ctfmona.exe
I cleaned hundreds of nasties on this thing so far (co-worker's son's laptop). I noticed that ctfmona.exe was running, so I did a search and ran across this site. I did the ComboFix after running a scan with AVG. So hopefully I am following procedure and am posting the contents of the ComboFix log below. Please let me know if it looks like all is good. Thanks.
ComboFix 08-05-01.3 - delete 2008-05-03 21:34:48.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.154 [GMT -7:00]
Running from: C:\Documents and Settings\delete\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\Jeff Griffin\Start Menu\Programs\MalwareAlarm
C:\Documents and Settings\Jeff Griffin\Start Menu\Programs\MalwareAlarm\MalwareAlarm.lnk
C:\Documents and Settings\Jeff Griffin\Start Menu\Programs\MalwareAlarm\Uninstall.lnk
C:\Program Files\License_Manager
C:\Program Files\popcorn Terms.html
C:\WINDOWS\BM313e2b3d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\msacm32.drv
C:\WINDOWS\nivavir.config
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\afcuickq.ini
C:\WINDOWS\system32\bipcudec.ini
C:\WINDOWS\system32\cigdysej.ini
C:\WINDOWS\system32\ckyrymlw.ini
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\dbutlwdd.ini
C:\WINDOWS\system32\dwgghsrj.ini
C:\WINDOWS\system32\egfjfnkb.ini
C:\WINDOWS\system32\etupkleg.ini
C:\WINDOWS\system32\fdmsxysi.ini
C:\WINDOWS\system32\fldlfhwu.ini
C:\WINDOWS\system32\jmmdfqxk.ini
C:\WINDOWS\system32\koywkvfm.ini
C:\WINDOWS\system32\levexguy.ini
C:\WINDOWS\system32\matgbbgk.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfmicemf.ini
C:\WINDOWS\system32\nefxibrq.ini
C:\WINDOWS\system32\npqss.bak1
C:\WINDOWS\system32\npqss.bak2
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\npqss.tmp
C:\WINDOWS\system32\opfitrtd.ini
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini2
C:\WINDOWS\system32\orfrvnac.ini
C:\WINDOWS\system32\pghianhf.ini
C:\WINDOWS\system32\piagjfsm.ini
C:\WINDOWS\system32\pnewdiji.ini
C:\WINDOWS\system32\pytdcinq.ini
C:\WINDOWS\system32\qjebrerl.ini
C:\WINDOWS\system32\rdwkddbn.ini
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\sibhuqtc.ini
C:\WINDOWS\system32\sljvrrbd.ini
C:\WINDOWS\system32\smerchab.ini
C:\WINDOWS\system32\sssnbfao.ini
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\tnrsspaa.ini
C:\WINDOWS\system32\ttfxcnda.ini
C:\WINDOWS\system32\ujqecogg.ini
C:\WINDOWS\system32\vrmfeopk.ini
C:\WINDOWS\system32\vuinurqv.ini
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wnmodupa.ini
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\wwefgfrh.ini
C:\WINDOWS\system32\xlhipnlq.ini
C:\WINDOWS\system32\xsrkefnf.ini
C:\WINDOWS\system32\ylwulkvt.ini
C:\WINDOWS\system32\yovyegdx.ini
.
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.
2008-05-03 21:31 . 2008-05-03 21:31 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-05-03 21:30 . 2008-05-03 21:30 <DIR> d-------- C:\Documents and Settings\delete\Application Data\Apple Computer
2008-05-03 20:39 . 2008-05-03 20:39 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-03 20:27 . 2008-03-01 06:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-03 20:27 . 2007-04-17 02:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-03 20:27 . 2007-03-07 22:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-03 20:27 . 2008-03-01 06:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-03 20:27 . 2008-03-01 06:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-03 20:27 . 2008-03-01 06:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-03 20:27 . 2008-03-01 06:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-03 20:27 . 2008-03-01 06:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-03 20:27 . 2008-02-22 03:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-03 20:19 . 2008-05-03 20:19 7,412 --a------ C:\WINDOWS\SEC988.PNF
2008-05-03 20:13 . 2008-05-03 20:13 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-03 20:13 . 2008-05-03 20:13 2,948 --a------ C:\WINDOWS\SEC84.PNF
2008-05-03 20:12 . 2008-05-03 20:12 <DIR> d-------- C:\WINDOWS\EHome
2008-05-03 19:57 . 2008-05-03 19:57 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-03 19:57 . 2008-05-03 19:57 <DIR> d-------- C:\Program Files\AVG
2008-05-03 19:57 . 2008-05-03 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-03 19:57 . 2008-05-03 19:57 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-03 19:57 . 2008-05-03 19:57 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-03 19:57 . 2008-05-03 19:57 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-03 19:32 . 2008-05-03 19:32 <DIR> d-------- C:\Documents and Settings\delete
2008-05-03 19:32 . 2008-05-03 21:39 114,688 --ah----- C:\Documents and Settings\delete\ntuser.dat.LOG
2008-05-02 09:12 . 2008-05-02 09:12 <DIR> d-------- C:\WINDOWS\system32\1033
2008-05-02 09:12 . 2008-05-02 09:12 <DIR> d--hs---- C:\FOUND.000
2008-05-01 15:37 . 2008-05-01 15:37 36 --a------ C:\WINDOWS\rasqervy.dll
2008-05-01 15:37 . 2008-05-01 15:37 8 --a------ C:\WINDOWS\sdfinacs.dll
2008-05-01 15:37 . 2008-05-01 15:37 0 --a------ C:\WINDOWS\hidrwupd.dll
2008-05-01 15:31 . 2008-05-01 15:31 <DIR> d-------- C:\Documents and Settings\Kathie Griffin\Application Data\AVGTOOLBAR
2008-05-01 15:18 . 2008-04-28 17:00 47,787,248 --a------ C:\avg_free_stf_en_8_100a1295.exe
2008-05-01 15:16 . 2008-05-01 15:16 <DIR> d-------- C:\Documents and Settings\Kathie Griffin\Application Data\Apple Computer
2008-05-01 14:34 . 2008-05-03 21:28 5 --a------ C:\WINDOWS\sdfixwcs.dll
2008-04-28 12:13 . 2008-05-03 21:28 139 --a------ C:\WINDOWS\wuasirvy.dll
2008-04-26 01:50 . 2008-05-01 15:29 1,482,705 ---hs---- C:\WINDOWS\system32\0793F00c__.ini
2008-04-26 01:49 . 2008-04-26 01:49 0 --a------ C:\WINDOWS\system32\perfn2872.dat
2008-04-24 12:41 . 2008-04-24 12:41 40,960 --a------ C:\WINDOWS\system32\clbdll.old
2008-04-24 12:41 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-24 12:41 . 2008-04-28 12:12 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-23 13:15 . 2008-04-23 13:15 <DIR> d-------- C:\WINDOWS\system32\Client
2008-04-22 17:28 . 2008-04-24 13:14 1,541,144 ---hs---- C:\WINDOWS\system32\40DA600c__.ini
2008-04-11 19:59 . 2008-04-11 19:59 1,219,418 --a------ C:\Documents and Settings\Jeff Griffin\Application Data\Install.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 22:53 90,112 ----a-w C:\WINDOWS\DUMP6be9.tmp
2008-05-01 22:51 90,112 ----a-w C:\WINDOWS\DUMP60bd.tmp
2008-05-01 22:36 90,112 ----a-w C:\WINDOWS\DUMP6215.tmp
2008-04-01 06:16 --------- d-----w C:\Program Files\Safari
2008-04-01 06:10 --------- d-----w C:\Program Files\iPod
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-17 02:08 --------- d-----w C:\Documents and Settings\Kelli Dimoree\Application Data\Yahoo!
2008-03-02 01:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 08:59 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-02-16 08:59 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-02-16 08:59 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-02-16 08:59 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-02-16 08:59 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2004-08-04 12:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E86EFAF-547C-4004-B614-4C11B1A2D76F}]
C:\WINDOWS\system32\cmpbk3.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E9F39F8-40EE-4dd2-A439-2A90224E5DB5}]
1980-01-01 00:00 36864 --a------ C:\WINDOWS\system32\prxsmr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1CF94CD-6DF7-495C-8FCC-0D2C6DB7ED45}]
C:\WINDOWS\system32\vtsqo.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAD1C6AD-10AB-4cae-97FB-0AADDEC8A14B}]
1980-01-01 00:00 37376 --a------ C:\WINDOWS\system32\hmlphl.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7950236-04AB-469E-8DE5-EF6A5C6AB7FD}]
C:\WINDOWS\system32\awvvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [ ]
[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-03 19:57 1177368]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 13:44 128648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr]
C:\WINDOWS\system32\awtqr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwutu]
cbxwutu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuroli]
wvuroli.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B31FD]
C:\WINDOWS\system32\__c00B31FD.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00CDC0E]
C:\WINDOWS\system32\__c00CDC0E.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bfi46.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Chl47.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Kathie Griffin\cftmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2005-06-29 17:26 352256 C:\Program Files\Acer\eRecovery\Monitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
--a------ 2005-03-04 13:13 32768 C:\WINDOWS\system32\keyhook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
--a------ 2005-02-25 19:35 49152 C:\WINDOWS\system32\SiSPower.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-07 23:43 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-07 23:44 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\Explorer.EXE"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-03 19:57]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-03 19:57]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-03 19:57]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-03 19:57]
R2 int15.sys;int15.sys;C:\Program Files\Acer\eRecovery\int15.sys [2005-01-13 14:46]
R2 VISSV;VISSV;C:\WINDOWS\system32\drivers\smccs.sys [1980-01-01 00:00]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 01:43]
S0 Bfi46;Bfi46;C:\WINDOWS\system32\Drivers\Bfi46.sys []
S0 Chl47;Chl47;C:\WINDOWS\system32\Drivers\Chl47.sys []
S0 pmpbwnuh;pmpbwnuh;C:\WINDOWS\system32\drivers\vtjqpiic.dat []
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= basenssg32.dll
.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 17:30:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 21:39:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmpbwnuh]
"ImagePath"="system32\drivers\vtjqpiic.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\basenssg32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-05-03 21:41:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-04 04:41:30
Pre-Run: 15,088,779,264 bytes free
Post-Run: 15,192,637,440 bytes free
282 --- E O F --- 2008-05-04 03:31:59
OK good!
Now send me a HJT file so I can see what's still running.
Download a copy of HijackThis and save it to your desktop in a folder.
Do a scan and save the HijackThis logfile. Do not remove anything.
Post your log file here. Link to HijackThis:
http://www.majorgeeks.com/Trend_Micr...his_d5554.html

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:31 AM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\common\yiesrvc.dll
O2 - BHO: (no name) - {6E86EFAF-547C-4004-B614-4C11B1A2D76F} - C:\WINDOWS\system32\cmpbk3.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: HujApp Class - {8E9F39F8-40EE-4dd2-A439-2A90224E5DB5} - C:\WINDOWS\system32\prxsmr.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: (no name) - {A1CF94CD-6DF7-495C-8FCC-0D2C6DB7ED45} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: BhoApp Class - {AAD1C6AD-10AB-4cae-97FB-0AADDEC8A14B} - C:\WINDOWS\system32\hmlphl.dll
O2 - BHO: (no name) - {B7950236-04AB-469E-8DE5-EF6A5C6AB7FD} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [LiveAntispy] C:\Program Files\LiveAntispy\LiveAntispy.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Jeff Griffin\cftmon.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\DOCUME~1\JEFFGR~1\LOCALS~1\Temp\65BB.tmp.exe
O4 - HKCU\..\Run: [kavir] C:\WINDOWS\kavir.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZHYYYYYYYYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: cbxwutu - cbxwutu.dll (file missing)
O20 - Winlogon Notify: wvuroli - wvuroli.dll (file missing)
O20 - Winlogon Notify: __c00B31FD - C:\WINDOWS\system32\__c00B31FD.dat (file missing)
O20 - Winlogon Notify: __c00CDC0E - C:\WINDOWS\system32\__c00CDC0E.dat (file missing)
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 8395 bytes
I see multiple infections gibbygoo!
Print out or copy this page to Notepad, since you CANNOT have any browsers open while you are fixing this, and try to follow it as closely as possible, taking it STEP by STEP.
Update your AVG Antivirus program.
Download Spybot Search and Destroy, install it and UPDATE the program (Don't run it yet).
http://www.safer-networking.org/en/mirrors/index.html
Download VundoFix.exe to your desktop. Ignore the AntiVirus warnings and download it anyway because you need to run it.... Wait on installation and running.
http://www.atribune.org/ccount/click.php?id=4
Download CleanUp and install it. Wait on installation and running.
http://www.stevengould.org/downloads...CleanUp452.exe
Download the following program, CWShredder. Wait on installation and running.
http://www.trendmicro.com/ftp/produc...cwshredder.exe
Download About:Buster and save it to your desktop. When it has finished downloading, unzip the folder to your desktop as well. You should now be left with an aboutbuster folder on your desktop. Wait on installation and running.
http://www.malwarebytes.org/AboutBuster.zip
I would also recommend that you download CCleaner. It is a great little program that I use every time I close my browser to get rid of temporary files. I usually just run the cleaner part every time I'm done with the browser. During the install there will be check marks for checking for updates, which you should do..... Don't install the toolbars unless you want them, so you can uncheck these boxes.
It is a very safe program and it is free. (CCleaner Quick Setup: Go to > Options > Advanced > Uncheck "Only delete files in Windows Temp folders older than 48 hours", as this will help in cleaning malware that may be hiding in your temp files etc.)
http://www.ccleaner.com/
_______________________________________________________________________
Now make sure no OS files are hidden.
To do this:
For XP go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
For Vista go to the Control Panel->Appearance and Personalization
Under the Folder Options, click Show Hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.
You may change the above options back after your log is clean.
Turn off system restore.
Steps to turn off System Restore for XP
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
After a few moments, the System Properties dialog box closes.
Steps to turn off System Restore for Vista:
1. Control Panel -> System Maintenance -> Back Up and Restore Center
2. On the right column, click on "create a restore point or change settings" (this requires administrator's password if set)
3. Uncheck all drives.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
After a few moments, the System Properties dialog box closes.
Do all steps below in safe mode, except for at the end when you generate a new HiJackThis log.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (Repeatedly).
3) Instead of Windows loading as normal, a menu should appear.
4) Use the up arrow key to highlight Safe Mode and press Enter.
Please right click the HiJackThis.exe file that you run to do a scan, and rename it to Digitalfix.exe. Run Digitalfix.exe and click "Scan". Place checks next to the following entries if still present in the code and close all browser and other windows except for HijackThis, and click "Fix Checked". (We rename the HiJackThis executable because some forms of malware are capable of hiding themselves when they see it).
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {6E86EFAF-547C-4004-B614-4C11B1A2D76F} - C:\WINDOWS\system32\cmpbk3.dll (file missing)
O2 - BHO: HujApp Class - {8E9F39F8-40EE-4dd2-A439-2A90224E5DB5} - C:\WINDOWS\system32\prxsmr.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: (no name) - {A1CF94CD-6DF7-495C-8FCC-0D2C6DB7ED45} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: (no name) - {B7950236-04AB-469E-8DE5-EF6A5C6AB7FD} - C:\WINDOWS\system32\awvvw.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Jeff Griffin\cftmon.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\DOCUME~1\JEFFGR~1\LOCALS~1\Temp\65BB.tmp.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZHYYYYYYYYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: cbxwutu - cbxwutu.dll (file missing)
O20 - Winlogon Notify: wvuroli - wvuroli.dll (file missing)
O20 - Winlogon Notify: __c00B31FD - C:\WINDOWS\system32\__c00B31FD.dat (file missing)
O20 - Winlogon Notify: __c00CDC0E - C:\WINDOWS\system32\__c00CDC0E.dat (file missing)
Run your AVG Antivirus and do a full scan..... Remember this is all in safe mode.
Run Spybot Search and Destroy and do a full scan. Remember this is all in safe mode.
Open Cleanup by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Only Check the following for now:
-Empty Recycle Bins
-Delete Cookies
-Delete Prefetch Files
-Clean up All Users
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
*Press the Temporary Files Tab and check.
-Scan drives for files matching
Click OK
Press the CleanUp button to start the program. Reboot/logoff when prompted.
Note: CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup or MOVE THEM out of the Temp folder before running CleanUp.
If you have a 64 bit Operating System do NOT run Cleanup and let me know, as we will use another utility.
Install and run CWSHREDDER.
Close all browser windows, open cwshredder.exe then click "Fix" and let it run.
Double-click on the AboutBuster.exe icon.
Click Begin scan. Close when completed.
It is advised that you run the AboutBuster twice in a row to make sure you get all the infections.
_____________________________________________________________
NOTE for AboutBuster: If you receive the error "Run-time error '339': Component 'comctl32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid",
download and run this file: http://www.spywareinfo.com/downloads...gfilesetup.exe
____________________________________________________________
Double-click VundoFix.exe to run it (Do this a few times until nothing shows up).
Then install CCleaner but note it installs the Yahoo Toolbar as an option which IS check marked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option.
Before first use, select Options > Advanced and UNCHECK 'Only delete files in Windows Temp folder older than 48 hours'
Then select the items you wish to clean up.
In the Windows Tab:
* Clean all entries in the "Internet Explorer" section except Cookies.
* Clean all the entries in the "Windows Explorer" section.
* Clean all entries in the "System" section.
* Clean all entries in the "Advanced" section.
* Clean any others that you choose.
In the Applications Tab:
* Clean all except cookies in the Firefox/Mozilla section if you use it.
* Clean all in the Opera section if you use it.
* Clean Sun Java in the Internet Section.
* Clean any others that you choose.
Click the "Run Cleaner" button.
A pop-up box will appear advising this process will permanently delete files from your system.
Click "OK" and it will scan and clean your system.
Click the "Issues" button.
Click the "Scan For Issues" button.
Click the "Fix Selected Issues" button.
Click the "Fix All Selected Issues" button.
Click "OK"
Click "Close" when done.
REBOOT in normal mode and turn on System Restore.
Steps to turn on System Restore For XP:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
4. Click OK.
After a few moments, the System Properties dialog box closes.
To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.
In the System Restore wizard, select Create a restore point and click the Next button.
Type a name for your new restore point then click on Create.
To create a Restore point for Vista:
1. Control Panel – System Maintenance – Back Up and Restore Center. On the right column, click on "Create A Restore Point Or Change Settings" (This requires Administrator's password if set.) Put a check on the drive your OS is on. Then click on the Create button. Type in a name and then click OK.
Do another scan with Digitalfix.exe in normal Windows mode and post your new log file here for final verification. Make sure it is a new log file.
Also let us know how the system's overall condition is now.
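The entries the helper picked out above share a few tells: references to files that are no longer present, unnamed BHOs and search hooks, autoruns launched from Temp, profile or Windows-root folders, and executables named a letter off from ctfmon.exe or spoolsv.exe. As an added example that is not part of this thread, here is a small Python triage pass over HijackThis log lines that encodes those tells; the rule set, the SYSTEM_BINARIES list and the 0.85 similarity threshold are my assumptions, not anything HijackThis itself does, and the sample lines are copied from the log posted earlier.

```python
"""Added example, not code from the thread: a first triage pass over
HijackThis 2.x log lines of the kind posted above. The rules are my own
assumptions, distilled from which entries the helper picked out; they are
not HijackThis logic, and every hit still needs a human decision."""
import difflib
import re

# Windows binaries whose names the autoruns in this thread imitate
# (ctfmona.exe, cftmon.exe, spools.exe). Assumed list, not taken from the page.
SYSTEM_BINARIES = sorted({"ctfmon.exe", "spoolsv.exe", "svchost.exe", "explorer.exe",
                          "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"})

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKCU\..\Run: [name] command line
RUN_RE = re.compile(r"^HK\S+\\Run\w*: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Executable part of a command line: a quoted path, or text up to the first .exe
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe))', re.IGNORECASE)

# Places a legitimate autorun rarely lives; assumed heuristics, not HijackThis rules.
SUSPECT_LOCATIONS = [
    (re.compile(r"\\temp\\", re.I), "runs from a Temp folder"),
    (re.compile(r"^c:\\windows\\[^\\]+$", re.I), "runs from the Windows root, not system32"),
    (re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", re.I),
     "runs from a user profile root"),
    (re.compile(r"\\drivers\\[^\\]+\.exe$", re.I), "an .exe inside a drivers folder"),
    (re.compile(r"^[^\\]+$"), "bare file name with no path"),
]


def exe_of(cmd):
    """Executable portion of an O4 command line, without quotes or arguments."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def lookalike(exe):
    """Return the Windows binary that `exe` closely imitates, or None.

    An exact match is fine (the real ctfmon.exe is legitimate); a near miss
    such as ctfmona.exe, cftmon.exe or spools.exe scores >= 0.85 with difflib.
    """
    base = exe.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_BINARIES:
        return None
    for known in SYSTEM_BINARIES:
        if difflib.SequenceMatcher(None, base, known).ratio() >= 0.85:
            return known
    return None


def triage(lines):
    """Return [(log line, [reasons])] for every entry worth a second look."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process list, header lines etc. are not entries
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("points at a file that is no longer present (dead entry)")
        if sec in ("O2", "R3") and "(no name)" in body:
            reasons.append("unnamed browser helper object or search hook")
        if sec == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = exe_of(r.group("cmd"))
                reasons += [why for pat, why in SUSPECT_LOCATIONS if pat.search(exe)]
                twin = lookalike(exe)
                if twin:
                    reasons.append(f"name imitates {twin}")
        if reasons:
            hits.append((raw.strip(), reasons))
    return hits


def reasons_for(hits, needle):
    """Reasons recorded for the first flagged line containing `needle` ([] if none)."""
    return next((why for line, why in hits if needle in line), [])


# Constructed sample: a dozen lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6E86EFAF-547C-4004-B614-4C11B1A2D76F} - C:\WINDOWS\system32\cmpbk3.dll (file missing)
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Jeff Griffin\cftmon.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\DOCUME~1\JEFFGR~1\LOCALS~1\Temp\65BB.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
"""

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG.splitlines()):
        print(line)
        for reason in why:
            print("    ->", reason)
```

On the sample above it flags eight of the twelve lines and leaves the real ctfmon.exe, Windows Defender, the Acrobat BHO and the Java button alone; the same rules would also catch the xpupdate.exe and kavir.exe autoruns from the full log.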
You do not need to run CWShredder or About:Buster. You are just wasting your time there. Do NOT turn off system restore, as a bad restore point is better than no restore point if things go south.
Next time you save a log in notepad, go to the format tab and make sure wordwrap is unchecked.
==
Download SDFix and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
- Instead of Windows loading as normal, a menu with options should appear.
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
- In Safe Mode, right click the SDFix.zip folder and choose Extract All.
- Open the extracted folder and double click RunThis.bat to start the script.
- Type Y to begin the script.
- It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- Your system will take longer than normal to restart as the fixtool will be running and removing files.
- When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.