Multiple Issues - Possible Malware[RESOLVED]



I have multiple issues, but they all probably stem from the same thing.

I run Ad-Aware and Spybot to check for viruses.

I run Spybot and Securemaker in the background to check in real-time for viruses

Additionally, there is a firewall on the router I use.

Issue 1:

Both Securemaker and Spybot are flagging up attempts from "LSA Shellu" to program the startup Path. Spybot gave me the "path" as

C:\Documents and Settings\Will Barry\Lsass.exe

(Will Barry is me, btw)

I keep rejecting these but whatever is doing it is being persistent. I went into the folder and found a suspicious exe file called "services.exe", which I promptly deleted. Still the 2 programs keep flagging up these attempts to add the startup value.

Issue 2:

Securemaker has flagged up an attempt by a program to download a file from http://members.chellu.hu/. I could give the exact address if I need to, but I would have to restart my computer. The file has .png on the end of it, not .exe.

Issue 3:

I have a warning box

|title| 16 bit MS-DOS subsystem |/title|
C:\DOCUME~1\WILLBA~1\serices.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0710 IP011f OP:63 65 64 20 62 Choose 'close' to terminate the application

There are two options: "Close" and "Ignore".

Issue 4:

I have had blue screen of death 3 times recently

Should I download and run HijackThis (is that the name?) and put the list here?


Welcome to Besttechie! I'm Ryan, and I'll be helping you clean your computer.

Let's do this before getting a HiJack This log, since it's what I'd probably have you do after I looked at the log.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply, and include a HiJack This log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

-Ryan


Excellent. It appears to have found what Spybot and Ad-Aware could not. Is this program better or should I use it in conjunction with the others?

Malwarebytes' Anti-Malware 1.11
Database version: 602

Scan type: Quick Scan
Objects scanned: 40442
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\Will Barry\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LSA Shellu (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Will Barry\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Barry\services.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:06:38, on 08/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\SECUREMAKER\smdefrag.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SECUREMAKER\SecureMaker.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crashie.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RealPlayer.exe
O4 - Global Startup: SECUREMAKER.lnk = C:\Program Files\SECUREMAKER\SecureMaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194729982453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194738060906
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.1.709.19590 (GoogleDesktopManager-091907-194040) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Securemaker Disk Defragmenter Service (smdefrag) - Unknown owner - C:\Program Files\SECUREMAKER\smdefrag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 7643 bytes

Thank you!

Edited by ddeeff
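Added example, not part of this thread and not code from any of the tools it mentions: a small Python script that reads the "Running processes" section and the O4 autorun lines of a HijackThis log and flags core Windows process names (lsass.exe, services.exe, ...) running from anywhere other than C:\WINDOWS\system32, which is the pattern behind the "LSA Shellu" entry above. The sample log is constructed (clean lines as posted plus the infected state described in the thread), and the trusted directory assumes %SystemRoot% is C:\WINDOWS as in the posted logs.

```python
"""Flag core Windows process names that run from outside the system directory.

Added example, not from the thread or any tool in it: scans the "Running
processes" section and the O4 autorun lines of a HijackThis log for files that
borrow a core Windows process name (lsass.exe, services.exe, ...) but live
somewhere other than %SystemRoot%\\system32 - the pattern behind the
"LSA Shellu" entry pointing at C:\\Documents and Settings\\Will Barry\\Lsass.exe.
"""
import re

# Processes that, on Windows XP, legitimately run only from %SystemRoot%\system32.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}

# Assumption: %SystemRoot% is C:\WINDOWS, as in the logs posted in this thread.
TRUSTED_DIRS = {r"c:\windows\system32"}

# O4 lines look like:  O4 - HKLM\..\Run: [Name] "C:\path\file.exe" -args
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def extract_exe_path(command):
    """Return the executable path at the front of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, arguments follow the quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: the path ends at the first ".exe" (HijackThis prints the raw value).
    m = re.match(r"(?i)^(.*?\.exe)", command)
    return m.group(1) if m else command.split(" ")[0]


def is_masquerading(path):
    """True if the file name is a core system process but the directory is not trusted."""
    norm = path.strip().lower().replace("/", "\\")
    directory, _, name = norm.rpartition("\\")
    return name in SYSTEM_PROCESS_NAMES and directory not in TRUSTED_DIRS


def find_suspicious(log_text):
    """Return (section, detail, path) tuples for every suspicious entry in a HijackThis log."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:                        # blank line ends the process list
                in_processes = False
            elif is_masquerading(line):
                findings.append(("process", line.rpartition("\\")[2], line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = extract_exe_path(m.group("cmd"))
            if is_masquerading(exe):
                findings.append(("autorun", f'{m.group("hive")} [{m.group("name")}]', exe))
    return findings


# Constructed sample: clean lines as in the posted log, plus the infected state the
# thread describes (a profile-directory lsass.exe and the "LSA Shellu" Run value).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Will Barry\lsass.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Will Barry\Lsass.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    for section, detail, path in find_suspicious(SAMPLE_LOG):
        print(f"[{section}] {detail} -> {path}")
```

Run against a real HijackThis log by passing its text to find_suspicious(); the two hits on the sample are the profile-directory lsass.exe process and the LSA Shellu autorun value.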

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

-Ryan


ok. Here is report.txt

[b]SDFix: Version 1.167 [/b]
Run by Administrator on 09/04/2008 at 00:06

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found






Removing Temp Files

[b]ADS Check [/b]:



[b]Final Check [/b]:

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 00:12:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 275


[b]Remaining Services [/b]:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"="C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
"C:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"="C:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\My Downloads\\bgb_1.2\\bgb.exe"="C:\\My Downloads\\bgb_1.2\\bgb.exe:*:Enabled:bgb"
"J:\\Program Files\\mIRC\\mirc.exe"="J:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 13 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 28 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT1D.tmp"
Thu 28 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT1E.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\Will Barry\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\Will Barry\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\Will Barry\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\Will Barry\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

[b]Finished![/b]

After this came up, spybot prompted me to accept the deletion of "LSA Shellu" from the startup list. I of course accepted.

Then I ran HiJack This.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:22:29, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\SECUREMAKER\smdefrag.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SECUREMAKER\SecureMaker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crashie.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RealPlayer.exe
O4 - Global Startup: SECUREMAKER.lnk = C:\Program Files\SECUREMAKER\SecureMaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194729982453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194738060906
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.1.709.19590 (GoogleDesktopManager-091907-194040) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Securemaker Disk Defragmenter Service (smdefrag) - Unknown owner - C:\Program Files\SECUREMAKER\smdefrag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 7329 bytes

Thanks again. Should I restart now to check that it has worked?


Yes, restart, then do the following:

== Clear Temporary Files ==

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Close all Internet Explorer, Firefox, and Opera windows before continuing.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All.
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

== Clear System Restore==

Let's make a new restore point and clear the others:

  • Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.
  • Go - Start>Programmes>Accessories>System Tools>Disk Cleanup>"More Options" Tab>Remove All But Most Recent Point. Please do this for each hard drive that you have connected to the computer.

== Kaspersky Web Scanner ==

Please do an online scan with Kaspersky WebScanner

You will need to use Internet Explorer to do this

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.

== Request Logs ==

Please post the log from the Kaspersky scan, along with an uninstall list

To obtain an Uninstall list:

  • Open HijackThis, click Config, click Misc Tools.
  • Click "Open Uninstall Manager".
  • Click "Save List" (generates uninstall_list.txt).

-Ryan


Here is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 09, 2008 10:08:42 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/04/2008
Kaspersky Anti-Virus database records: 691309
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
M:\

Scan Statistics:
Total number of scanned objects: 249857
Number of viruses found: 11
Number of infected objects: 22
Number of suspicious objects: 8
Duration of the scan process: 01:50:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.42160 Infected: Trojan.Win32.VB.cng skipped
C:\Documents and Settings\Will Barry\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.53486 Infected: Trojan.Win32.VB.cng skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\cert8.db Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\history.dat Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\key3.db Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\parent.lock Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\tidy\spvalid.err Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Will Barry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbdam Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbdao Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbeam Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbeao Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbm Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\fii.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\hp Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Temp\~DFC3AA.tmp Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Temp\~DFED6D.tmp Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Will Barry\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Will Barry\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ibdata1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile0 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\WillsComputer.err Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP139\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Documents and Settings\John System\Local Settings\Temp\__unin__.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/02 Dec 2004 08:51 from Barclays IBank:Barclays IBank info [Thu, .rtf Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/25 Nov 2004 16:14 from Halifax:Halifax Internet banking Informs .rtf Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/23 Nov 2004 09:28 from Lloyds TSB:! Lloyds TSB updates [Tue, 23 .rtf Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/19 Nov 2004 11:07 from [email protected]:FwD: Oh God it's/oh_nono.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/19 Nov 2004 11:07 from [email protected]:FwD: Oh God it's/oh_nono.zip Infected: Email-Worm.Win32.Sober.i skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/17 Nov 2004 08:23 from Natwest:Attention all Natwest Bank users!.rtf Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/15 Nov 2004 07:42 from Barclays IBank:!0fficiaI Notice for aII B.rtf Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/12 Nov 2004 09:44 from Washington Mutual:Official Information To.rtf Infected: Trojan-Spy.HTML.Bankfraud.w skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/09 Nov 2004 21:43 from Eniwetok J. Debriefed:Protect yourself fr.rtf Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/08 Nov 2004 08:14 from Halifax:Halifax Internet banking: URGENT .rtf Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/20 Aug 2004 10:04 from Postmaster:Undeliverable Mail.eml/[From [email protected]][Date Fri, 20 Aug 2004 11:40:15 +0200]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/20 Aug 2004 10:04 from Postmaster:Undeliverable Mail.eml/[From [email protected]][Date Fri, 20 Aug 2004 11:40:15 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/20 Aug 2004 10:04 from Postmaster:Undeliverable Mail.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst Mail MS Mail: infected - 5, suspicious - 8 skipped
D:\Documents and Settings\William Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-11e31cda.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
D:\Documents and Settings\William Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-11e31cda.zip ZIP: infected - 1 skipped
D:\Program Files\Kazaa\PerfectNavUninstall.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.e skipped
D:\Program Files\Kazaa\PerfectNavUninstall.exe NSIS: infected - 1 skipped
D:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\Start.exe Infected: Trojan.Win32.VB.cng skipped
H:\Start.exe Infected: Trojan.Win32.VB.cng skipped
I:\Start.exe Infected: Trojan.Win32.VB.cng skipped
J:\Start.exe Infected: Trojan.Win32.VB.cng skipped

Scan process completed.

Uninstall list from HiJack This:

7-Zip 4.42
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
BBC iPlayer Download Manager
Belkin 54g USB Network Adapter
Browser Address Error Redirector
burnatonce
Dell Driver Reset Tool
Dell Support Center
DellSupport
DivX Web Player
GameSpy Arcade
GIMP 2.4.2
Google Desktop
Google Earth
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB926239)
HTML-Kit
Inkscape 0.45.1
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Kaspersky Online Scanner
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
mIRC
Mozilla Firefox (2.0.0.13)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
MySQL Server 5.0
OpenOffice.org 2.3
OpenOffice.org 2.3 Language Pack (English (United Kingdom))
PowerDVD
Python 2.5 pysqlite-2.4.1
Python 2.5.1
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Samsung SCX-4100 Series
SearchAssist
SECUREMAKER (remove only)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic Activation Module
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Top Gear Screen Saver
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VDMSound
VideoLAN VLC media player 0.8.6d
WampServer 2.0
Windows Communication Foundation
Windows Imaging Component
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Xvid 1.1.3 final uninstall

Sorry for the late reply; I live in the UK and it was getting too late.


Damn. After posting that, the problem has come back.

Again I have seen issues 1, 2 and 3 from the original post.

I will re-follow the steps once I can be advised on how to stop the problem happening again. Should I add spoof .exe files to where the virus keeps infecting?

When it came back, I was opening up my iPod to copy some files over to it. Could the infection somehow have got onto the iPod? (The iPod is using its native software and is in disk mode)


== Remove Programs ==

Please go to Add/Remove Programs in the Control Panel, and remove the following programs:

  • Java 6 Update 3
  • SearchAssist

Reboot your computer

== Combofix ==

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
D:\Start.exe
H:\Start.exe
I:\Start.exe
J:\Start.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

-Ryan


I'm afraid combofix.txt was deleted when it was dragged and dropped. I ran it again, so here is the outputted log.txt.

ComboFix 08-04-08.10 - Will Barry 2008-04-09 16:47:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.641 [GMT 1:00]
Running from: C:\Documents and Settings\Will Barry\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 16:15 . 2005-11-10 14:03 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-04-09 11:35 . 2008-04-09 11:35 358 --a------ C:\Documents and Settings\Will Barry\services.exe
2008-04-09 02:46 . 2008-04-09 02:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-09 02:46 . 2008-04-09 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-09 00:03 . 2008-04-09 00:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 23:57 . 2008-04-09 00:15 <DIR> d-------- C:\SDFix
2008-04-08 22:27 . 2008-04-08 22:27 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-08 22:06 . 2008-04-08 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\Documents and Settings\Will Barry\Application Data\Malwarebytes
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-30 17:44 . 2008-03-30 17:44 <DIR> d-------- C:\Program Files\Real
2008-03-30 17:44 . 2008-03-30 17:44 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-30 17:44 . 2008-03-30 17:44 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 15:15 --------- d-----w C:\Program Files\Java
2008-04-07 22:46 --------- d-----w C:\Documents and Settings\Will Barry\Application Data\OpenOffice.org2
2008-03-28 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-23 01:49 --------- d-----w C:\Program Files\SECUREMAKER
2008-03-03 17:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-02 20:34 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-03-02 19:36 --------- d-----w C:\Documents and Settings\Will Barry\Application Data\gtk-2.0
2008-02-25 19:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-25 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 19:11 691,545 ----a-w C:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-16 20:45 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-16 20:45 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-16 20:45 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 20:48 16132608 C:\WINDOWS\RTHDCPL.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-11 15:31 1840128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\Will Barry\Start Menu\Programs\Startup\
RealPlayer.exe [2008-03-30 18:34:46 0]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SECUREMAKER.lnk - C:\Program Files\SECUREMAKER\SecureMaker.exe [2008-03-05 17:57:22 3248128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"dscactivate"=c:\dell\dsca.exe 3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\My Downloads\\bgb_1.2\\bgb.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 sm;SECUREMAKER driver;C:\WINDOWS\system32\drivers\sm.sys [2007-07-05 16:10]
R2 smdefrag;Securemaker Disk Defragmenter Service;C:\Program Files\SECUREMAKER\smdefrag.exe [2008-03-05 16:46]
S3 GoogleDesktopManager-091907-194040;Google Desktop Manager 5.1.709.19590;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-11 15:31]
S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 01:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-01 00:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 16:49:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-04-09 16:50:01
ComboFix-quarantined-files.txt 2008-04-09 15:49:51
ComboFix2.txt 2008-04-09 15:32:43
ComboFix3.txt 2008-04-09 15:28:37
ComboFix4.txt 2008-04-09 15:26:20
Pre-Run: 179,488,538,624 bytes free
Post-Run: 179,476,328,448 bytes free
.
2008-04-01 23:17:51 --- E O F ---

And here is the HiJack This file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:57:42, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\SECUREMAKER\smdefrag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SECUREMAKER\SecureMaker.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crashie.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RealPlayer.exe
O4 - Global Startup: SECUREMAKER.lnk = C:\Program Files\SECUREMAKER\SecureMaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194729982453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194738060906
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.1.709.19590 (GoogleDesktopManager-091907-194040) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Securemaker Disk Defragmenter Service (smdefrag) - Unknown owner - C:\Program Files\SECUREMAKER\smdefrag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 6806 bytes


Uninstall the following program: J2SE Runtime Environment 5.0 Update 6

== Install Latest Java ==

Please go to THIS page, and click on the Download link that is in the Java Runtime Environment (JRE) 6 section.

Click the radio button next to Accept License Agreement after reviewing it. The page will refresh - this is normal.

Download the Windows Offline Installation, Multi-language. You will want to save this to a location you will remember.

Once it has finished downloading, double click it, and follow the prompts to install.

If it asks to reboot, select Yes.

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

C:\Documents and Settings\Will Barry\services.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

-Ryan


Here is the combofix.txt file:

ComboFix 08-04-08.10 - Will Barry 2008-04-09 17:51:35.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.582 [GMT 1:00]
Running from: C:\Documents and Settings\Will Barry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Will Barry\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Will Barry\services.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Will Barry\services.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 17:48 . 2008-04-09 17:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-09 17:48 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-09 02:46 . 2008-04-09 02:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-09 02:46 . 2008-04-09 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-09 00:03 . 2008-04-09 00:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 23:57 . 2008-04-09 00:15 <DIR> d-------- C:\SDFix
2008-04-08 22:27 . 2008-04-08 22:27 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-08 22:06 . 2008-04-08 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\Documents and Settings\Will Barry\Application Data\Malwarebytes
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-30 17:44 . 2008-03-30 17:44 <DIR> d-------- C:\Program Files\Real
2008-03-30 17:44 . 2008-03-30 17:44 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-30 17:44 . 2008-03-30 17:44 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 16:48 --------- d-----w C:\Program Files\Java
2008-04-07 22:46 --------- d-----w C:\Documents and Settings\Will Barry\Application Data\OpenOffice.org2
2008-03-28 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-23 01:49 --------- d-----w C:\Program Files\SECUREMAKER
2008-03-03 17:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-02 20:34 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-03-02 19:36 --------- d-----w C:\Documents and Settings\Will Barry\Application Data\gtk-2.0
2008-02-25 19:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-25 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 19:11 691,545 ----a-w C:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_16.26.02.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-10 11:27:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 00:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 11:27:16 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 00:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 13:03:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 01:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-16 20:45 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-16 20:45 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-16 20:45 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 20:48 16132608 C:\WINDOWS\RTHDCPL.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-11 15:31 1840128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\Will Barry\Start Menu\Programs\Startup\
RealPlayer.exe [2008-03-30 18:34:46 0]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SECUREMAKER.lnk - C:\Program Files\SECUREMAKER\SecureMaker.exe [2008-03-05 17:57:22 3248128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"dscactivate"=c:\dell\dsca.exe 3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\My Downloads\\bgb_1.2\\bgb.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 sm;SECUREMAKER driver;C:\WINDOWS\system32\drivers\sm.sys [2007-07-05 16:10]
R2 smdefrag;Securemaker Disk Defragmenter Service;C:\Program Files\SECUREMAKER\smdefrag.exe [2008-03-05 16:46]
S3 GoogleDesktopManager-091907-194040;Google Desktop Manager 5.1.709.19590;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-11 15:31]
S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 01:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-01 00:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 17:52:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-04-09 17:53:19
ComboFix-quarantined-files.txt 2008-04-09 16:53:09
ComboFix2.txt 2008-04-09 15:50:02
ComboFix3.txt 2008-04-09 15:32:43
ComboFix4.txt 2008-04-09 15:28:37
ComboFix5.txt 2008-04-09 15:26:20
Pre-Run: 179,354,836,992 bytes free
Post-Run: 179,343,519,744 bytes free
.
2008-04-01 23:17:51 --- E O F ---

Here is the new HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:55:04, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\SECUREMAKER\smdefrag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crashie.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RealPlayer.exe
O4 - Global Startup: SECUREMAKER.lnk = C:\Program Files\SECUREMAKER\SecureMaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194729982453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194738060906
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.1.709.19590 (GoogleDesktopManager-091907-194040) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Securemaker Disk Defragmenter Service (smdefrag) - Unknown owner - C:\Program Files\SECUREMAKER\smdefrag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 6885 bytes

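Reading a HijackThis log by eye is how this thread was handled; the same triage can be scripted. What follows is an added example (not code from the thread, from HijackThis or from ComboFix) that parses HijackThis 2.0 output and flags the three things that mattered here: O23 services reported "(file missing)", a core Windows binary name (services.exe, lsass.exe, ...) living anywhere other than %SystemRoot% or %SystemRoot%\system32 (the Lsass.exe and services.exe in the user's profile that Spybot and Securemaker kept reporting), and executables sitting directly at a drive root or profile root. The sample log is constructed from lines of the log above plus two constructed lines standing in for the profile-directory services.exe process and the "LSA Shellu" startup entry the original poster described; the system root is assumed to be C:\WINDOWS as on this machine. One caveat the thread itself illustrates: "(file missing)" is a pointer to check, not proof of malware. The McAfee entries are leftovers of a product whose files are no longer present, and the MySQL service that HijackThis shows as C:\Program.exe has a full, quoted ImagePath in the ComboFix output and is visibly running from C:\Program Files\MySQL.

```python
"""Triage a HijackThis 2.0 log for the patterns that mattered in this thread.

Added example; not code from the thread, from HijackThis or from ComboFix.
Checks performed on the 'Running processes' list and on O4/O23 entries:
  masquerade   - a core Windows binary name outside %SystemRoot%\\system32
                 (or %SystemRoot% itself, where explorer.exe lives)
  profile root - an executable directly in C:\\Documents and Settings\\<user>\\
  drive root   - an executable directly in X:\\
  file missing - an O23 service whose binary HijackThis could not find
Assumption: the system root is C:\\WINDOWS, as on the machine in the thread.
"""
import re

SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}   # assumption: XP default
PATH_RE = re.compile(r'"?([a-z]:\\[^"\r\n]*?\.exe)\b', re.IGNORECASE)
ENTRY_RE = re.compile(r"^O(4|23) - ")

# Constructed sample: real lines from the thread's log plus two constructed
# lines (the profile-directory services.exe process and the LSA Shellu O4
# entry) standing in for what Spybot and Securemaker reported.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Will Barry\services.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [LSA Shellu] C:\Documents and Settings\Will Barry\Lsass.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - Global Startup: SECUREMAKER.lnk = C:\Program Files\SECUREMAKER\SecureMaker.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Securemaker Disk Defragmenter Service (smdefrag) - Unknown owner - C:\Program Files\SECUREMAKER\smdefrag.exe
"""


def _location_class(path_lower):
    """'drive root' for X:\\file.exe, 'profile root' for a file directly in a
    Documents and Settings profile folder, else None."""
    parts = path_lower.split("\\")
    if len(parts) == 2:
        return "drive root"
    if len(parts) == 4 and parts[1] == "documents and settings":
        return "profile root"
    return None


def _check_path(path, source, findings):
    low = path.lower()
    directory, _, name = low.rpartition("\\")
    if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        findings.append({"check": "masquerade", "path": path, "source": source})
    where = _location_class(low)
    if where:
        findings.append({"check": where, "path": path, "source": source})


def triage(log_text):
    """Return a list of findings, each {'check', 'path', 'source'}."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False      # blank line ends the process list
            else:
                _check_path(line, line, findings)
            continue
        if not ENTRY_RE.match(line):
            continue
        m = PATH_RE.search(line)
        path = m.group(1) if m else ""
        if line.startswith("O23") and line.endswith("(file missing)"):
            findings.append({"check": "file missing", "path": path, "source": line})
        if path:
            _check_path(path, line, findings)
    return findings


def counts(findings):
    """Tally findings per check, for a quick summary."""
    tally = {}
    for f in findings:
        tally[f["check"]] = tally.get(f["check"], 0) + 1
    return tally


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result:
        print("%-13s %s" % (f["check"], f["source"]))
    print(counts(result))
```

Run against the constructed sample it reports seven findings: both profile-directory copies of system binary names as "masquerade" and "profile root", the two "(file missing)" services, and C:\Program.exe as "drive root". Entries such as RTHDCPL.EXE, which HijackThis lists without a path, produce nothing and have to be resolved by hand.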

Update MalwareBytes Anti-Malware, then run a full scan.

  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

-Ryan


Issues 1, 2 and 3 seem to be sorted now, with nothing malicious found.

Malwarebytes' Anti-Malware 1.11
Database version: 604

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|M:\|)
Objects scanned: 292854
Time elapsed: 1 hour(s), 20 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Issue 4 has not occurred again - it is probably something completely separate.

There is a further issue with firefox repeatedly crashing. I will post again if this keeps happening.

I thank you for all your help; I really appreciate it.

Should I add [resolved] to the title of this thread and do you want a HiJack This log?


Well in that case, I believe your log is clean :thumbsup:

For information on how to protect yourself in the future, read Infection Prevention

Do you have any other questions or concerns? This thread will be left open for a few more days, so feel free to ask.

No, you don't have to add [resolved] to the title, that will be done when I close the thread.

-Ryan


The malware has come back yet again.

I don't think this is coming from the internet.

I think this is coming from my iPod since it happened when I was trying to copy some files to it again. This makes sense since I recently connected the iPod to a friend's computer. I'm guessing I got infected from there.

EDIT:

According to a Sophos report, the infection LSA Shellu, which is attempting to get into the startup list, is transmitted through removable storage devices.

I have run MBAM through the iPod and it finds no problems.

EDIT 2:

Ran MBAM through computer and found the same four files found originally.

Now I am using the iPod with the computer fine. The additional (partitioned) disk drive is not connected and neither are the two SD memory cards I use. I will get around to using them, checking if the virus appears again. I will only use one at a time in order to isolate the causes.

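The poster's plan of connecting one removable device at a time is the right isolation step; the thread only says the infection travels on removable storage, not how. The example below is added here and is not code from the thread, from Sophos or from any tool named in it. It assumes the usual mechanism for that era, an autorun.inf at the volume root that launches an executable dropped at the root or inside a hidden system folder such as RECYCLER, and sweeps a volume root for exactly that: it parses the launch directives out of autorun.inf, lists executables at the root and in the hiding folders, and reports which autorun targets actually exist. The "infected" volume is constructed in a temporary directory (labelled as such in the code) so the script runs offline; point sweep() at a real drive letter to use it on an iPod or SD card.

```python
"""Sweep the root of a removable volume for what a removable-media-borne
infection typically leaves behind.

Added example for this thread; not code from the thread, from Sophos or
from any of the tools named in it. Assumption (the thread only says the
infection spreads via removable storage, not how): an autorun.inf at the
volume root pointing at an executable dropped at the root or in a hidden
folder such as RECYCLER. The sample volume is constructed in a temp dir.
"""
import configparser
import os
import shutil
import tempfile

EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")
# Folders present on real Windows volumes that droppers like to hide in.
HIDING_DIRS = {"recycler", "recycled", "system volume information"}


def parse_autorun(inf_path):
    """Return {'[section] key': value} for every directive that launches
    something on insertion: open, shellexecute, shell\\<verb>\\command."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)   # worms pad with junk lines
    cp.optionxform = str                                  # keep key case for the report
    try:
        cp.read(inf_path, encoding="latin-1")
    except configparser.Error as exc:
        return {"_unparseable": str(exc)}
    targets = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            k = key.lower()
            if k in ("open", "shellexecute") or \
               (k.startswith("shell\\") and k.endswith("\\command")):
                targets["[%s] %s" % (section, key)] = value or ""
    return targets


def sweep(root):
    """Report autorun directives, executables at the root, executables in
    hiding folders, and which autorun targets really exist on the volume."""
    report = {"autorun_targets": {}, "root_executables": [],
              "hiding_dir_executables": [], "autorun_targets_present": []}
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        report["autorun_targets"] = parse_autorun(inf)
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if os.path.isfile(full) and name.lower().endswith(EXEC_SUFFIXES):
            report["root_executables"].append(name)
        elif os.path.isdir(full) and name.lower() in HIDING_DIRS:
            for dirpath, _, files in os.walk(full):
                for f in sorted(files):
                    if f.lower().endswith(EXEC_SUFFIXES):
                        rel = os.path.relpath(os.path.join(dirpath, f), root)
                        report["hiding_dir_executables"].append(rel.replace(os.sep, "/"))
    seen = set()
    for target in report["autorun_targets"].values():
        # Directives are relative to the volume root and use backslashes.
        candidate = os.path.join(root, target.replace("\\", os.sep))
        if os.path.isfile(candidate):
            rel = os.path.relpath(candidate, root).replace(os.sep, "/")
            if rel not in seen:
                seen.add(rel)
                report["autorun_targets_present"].append(rel)
    return report


def build_sample_volume():
    """Constructed sample: an 'infected' removable volume in a temp dir.
    The executables are placeholder bytes, not real programs."""
    root = tempfile.mkdtemp(prefix="removable_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="latin-1") as f:
        f.write("[AutoRun]\n"
                "open=RECYCLER\\services.exe\n"
                "shell\\open\\Command=RECYCLER\\services.exe\n"
                "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
    os.mkdir(os.path.join(root, "RECYCLER"))
    for rel in ("RECYCLER/services.exe", "lsass.exe"):
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)          # placeholder, not a real PE
    with open(os.path.join(root, "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")                   # innocent file, must not be flagged
    return root


def demo():
    """Build the constructed volume, sweep it, and clean up."""
    root = build_sample_volume()
    try:
        return sweep(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

On the constructed volume the report shows two launch directives both pointing at RECYCLER\services.exe, lsass.exe sitting at the root, and the RECYCLER copy confirmed present; holiday.jpg is ignored. Anything this flags on a real device should be quarantined rather than opened, and the device scanned from a machine that is known clean.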

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
