virtumonde infestation need some assistance

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Skrimpa133

Thread Starter
Joined
Oct 8, 2008
Messages
6
Well i was browsing around the forums and i noticed many other people have experienced the same problems im having so i attempted to start the "fixing" process myself. I started by installing and running malwarebytes with good results but when i read on to the whole combofix part i got kinda nervous and didn't want to screw it up so i decided i would ask for help. Ive noticed you guys like to have people get you an HJT log so here it is and this is after Malwarebytes was installed, ran a scan, and cleared a multitude to things. Please educate me a little in infection procedures lol.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:49 PM, on 10/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\Advanced SystemCare 3 Beta\AWC.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061003
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061003
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {853D915E-40FF-4125-996E-89DD934B2060} - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\iWin Games\iWinGamesHookIE.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [lphc3nsj0ea2t] C:\WINDOWS\system32\lphc3nsj0ea2t.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\DOCUME~1\JOSHH~1\LOCALS~1\Temp\E_SEC.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3 Beta\AWC.exe" /startup
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.com/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223415927046
O21 - SSODL: mDYJOeCPZM - {B815B761-12BF-1DCB-4915-2F92A5A0DE82} - C:\WINDOWS\system32\dt.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9768 bytes
 

Skrimpa133

Thread Starter
Joined
Oct 8, 2008
Messages
6
New Malwarebytres log. Sorry it took a while.

Malwarebytes' Anti-Malware 1.29
Database version: 1295
Windows 5.1.2600 Service Pack 3

10/19/2008 10:25:58 PM
mbam-log-2008-10-19 (22-25-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 133665
Time elapsed: 41 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\iehlprobj.iehlprobj.1 (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Adware.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{495874fe-4a82-4ad1-9476-0b957e0b95eb} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e3ed53c5-7ad5-4df5-9734-afb6e7e5d9db} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} (Trojan.HumourCanine) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{853d915e-40ff-4125-996e-89dd934b2060} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\iWin Games\iWinGamesHookIE.dll (Adware.BHO) -> No action taken.
C:\Program Files\Conduit\Community Alerts\Alert.dll (Trojan.HumourCanine) -> No action taken.
C:\Program Files\iWin\iWinToolbarHelper.exe (Adware.HumourCanineToolbar) -> No action taken.
C:\WINDOWS\system32\blphc3nsj0ea2t.scr (Trojan.FakeAlert) -> No action taken.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  1. Close any open browsers.
  2. If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  3. Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  4. In Additional Scans section put a check in BotCheck and Disabled MS Config Items and EventViewer Errors/Warnings
  5. Now click the Run Scan button on the toolbar.
  6. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  7. When the scan is complete Notepad will open with the report file loaded in it.
  8. Save that notepad file
If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
 

Skrimpa133

Thread Starter
Joined
Oct 8, 2008
Messages
6
Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  1. Close any open browsers.
  2. If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  3. Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  4. In Additional Scans section put a check in BotCheck and Disabled MS Config Items and EventViewer Errors/Warnings
  5. Now click the Run Scan button on the toolbar.
  6. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  7. When the scan is complete Notepad will open with the report file loaded in it.
  8. Save that notepad file
If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
 

Skrimpa133

Thread Starter
Joined
Oct 8, 2008
Messages
6
Sorry again for the delay, busy busy. And i have no idea why i quoted you i think i clicked the wrong button.
 

Attachments

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says Paste fix here and then click the Run Fix button.


Code:
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> prunnet -> %SystemRoot%\system32\prunnet.exe ["C:\WINDOWS\system32\prunnet.exe"]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> prunnet -> %SystemRoot%\system32\prunnet.exe ["C:\WINDOWS\system32\prunnet.exe"]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> {B815B761-12BF-1DCB-4915-2F92A5A0DE82} [HKEY_LOCAL_MACHINE] -> Reg Error: Value  does not exist or could not be read. [mDYJOeCPZM]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKEY_LOCAL_MACHINE] -> Reg Error: Value  does not exist or could not be read. [CBrowserHelperObject Object]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. []
[Files/Folders - Created Within 30 days]
NY -> prunnet.exe -> %SystemRoot%\System32\prunnet.exe
[Files/Folders - Modified Within 30 days]
NY -> 54803815.sys -> %SystemRoot%\System32\drivers\54803815.sys
NY -> 22 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> prunnet.exe -> %SystemRoot%\System32\prunnet.exe
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 9 C:\Documents and Settings\Josh H\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Josh H\Local Settings\Temp\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.
Post that information back here.

