002715_.tmp.dll
    C:\WINDOWS\system32\_002717_.tmp.dll
    C:\WINDOWS\system32\_002720_.tmp.dll
    C:\WINDOWS\system32\_002722_.tmp.dll
    C:\WINDOWS\system32\_002724_.tmp.dll
    C:\WINDOWS\system32\_002725_.tmp.dll
    C:\WINDOWS\system32\_002726_.tmp.dll
    C:\WINDOWS\system32\_002729_.tmp.dll
    C:\WINDOWS\system32\_002731_.tmp.dll
    C:\WINDOWS\system32\_002732_.tmp.dll
    C:\WINDOWS\system32\_002733_.tmp.dll
    C:\WINDOWS\system32\_002737_.tmp.dll
    C:\WINDOWS\system32\_002739_.tmp.dll
    C:\WINDOWS\system32\_002942_.tmp.dll
    C:\WINDOWS\system32\_002964_.tmp.dll
    C:\WINDOWS\system32\_003010_.tmp.dll
    C:\WINDOWS\system32\_003120_.tmp.dll
    C:\WINDOWS\system32\_003121_.tmp.dll
    C:\WINDOWS\system32\_003122_.tmp.dll
    C:\WINDOWS\system32\_003123_.tmp.dll
    C:\WINDOWS\system32\_003130_.tmp.dll
    C:\WINDOWS\system32\_003131_.tmp.dll
    C:\WINDOWS\system32\_003132_.tmp.dll
    C:\WINDOWS\system32\_003134_.tmp.dll
    C:\WINDOWS\system32\_003135_.tmp.dll
    C:\WINDOWS\system32\_003138_.tmp.dll
    C:\WINDOWS\system32\_003139_.tmp.dll
    C:\WINDOWS\system32\_003141_.tmp.dll
    C:\WINDOWS\system32\_003142_.tmp.dll
    C:\WINDOWS\system32\_003143_.tmp.dll
    C:\WINDOWS\system32\_003145_.tmp.dll
    C:\WINDOWS\system32\_003146_.tmp.dll
    C:\WINDOWS\system32\_003147_.tmp.dll
    C:\WINDOWS\system32\_003148_.tmp.dll
    C:\WINDOWS\system32\_003149_.tmp.dll
    C:\WINDOWS\system32\_003154_.tmp.dll
    C:\WINDOWS\system32\_003155_.tmp.dll
    C:\WINDOWS\system32\_003156_.tmp.dll
    C:\WINDOWS\system32\_003157_.tmp.dll
    C:\WINDOWS\system32\_003162_.tmp.dll
    C:\WINDOWS\system32\_003163_.tmp.dll
    C:\WINDOWS\system32\_003164_.tmp.dll
    C:\WINDOWS\system32\_003165_.tmp.dll
    C:\WINDOWS\system32\_003172_.tmp.dll
    C:\WINDOWS\system32\_003173_.tmp.dll
    C:\WINDOWS\system32\_003174_.tmp.dll
    C:\WINDOWS\system32\_003176_.tmp.dll
    C:\WINDOWS\system32\_003177_.tmp.dll
    C:\WINDOWS\system32\_003180_.tmp.dll
    C:\WINDOWS\system32\_003181_.tmp.dll
    C:\WINDOWS\system32\_003183_.tmp.dll
    C:\WINDOWS\system32\_003184_.tmp.dll
    C:\WINDOWS\system32\_003185_.tmp.dll
    C:\WINDOWS\system32\_003187_.tmp.dll
    C:\WINDOWS\system32\_003188_.tmp.dll
    C:\WINDOWS\system32\_003190_.tmp.dll
    C:\WINDOWS\system32\_003194_.tmp.dll
    C:\WINDOWS\system32\_003195_.tmp.dll
    C:\WINDOWS\system32\_003197_.tmp.dll
    C:\WINDOWS\system32\_003200_.tmp.dll
    C:\WINDOWS\system32\_003202_.tmp.dll
    C:\WINDOWS\system32\_003203_.tmp.dll
    C:\WINDOWS\system32\_003204_.tmp.dll
    C:\WINDOWS\system32\_003205_.tmp.dll
    C:\WINDOWS\system32\_003207_.tmp.dll
    C:\WINDOWS\system32\_003208_.tmp.dll
    C:\WINDOWS\system32\_003209_.tmp.dll
    C:\WINDOWS\system32\_003210_.tmp.dll
    C:\WINDOWS\system32\_003217_.tmp.dll
    C:\WINDOWS\system32\_003218_.tmp.dll
    C:\WINDOWS\system32\_003219_.tmp.dll
    C:\WINDOWS\system32\_003221_.tmp.dll
    C:\WINDOWS\system32\_003222_.tmp.dll
    C:\WINDOWS\system32\_003225_.tmp.dll
    C:\WINDOWS\system32\_003226_.tmp.dll
    C:\WINDOWS\system32\_003228_.tmp.dll
    C:\WINDOWS\system32\_003229_.tmp.dll
    C:\WINDOWS\system32\_003230_.tmp.dll
    C:\WINDOWS\system32\_003232_.tmp.dll
    C:\WINDOWS\system32\_003233_.tmp.dll
    C:\WINDOWS\system32\_003235_.tmp.dll
    C:\WINDOWS\system32\_003239_.tmp.dll
    C:\WINDOWS\system32\_003240_.tmp.dll
    C:\WINDOWS\system32\_003242_.tmp.dll
    C:\WINDOWS\system32\_003245_.tmp.dll
    C:\WINDOWS\system32\_003247_.tmp.dll
    C:\WINDOWS\system32\_003248_.tmp.dll
    C:\WINDOWS\system32\_003249_.tmp.dll
    C:\WINDOWS\system32\_003250_.tmp.dll
    C:\WINDOWS\system32\_003253_.tmp.dll
    C:\WINDOWS\system32\_003255_.tmp.dll
    C:\WINDOWS\system32\_003256_.tmp.dll
    C:\WINDOWS\system32\_003257_.tmp.dll
    C:\WINDOWS\system32\_003261_.tmp.dll
    C:\WINDOWS\system32\_003263_.tmp.dll
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\gtkkr.dat
    C:\WINDOWS\system32\mfcee.exe
    C:\WINDOWS\system32\mscp.exe
    C:\WINDOWS\system32\msng.exe
    C:\WINDOWS\system32\packet.dll
    C:\WINDOWS\system32\pthreadVC.dll
    C:\WINDOWS\system32\winbo32.exe
    C:\WINDOWS\system32\wpcap.dll
    C:\WINDOWS\winhp32.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FOPN
    -------\Legacy_NPF
    -------\Legacy_SVCPROC
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2008-09-22 to 2008-10-22 )))))))))))))))))))))))))))))))
    .

    2008-10-15 18:11 . 2008-10-15 18:11 <DIR> d-------- C:\Program Files\Lavasoft
    2008-10-15 18:11 . 2008-10-15 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-15 17:57 . 2008-10-15 18:03 <DIR> d-------- C:\Program Files\RegScrubXP
    2008-10-15 17:38 . 2008-10-15 17:38 <DIR> d-------- C:\Program Files\Avira
    2008-10-15 17:38 . 2008-10-15 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2008-10-15 17:05 . 2008-10-15 17:05 <DIR> d-------- C:\Program Files\ZoneAlarmSB
    2008-10-15 17:03 . 2008-10-15 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-10-15 17:03 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-10-15 17:03 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
    2008-10-15 17:02 . 2008-10-15 17:02 <DIR> d-------- C:\Program Files\Zone Labs
    2008-10-15 17:02 . 2008-07-09 09:05 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
    2008-10-15 16:26 . 2008-10-18 11:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-15 16:26 . 2008-10-15 16:26 <DIR> d-------- C:\Documents and Settings\Laurie\Application Data\Malwarebytes
    2008-10-15 16:26 . 2008-10-15 16:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-15 16:26 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2008-10-15 16:26 . 2008-10-16 20:25 15,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
    2008-10-15 16:24 . 2008-10-15 16:24 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-14 21:44 . 2008-10-14 21:44 <DIR> d-------- C:\Program Files\CCleaner

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-21 03:27 1,397,248 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
    2008-10-16 03:21 78,848 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
    2008-10-16 00:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-16 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-10-15 23:51 --------- d-----w C:\Documents and Settings\Laurie\Application Data\Lavasoft
    2008-10-15 23:27 --------- d-----w C:\Program Files\Viewpoint
    2008-10-15 23:27 --------- d-----w C:\Program Files\Symantec
    2008-10-15 23:27 --------- d-----w C:\Documents and Settings\Laurie\Application Data\Viewpoint
    2008-10-15 23:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-10-15 23:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-10-15 03:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-10-15 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-16 11:58 53,248 ----a-w C:\WINDOWS\uneng.exe
    2008-09-16 06:57 120,870 ----a-w C:\WINDOWS\usnpp202.exe
    2008-09-16 03:48 --------- d-----w C:\Program Files\Windows Live Safety Center
    2005-07-27 02:55 9,228,440 ----a-w C:\Program Files\sygate.exe
    2005-07-27 01:12 488,032 ----a-w C:\Program Files\PopUpStopperFree.exe
    2005-07-27 01:10 4,354,084 ----a-w C:\Program Files\spybotsd13.exe
    2005-07-27 01:08 2,855,080 ----a-w C:\Program Files\adware.exe
    2005-07-27 00:52 16,518,095 ----a-w C:\Program Files\wg311v2_v2_0_0_7.zip
    2004-07-02 17:19 40,960 ----a-w C:\WINDOWS\INF\WG311v2\imdinst.exe
    2004-06-18 04:41 386,688 ----a-w C:\WINDOWS\INF\WG311v2\netwg311_XP.sys
    2004-04-04 18:07 84,912 ----a-w C:\WINDOWS\INF\WG311v2\FwRad17.bin
    2004-04-04 18:07 83,320 ----a-w C:\WINDOWS\INF\WG311v2\FwRad16.bin
    2004-02-04 17:53 62,865 ----a-w C:\WINDOWS\INF\WG311v2\odysseyIM3.sys
    2004-02-04 17:53 12,739 ----a-w C:\WINDOWS\INF\WG311v2\odNetInstall.dll
    2004-06-12 10:28 2,569 --sha-w C:\WINDOWS\SYSTEM32\rijfs.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-06-20 155648]
    "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 450560]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ cli scecli

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
    "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    "IPHSend"=C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    "HostManager"=C:\Program Files\Common Files\AOL\1124425300\ee\AOLSoftware.exe
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    "DVDSentry"=C:\WINDOWS\System32\DSentry.exe
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    "NapsterShell"=C:\Program Files\Napster\napster.exe /systray

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2008-01-21 22336]
    R0 prohlp01;StarForce Protection Helper Driver v1;C:\WINDOWS\System32\drivers\prohlp01.sys [2002-12-26 61728]
    R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-05-09 45376]
    R1 prodrv05;StarForce Protection Environment Driver v5;C:\WINDOWS\System32\drivers\prodrv05.sys [2002-12-26 53568]
    S3 MSFT43XX;Microsoft Wireless Notebook Adapter Driver;C:\WINDOWS\System32\DRIVERS\mn720-50.sys [2003-07-18 254208]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{07850CE3-1044-C87E-2D7E-A3B83871E631} - (no file)
    BHO-{21204F9B-E08B-9E2A-C0B8-0DA765FD3394} - (no file)
    BHO-{25A24FD7-B559-A8F2-9119-734F5E38EC5E} - (no file)
    BHO-{3257CB31-4761-6E0E-B8F2-BA44AD4D89B0} - (no file)
    BHO-{652B2B57-E4D1-DA98-11D1-63B6EC399433} - (no file)
    BHO-{6D224D6C-9CD9-244E-1651-BCB09374072E} - (no file)
    BHO-{741F449C-9060-015F-109F-D04403FDE843} - (no file)
    BHO-{8605E933-BF9A-38BC-F3EC-5B9BFA9CFEB4} - (no file)
    BHO-{A150AC67-C8A7-5720-6F83-07CE8674E2BE} - (no file)
    BHO-{AE65210B-2870-3EC4-9658-261BE1153BB2} - (no file)
    BHO-{B31201EA-B6EE-80FD-86B1-3CA150910F8D} - (no file)
    BHO-{C46EE6A8-1C15-E426-E079-3B788A30CE86} - (no file)
    BHO-{D59AC151-F00C-3509-5093-1C3589B36680} - (no file)
    BHO-{DE009CAE-4B28-D350-13CF-E88F46A3C5C3} - (no file)
    BHO-{E16EFF3B-8831-5123-9372-1E0B4CDF75E9} - (no file)
    BHO-{E21F538E-8CB9-A0F9-8F6E-40567DFA2D87} - (no file)
    BHO-{E8672AC7-8611-4002-4486-F4856A5C2E37} - (no file)


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\e4t2kmie.default\
    FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-21 18:41:03
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\SYSTEM32\wdfmgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\SYSTEM32\WgaTray.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-21 18:56:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-22 00:56:28

    Pre-Run: 5,892,554,752 bytes free
    Post-Run: 5,797,875,712 bytes free

    winxpsp1_en_hom_bf.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

    288 --- E O F --- 2008-10-15 22:20:37
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:01:23 PM, on 10/21/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.searchmeup.cc (HKLM)
    O15 - Trusted IP range: 195.190.118.157 (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167273117860
    O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures04.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://216.93.170.133:82/TqUpdate_Release.CAB
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 7398 bytes
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    next

    download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop
    right click the file and select install, that will reset the zone settings that have been altered

    and also

    Download: ResetProtocolDefaults.reg
    http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

    Locate "ResetProtocolDefaults.reg"
    Right-click and select: Merge (Ok the prompt)

    then I want to examine some files that look suspicious so

    download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)


    then to see if we can solve the update problem with SP2


    download AUcheck from http://www.codeplex.com/aureset

    save it to desktop & double click it to run

    allow all prompts & when it has finished post the C:\AULOGS\data.cab file so we can check what it found

    Try Windows update now and see whether it will give you SP2
    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    This will create a zip file inside C:\QooBox\ named something like [38][email protected]

    at the end it will pop up an alert & open your browser and ask you to send the zip file

    please follow those instructions. We need to see the zip file before we can carry on with the fix

    If there is no pop up alert or open browser then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your post here, then press the browse button and navigate to and select the files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc, and then when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with).

    Files to submit:
    the zip file inside C:\QooBox\ created by combofix named something like [38][email protected]
     

    Attached Files:

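    The zone reset step above (DelDomains.inf) is aimed at the O15 "Trusted Zone" and "Trusted IP range" entries in the HijackThis log posted just before it. As an added example, not part of this thread or of HijackThis, ComboFix or any other tool named here, the following Python script shows how a helper would triage such a log automatically: it parses HJT entry lines and flags the three patterns that stand out in this log (any O15 trusted-zone entry, an O16 ActiveX download from a raw IP address or a non-standard port, and an O23 service whose binary is reported missing). The sample lines are copied from the log above; the flagging rules are the example's own heuristics, not HijackThis scoring.

```python
import re
from urllib.parse import urlparse

# Sample entries copied from the HijackThis log posted earlier in this thread
# (a raw string, so the Windows paths need no escaping).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O15 - Trusted Zone: *.searchmeup.cc (HKLM)
O15 - Trusted IP range: 195.190.118.157 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://216.93.170.133:82/TqUpdate_Release.CAB
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# HJT entry lines look like "<code> - <body>", e.g. "O15 - Trusted Zone: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(text):
    """Yield (code, body) for every HijackThis entry line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return a list of (code, reason, body) for entries worth a closer look.

    Heuristics (this example's own, not HijackThis's):
      O15  any trusted-zone / trusted-IP entry: it lowers IE security for that
           site, and a home machine normally has none, which is exactly what
           the DelDomains.inf reset in the thread undoes.
      O16  an ActiveX control downloaded from a raw IPv4 host or a port other
           than 80/443.
      O23  a registered service whose binary HijackThis reports as missing
           (an orphaned entry left behind by a removal).
    """
    findings = []
    for code, body in parse_hjt(text):
        if code == "O15":
            findings.append((code, "trusted-zone entry", body))
        elif code == "O16":
            url = URL_RE.search(body)
            if url:
                parsed = urlparse(url.group(0))
                host = parsed.hostname or ""
                if IPV4_RE.match(host) or parsed.port not in (None, 80, 443):
                    findings.append((code, "ActiveX download from raw IP or odd port", body))
        elif code == "O23" and "(file missing)" in body:
            findings.append((code, "service points to a missing binary", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}  {reason}\n      {body}")
```

Run against the sample, the script flags both O15 lines, the O16 control fetched from an IP-addressed host on port 82, and the orphaned rpcapd service, while leaving the Avira Run entry, the Microsoft-hosted WGA control and the live ZoneAlarm service alone. The point for a reader of this thread is that the O15 hits map directly onto the DelDomains.inf step and the O23 hit onto the kind of orphan ComboFix listed under "ORPHANS REMOVED".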
  15. DorkyPenguin

    DorkyPenguin Thread Starter

    Joined:
    Sep 16, 2008
    Messages:
    44
    I cannot download the first file... I click it and it takes me to some page with words... I got the second link though. Now the AU_Check thing is stuck at renaming CATROOT2 folder... right when it got there, my firewall blocked some BIOS thing... not sure if that caused it.
     
Short URL to this thread: https://techguy.org/759584