I will review the information when it comes back in.


This came from the scan log.
Description = The device, \Device\Harddisk0\D, has a bad block.


Run disk check to fix the disk errors.
Go to Start, click on My Computer, right-click on the C: drive and select Properties.

In the Properties dialog box, click the Tools tab. In the Error-Checking section, press the Check Now button.
A Check Disk dialog box displays, as shown below.

In the Check Disk dialog box, check both of the check boxes.

Click Start.

You will see a message box that says you can schedule the disk check to start the next time you restart your computer. Click Yes. Now restart your computer, it will automatically run through a disk check before displaying your login screen. After the disk check finishes, Windows will automatically bring you to your login screen.

Note: Check Disk can take more than an hour to check and clean errors on your computer.


 

Skrimpa133

Thread Starter
Joined
Oct 8, 2008
Messages
6
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\prunnet not found.
File C:\WINDOWS\system32\prunnet.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\prunnet deleted successfully.
File C:\WINDOWS\system32\prunnet.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\mDYJOeCPZM deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B815B761-12BF-1DCB-4915-2F92A5A0DE82}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ not found.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\prunnet.exe not found!
[Files/Folders - Modified Within 30 days]
File move failed. C:\WINDOWS\System32\drivers\54803815.sys scheduled to be moved on reboot.
File C:\WINDOWS\System32\prunnet.exe not found!
C:\Documents and Settings\Josh H\Local Settings\Temp\nsq87.tmp folder deleted successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Josh H\Local Settings\Temp\etilqs_Zd3OBkw2C45Mso9L2O8a scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_65c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Josh H\Local Settings\Application Data\Mozilla\Firefox\Profiles\cry6mgef.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Josh H\Local Settings\Application Data\Mozilla\Firefox\Profiles\cry6mgef.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Josh H\Local Settings\Application Data\Mozilla\Firefox\Profiles\cry6mgef.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Josh H\Local Settings\Application Data\Mozilla\Firefox\Profiles\cry6mgef.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Josh H\Local Settings\Application Data\Mozilla\Firefox\Profiles\cry6mgef.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11222008_171645

Files moved on Reboot...
File move failed. C:\WINDOWS\System32\drivers\54803815.sys scheduled to be moved on reboot.
File C:\Documents and Settings\Josh H\Local Settings\Temp\etilqs_Zd3OBkw2C45Mso9L2O8a not found!
File C:\WINDOWS\temp\Perflib_Perfdata_65c.dat not found!
C:\Documents and Settings\Josh H\Local Settings\Application Data\Mozilla\Firefox\Profiles\cry6mgef.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Josh H\Local Settings\Application Data\Mozilla\Firefox\Profiles\cry6mgef.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Josh H\Local Settings\Application Data\Mozilla\Firefox\Profiles\cry6mgef.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Josh H\Local Settings\Application Data\Mozilla\Firefox\Profiles\cry6mgef.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Josh H\Local Settings\Application Data\Mozilla\Firefox\Profiles\cry6mgef.default\urlclassifier3.sqlite moved successfully.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Please post your hijackthis log again and let me know if you are still having problems.
 

Skrimpa133

Thread Starter
Joined
Oct 8, 2008
Messages
6
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:22 PM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061003
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.shareazaweb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061003
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: UrlHelper Class - {cfc4f59b-a2da-4e12-b337-52a4f871e10c} - C:\Program Files\Shareaza Applications\Shareaza MediaBar\ShareazaIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Shareaza MediaBar - {196C3A46-4758-433D-A600-802C804AF39C} - C:\Program Files\Shareaza Applications\Shareaza MediaBar\ShareazaMediaBar.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\DOCUME~1\JOSHH~1\LOCALS~1\Temp\E_SEC.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.com/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223415927046
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: ThreatFire (threatfire) - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8895 bytes
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Looks fine.

Download OTCleanIt. Save this application on your desktop. Once downloaded Double click on the OTCleanIt.exe. This should remove most malware tools you downloaded. A restart will be required.


It's a good idea to Flush your System Restore after removing malware:
Turn off system restore, restart the machine and then turn it back on: http://support.microsoft.com/kb/310405
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top