ddeeff Posted April 8, 2008

I have multiple issues, but they all probably stem from the same thing.

I run Ad-Aware and Spybot to check for viruses. I run Spybot and Securemaker in the background to check in real time for viruses. Additionally, there is a firewall on the router I use.

Issue 1:
Both Securemaker and Spybot are flagging up attempts from "LSA Shellu" to program the startup path. Spybot gave me the "path" as
C:\Documents and Settings\Will Barry\Lsass.exe
(Will Barry is me, btw.)
I keep rejecting these, but whatever is doing it is being persistent. I went into the folder and found a suspicious exe file called "services.exe", which I promptly deleted. Still the 2 programs keep flagging up these attempts to add the startup value.

Issue 2:
Securemaker has flagged up an attempt by a program to download a file from http://members.chellu.hu/. I could give the exact address if I need to, but I would have to restart my computer. The file has .png on the end of it, not .exe.

Issue 3:
I have a warning box:
Title: 16 bit MS-DOS subsystem
C:\DOCUME~1\WILLBA~1\serices.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0710 IP:011f OP:63 65 64 20 62 Choose 'close' to terminate the application
There are two options: "Close" and "Ignore".

Issue 4:
I have had the blue screen of death 3 times recently.

Should I download and run HijackThis (is that the name?) and put the list here?
rmurphy Posted April 8, 2008

Welcome to Besttechie! I'm Ryan, and I'll be helping you clean your computer.

Let's do this before getting a HijackThis log, since it's what I'd probably have you do after I looked at the log.

Please download Malwarebytes' Anti-Malware from Here or Here.
Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply, and include a HijackThis log.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

-Ryan
ddeeff (Author) Posted April 8, 2008 (edited)

Excellent. It appears to have found what Spybot and Ad-Aware could not. Is this program better, or should I use it in conjunction with the others?

Malwarebytes' Anti-Malware 1.11
Database version: 602

Scan type: Quick Scan
Objects scanned: 40442
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\Will Barry\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LSA Shellu (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Will Barry\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will Barry\services.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:06:38, on 08/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\SECUREMAKER\smdefrag.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SECUREMAKER\SecureMaker.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crashie.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RealPlayer.exe
O4 - Global Startup: SECUREMAKER.lnk = C:\Program Files\SECUREMAKER\SecureMaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194729982453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194738060906
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.1.709.19590 (GoogleDesktopManager-091907-194040) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Securemaker Disk Defragmenter Service (smdefrag) - Unknown owner - C:\Program Files\SECUREMAKER\smdefrag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 7643 bytes

Thank you!

Edited April 8, 2008 by ddeeff
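The MBAM result in the post above shows the classic pattern of a dropper that borrows a core Windows process name: lsass.exe and services.exe sitting in the user profile, plus an HKLM Run value ("LSA Shellu") that relaunches one of them at logon. The genuine lsass.exe and services.exe live only in C:\WINDOWS\system32, so the directory is the tell, not the file name. What follows is an added example, not code from this thread, from HijackThis, MBAM or SDFix: a small Python triage script that walks a HijackThis-style log and flags running processes and Run-key autoruns whose file name is a core process name but whose directory is not the system directory, and O23 services whose binary is reported missing. The sample log is constructed; its "LSA Shellu" Run line is modelled on MBAM's finding and its target path is an assumption (HijackThis never recorded the value, because MBAM had already removed it). The list of core process names and the system directory paths are also assumptions, not read from the machine.

```python
"""Triage helper for HijackThis-style logs (added example, not tool code).

Flags (1) running processes and (2) Run-key autoruns whose file name is a
core Windows process name but whose directory is not the system directory,
and (3) O23 services whose binary is missing.
"""
import re
from pathlib import PureWindowsPath

# Core processes that legitimately run only from the system directory.
# Assumption for this example; adjust for the Windows version being triaged.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
# Assumed system root; a real tool would take %SystemRoot% from the log header.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\WINDOWS\system32"),
    PureWindowsPath(r"C:\WINDOWS\SysWOW64"),
)

# First .exe token of a command line, quoted or not (arguments may follow).
EXE_RE = re.compile(r'"([^"]+\.exe)"|(\S.*?\.exe)(?=\s|$)', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (.+?): \[([^\]]*)\] (.*)$")   # location, value, command
O23_RE = re.compile(r"^O23 - Service: (.+?) - ")         # service display name
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")                   # any R0/R1/O2/O4/O23 line

# Constructed sample in HijackThis log layout. The "LSA Shellu" Run value is
# modelled on the one MBAM reported in this thread; its target path is assumed.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Will Barry\lsass.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Will Barry\lsass.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
"""


def extract_exe_path(command: str):
    """Return the executable path from a Run-key command line, or None."""
    m = EXE_RE.search(command)
    if not m:
        return None
    return PureWindowsPath(m.group(1) or m.group(2))


def classify_path(path):
    """Reason string if `path` borrows a core process name outside the system
    directory, else None. PureWindowsPath compares case-insensitively."""
    if path is None or path.name.lower() not in SYSTEM_PROCESS_NAMES:
        return None
    if any(path.parent == d for d in SYSTEM_DIRS):
        return None
    return f"{path.name} runs from {path.parent} instead of the system directory"


def triage(log: str):
    """Walk a HijackThis-style log and return (finding_kind, detail) tuples."""
    findings = []
    in_process_list = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_process_list = True
            continue
        if in_process_list and not ENTRY_RE.match(line):
            reason = classify_path(PureWindowsPath(line))
            if reason:
                findings.append(("masquerade-process", reason))
            continue
        in_process_list = False          # first R/O entry ends the process list
        m = O4_RE.match(line)
        if m:
            location, value_name, command = m.groups()
            reason = classify_path(extract_exe_path(command))
            if reason:
                findings.append(("masquerade-autorun", f"{location} [{value_name}]: {reason}"))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in line:
            findings.append(("orphan-service", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

On the constructed sample this reports the profile-resident lsass.exe once as a running process and once as the "LSA Shellu" autorun, and the MySQL service with a missing binary. An orphaned service entry is not itself malicious (here it is a leftover from a broken MySQL install), but it is worth listing because a missing-binary service is also a spot malware can later reuse.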
ddeeff (Author) Posted April 8, 2008

Damn, the malware is back! After a restart it has come back.

I'll uninstall some recently installed software, and then if that fails I will create some blank exe files to fool whatever is doing it into stopping.
rmurphy Posted April 8, 2008

Download SDFix and save it to your Desktop.
Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, the Advanced Options Menu should appear.
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double-click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot. Press any key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons. Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the clipboard, ready for posting back on the forum). Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

-Ryan
ddeeff (Author) Posted April 8, 2008

OK. Here is Report.txt:

SDFix: Version 1.167
Run by Administrator on 09/04/2008 at 00:06
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files:
No Trojan Files Found

Removing Temp Files

ADS Check:

Final Check:

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 00:12:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 275

Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"="C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
"C:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"="C:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\My Downloads\\bgb_1.2\\bgb.exe"="C:\\My Downloads\\bgb_1.2\\bgb.exe:*:Enabled:bgb"
"J:\\Program Files\\mIRC\\mirc.exe"="J:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files:

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 13 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 28 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT1D.tmp"
Thu 28 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT1E.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\Will Barry\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\Will Barry\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\Will Barry\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\Will Barry\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

After this came up, Spybot prompted me to accept the deletion of "LSA Shellu" from the startup list. I of course accepted.

Then I ran HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:22:29, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\SECUREMAKER\smdefrag.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SECUREMAKER\SecureMaker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crashie.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RealPlayer.exe
O4 - Global Startup: SECUREMAKER.lnk = C:\Program Files\SECUREMAKER\SecureMaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194729982453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194738060906
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.1.709.19590 (GoogleDesktopManager-091907-194040) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Securemaker Disk Defragmenter Service (smdefrag) - Unknown owner - C:\Program Files\SECUREMAKER\smdefrag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 7329 bytes

Thanks again. Should I restart now to check that it has worked?
rmurphy Posted April 9, 2008

Yes, restart, then do the following:

== Clear Temporary Files ==
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Close all Internet Explorer, Firefox, and Opera windows before continuing.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

== Clear System Restore ==
Let's make a new restore point and clear the others:
Go to Start > Programmes > Accessories > System Tools > System Restore > Create a New Restore Point.
Go to Start > Programmes > Accessories > System Tools > Disc Cleanup > "More Options" tab > Remove All But Most Recent Point.
Please do this for each hard drive that you have connected to the computer.

== Kaspersky Web Scanner ==
Please do an online scan with Kaspersky WebScanner.
You will need to use Internet Explorer to do this.
Click on Accept.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
Scan Options: Scan Archives, Scan Mail Bases
Click OK.
Now under "Select a target to scan", select My Computer.
The program will start and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete it will display whether your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.

== Request Logs ==
Please post the log from the Kaspersky scan, along with an uninstall list.
To obtain an uninstall list:
Open HijackThis, click Config, click Misc Tools.
Click "Open Uninstall Manager".
Click "Save List" (generates uninstall_list.txt).

-Ryan
ddeeff (Author) Posted April 9, 2008

Here is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 09, 2008 10:08:42 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/04/2008
Kaspersky Anti-Virus database records: 691309
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ M:\

Scan Statistics:
Total number of scanned objects: 249857
Number of viruses found: 11
Number of infected objects: 22
Number of suspicious objects: 8
Duration of the scan process: 01:50:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.42160 Infected: Trojan.Win32.VB.cng skipped
C:\Documents and Settings\Will Barry\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.53486 Infected: Trojan.Win32.VB.cng skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\cert8.db Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\history.dat Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\key3.db Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\parent.lock Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\tidy\spvalid.err Object is locked skipped
C:\Documents and Settings\Will Barry\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Will Barry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbdam Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbdao Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbeam Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbeao Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbm Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\fii.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\hp Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Google\Google Desktop\8f80fc0d2949\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Application Data\Mozilla\Firefox\Profiles\i28eqtow.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Temp\~DFC3AA.tmp Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Temp\~DFED6D.tmp Object is locked skipped
C:\Documents and Settings\Will Barry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Will Barry\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Will Barry\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ibdata1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile0 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\WillsComputer.err Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP139\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is
locked skippedC:\WINDOWS\system32\config\DEFAULT Object is locked skippedC:\WINDOWS\system32\config\default.LOG Object is locked skippedC:\WINDOWS\system32\config\SAM Object is locked skippedC:\WINDOWS\system32\config\SAM.LOG Object is locked skippedC:\WINDOWS\system32\config\SecEvent.Evt Object is locked skippedC:\WINDOWS\system32\config\SECURITY Object is locked skippedC:\WINDOWS\system32\config\SECURITY.LOG Object is locked skippedC:\WINDOWS\system32\config\SOFTWARE Object is locked skippedC:\WINDOWS\system32\config\software.LOG Object is locked skippedC:\WINDOWS\system32\config\SysEvent.Evt Object is locked skippedC:\WINDOWS\system32\config\SYSTEM Object is locked skippedC:\WINDOWS\system32\config\system.LOG Object is locked skippedC:\WINDOWS\system32\h323log.txt Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skippedC:\WINDOWS\WindowsUpdate.log Object is locked skippedD:\Documents and Settings\John System\Local Settings\Temp\__unin__.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/02 Dec 2004 08:51 from Barclays IBank:Barclays IBank info [Thu, .rtf Suspicious: Trojan-Spy.HTML.Fraud.gen skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/25 Nov 2004 16:14 from Halifax:Halifax Internet banking Informs .rtf Infected: Trojan-Spy.HTML.Bankfraud.hs 
skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/23 Nov 2004 09:28 from Lloyds TSB:! Lloyds TSB updates [Tue, 23 .rtf Suspicious: Trojan-Spy.HTML.Fraud.gen skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/19 Nov 2004 11:07 from [email protected]:FwD: Oh God it's/oh_nono.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/19 Nov 2004 11:07 from [email protected]:FwD: Oh God it's/oh_nono.zip Infected: Email-Worm.Win32.Sober.i skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/17 Nov 2004 08:23 from Natwest:Attention all Natwest Bank users!.rtf Suspicious: Trojan-Spy.HTML.Fraud.gen skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/15 Nov 2004 07:42 from Barclays IBank:!0fficiaI Notice for aII B.rtf Suspicious: Trojan-Spy.HTML.Fraud.gen skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/12 Nov 2004 09:44 from Washington Mutual:Official Information To.rtf Infected: Trojan-Spy.HTML.Bankfraud.w skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/09 Nov 2004 21:43 from Eniwetok J. 
Debriefed:Protect yourself fr.rtf Suspicious: Trojan-Spy.HTML.Fraud.gen skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/08 Nov 2004 08:14 from Halifax:Halifax Internet banking: URGENT .rtf Infected: Trojan-Spy.HTML.Bankfraud.hs skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/20 Aug 2004 10:04 from Postmaster:Undeliverable Mail.eml/[From [email protected]][Date Fri, 20 Aug 2004 11:40:15 +0200]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/20 Aug 2004 10:04 from Postmaster:Undeliverable Mail.eml/[From [email protected]][Date Fri, 20 Aug 2004 11:40:15 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst/Archive Folders/Deleted Items/20 Aug 2004 10:04 from Postmaster:Undeliverable Mail.eml Suspicious: Exploit.HTML.Iframe.FileDownload skippedD:\Documents and Settings\John System\Local Settings\Application Data\Microsoft\Outlook\archive1.pst Mail MS Mail: infected - 5, suspicious - 8 skippedD:\Documents and Settings\William Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-11e31cda.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skippedD:\Documents and Settings\William Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-11e31cda.zip ZIP: infected - 1 skippedD:\Program Files\Kazaa\PerfectNavUninstall.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.e skippedD:\Program Files\Kazaa\PerfectNavUninstall.exe NSIS: infected - 1 skippedD:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 
skippedD:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skippedD:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skippedD:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skippedD:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skippedD:\Start.exe Infected: Trojan.Win32.VB.cng skippedH:\Start.exe Infected: Trojan.Win32.VB.cng skippedI:\Start.exe Infected: Trojan.Win32.VB.cng skippedJ:\Start.exe Infected: Trojan.Win32.VB.cng skippedScan process completed.Uninstall list from HiJack This:7-Zip 4.42Ad-Aware 2007Adobe Flash Player 9 ActiveXAdobe Flash Player PluginAdobe Reader 8.1.2Adobe Shockwave PlayerBBC iPlayer Download ManagerBelkin 54g USB Network AdapterBrowser Address Error RedirectorburnatonceDell Driver Reset ToolDell Support CenterDellSupportDivX Web PlayerGameSpy ArcadeGIMP 2.4.2Google DesktopGoogle EarthHigh Definition Audio Driver Package - KB835221HijackThis 2.0.2Hotfix for Windows Media Format 11 SDK (KB929399)Hotfix for Windows Media Format SDK (KB902344)Hotfix for Windows Media Player 11 (KB939683)Hotfix for Windows XP (KB896344)Hotfix for Windows XP (KB926239)HTML-KitInkscape 0.45.1Intel(R) Graphics Media Accelerator DriverIntel(R) PRO Network Connections DriversiTunesJ2SE Runtime Environment 5.0 Update 6Java(TM) 6 Update 3Kaspersky Online ScannerMalwarebytes' Anti-MalwareMcAfee SecurityCenterMicrosoft .NET Framework 1.1Microsoft .NET Framework 1.1Microsoft .NET Framework 1.1 Hotfix (KB928366)Microsoft .NET Framework 2.0Microsoft .NET Framework 3.0Microsoft .NET Framework 3.0Microsoft Base Smart Card Cryptographic Service Provider PackageMicrosoft Compression Client Pack 1.0 for Windows XPMicrosoft HaloMicrosoft User-Mode Driver Framework Feature Pack 1.0Microsoft WorksmIRCMozilla Firefox (2.0.0.13)MSXML 4.0 SP2 (KB936181)MSXML 4.0 SP2 Parser and SDKMSXML 6.0 Parser (KB933579)MySQL Server 
5.0OpenOffice.org 2.3OpenOffice.org 2.3 Language Pack (English (United Kingdom))PowerDVDPython 2.5 pysqlite-2.4.1Python 2.5.1QuickTimeRealPlayerRealtek High Definition Audio DriverRoxio Creator AudioRoxio Creator BDAV PluginRoxio Creator CopyRoxio Creator DataRoxio Creator DERoxio Creator ToolsRoxio Drag-to-DiscRoxio Express LabelerRoxio MyDVD DERoxio Update ManagerSamsung SCX-4100 SeriesSearchAssistSECUREMAKER (remove only)Security Update for Microsoft .NET Framework 2.0 (KB928365)Security Update for Step By Step Interactive Training (KB923723)Security Update for Windows Media Player 11 (KB936782)Security Update for Windows Media Player 9 (KB936782)Security Update for Windows XP (KB893756)Security Update for Windows XP (KB896428)Security Update for Windows XP (KB899587)Security Update for Windows XP (KB900725)Security Update for Windows XP (KB901017)Security Update for Windows XP (KB902400)Security Update for Windows XP (KB905414)Security Update for Windows XP (KB905749)Security Update for Windows XP (KB911927)Security Update for Windows XP (KB913580)Security Update for Windows XP (KB914389)Security Update for Windows XP (KB917953)Security Update for Windows XP (KB921503)Security Update for Windows XP (KB922819)Security Update for Windows XP (KB927779)Security Update for Windows XP (KB931784)Security Update for Windows XP (KB933729)Security Update for Windows XP (KB936021)Security Update for Windows XP (KB937143)Security Update for Windows XP (KB937894)Security Update for Windows XP (KB938127)Security Update for Windows XP (KB938829)Security Update for Windows XP (KB939653)Security Update for Windows XP (KB941202)Security Update for Windows XP (KB941568)Security Update for Windows XP (KB941569)Security Update for Windows XP (KB941644)Security Update for Windows XP (KB942615)Security Update for Windows XP (KB943055)Security Update for Windows XP (KB943460)Security Update for Windows XP (KB943485)Security Update for Windows XP (KB944533)Security Update for Windows 
XP (KB944653)Security Update for Windows XP (KB946026)Sonic Activation ModuleSpybot - Search & DestroySpybot - Search & Destroy 1.5.2.20Top Gear Screen SaverUpdate for Windows XP (KB894391)Update for Windows XP (KB898461)Update for Windows XP (KB900485)Update for Windows XP (KB904942)Update for Windows XP (KB910437)Update for Windows XP (KB911280)Update for Windows XP (KB916595)Update for Windows XP (KB920342)Update for Windows XP (KB920872)Update for Windows XP (KB922582)Update for Windows XP (KB925720)Update for Windows XP (KB925876)Update for Windows XP (KB927891)Update for Windows XP (KB930916)Update for Windows XP (KB933360)Update for Windows XP (KB936357)Update for Windows XP (KB938828)Update for Windows XP (KB942763)Update for Windows XP (KB942840)Update for Windows XP (KB946627)VDMSoundVideoLAN VLC media player 0.8.6dWampServer 2.0Windows Communication FoundationWindows Imaging ComponentWindows Live MessengerWindows Live Sign-in AssistantWindows Media Format 11 runtimeWindows Media Format 11 runtimeWindows Media Player 11Windows Media Player 11Windows Presentation FoundationWindows Workflow FoundationWindows XP Hotfix - KB885836Windows XP Hotfix - KB886185Windows XP Hotfix - KB888302Windows XP Hotfix - KB890859Xvid 1.1.3 final uninstallSorry for the late reply, I live in the UK and it was getting too late. Link to post Share on other sites
ddeeff (Author) Posted April 9, 2008

Damn. After posting that, the problem has come back. Again I have seen issues 1, 2 and 3 from the original post.

I will re-follow the steps once I can be advised on how to stop the problem happening again. Should I add spoof .exe files to where the virus keeps infecting?

When it came back, I was opening up my iPod to copy some files over to it. Could the infection somehow have got onto the iPod? (The iPod is using its native software and is in disk mode.)
rmurphy Posted April 9, 2008

== Remove Programs ==

Please go to Add/Remove Programs in the Control Panel, and remove the following programs:

Java 6 Update 3
SearchAssist

Reboot your computer.

== Combofix ==

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

    File::
    D:\Start.exe
    H:\Start.exe
    I:\Start.exe
    J:\Start.exe

3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

-Ryan
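As an added defender-side check that is not part of the thread, ComboFix or HijackThis, this PowerShell script re-tests after cleanup the three indicators the logs in this thread name: Start.exe in the root of any mounted drive (a removable device in disk mode shows up as one of those roots), services.exe or lsass.exe sitting directly in a user profile folder instead of system32, and Run-key values that point outside the Windows and Program Files directories. It assumes Windows PowerShell 5.1 or later (for Get-FileHash) and an elevated prompt so every profile and drive root is readable.

```powershell
# Post-cleanup check for the indicators named in this thread.
# Added example; not ComboFix, HijackThis or the helper's code.
# Assumes Windows PowerShell 5.1+ and an elevated prompt.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Path) {
    # Record a hit together with its SHA-256 so it can be compared with
    # the scanner's quarantine later; a missing file gets an empty hash.
    $hash = ''
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; SHA256 = $hash })
}

# 1. Start.exe in the root of every file-system drive. The Kaspersky scan
#    above flagged D:\, H:\, I:\ and J:\Start.exe, i.e. the same file on
#    fixed and removable drives alike, so every mounted root is checked.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $candidate = Join-Path $drive.Root 'Start.exe'
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        Add-Finding 'Start.exe in drive root' $candidate
    }
}

# 2. System-process names in a user profile folder. The genuine
#    services.exe and lsass.exe live only in %SystemRoot%\system32; the
#    copies in this thread sat directly under the user's profile.
$profilesRoot = Split-Path -Parent $env:USERPROFILE
$profiles = Get-ChildItem -LiteralPath $profilesRoot -Directory -ErrorAction SilentlyContinue
foreach ($profile in $profiles) {
    foreach ($name in 'services.exe', 'lsass.exe') {
        $candidate = Join-Path $profile.FullName $name
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            Add-Finding 'system-process name outside system32' $candidate
        }
    }
}

# 3. Run-key values whose executable is outside the Windows and Program
#    Files trees. Spybot's "startup path" alerts were writes of this kind.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$trusted = @(@($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' })

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $cmd = [string]$p.Value
        # Executable = quoted first token, else text up to the first ".exe".
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
               elseif ($cmd -match '^(.+?\.exe)(\s|$)') { $Matches[1] }
               else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $inTrusted = $false
        foreach ($t in $trusted) {
            if ($exe.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        # Bare names (resolved through PATH) are reported too, for manual review.
        if (-not $inTrusted) {
            Add-Finding "Run value '$($p.Name)' outside trusted dirs ($key)" $exe
        }
    }
}

if ($findings.Count -eq 0) { 'No thread indicators present.' }
else { $findings | Format-Table -AutoSize }
```

Any reported path should be compared against the scanner's quarantine or submitted for a second opinion before it is deleted, since a Run value pointing at a vendor tool outside Program Files is a legitimate false positive.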
ddeeff (Author) Posted April 9, 2008

I'm afraid combofix.txt was deleted when it was dragged and dropped. I ran it again, so here is the outputted log.txt:

And here is the HiJack This file:
rmurphy Posted April 9, 2008

Uninstall the following program: J2SE Runtime Environment 5.0 Update 6

== Install Latest Java ==

Please go to THIS page, and click on the Download link that is in the Java Runtime Environment (JRE) 6 section.
Click the radio button next to Accept License Agreement after reviewing it. The page will refresh - this is normal.
Download the Windows Offline Installation, Multi-language. You will want to save this to a location you will remember.
Once it has finished downloading, double click it, and follow the prompts to install.
If it asks to reboot, select Yes.

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

    File::
    C:\Documents and Settings\Will Barry\services.exe

3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

-Ryan
ddeeff Posted April 9, 2008 (Author)
Here is the combofix.txt file:

ComboFix 08-04-08.10 - Will Barry 2008-04-09 17:51:35.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.582 [GMT 1:00]
Running from: C:\Documents and Settings\Will Barry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Will Barry\Desktop\CFScript.txt
 * Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Will Barry\services.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Will Barry\services.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.
2008-04-09 17:48 . 2008-04-09 17:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-09 17:48 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-09 02:46 . 2008-04-09 02:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-09 02:46 . 2008-04-09 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-09 00:03 . 2008-04-09 00:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 23:57 . 2008-04-09 00:15 <DIR> d-------- C:\SDFix
2008-04-08 22:27 . 2008-04-08 22:27 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-08 22:06 . 2008-04-08 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\Documents and Settings\Will Barry\Application Data\Malwarebytes
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-30 17:44 . 2008-03-30 17:44 <DIR> d-------- C:\Program Files\Real
2008-03-30 17:44 . 2008-03-30 17:44 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-30 17:44 . 2008-03-30 17:44 <DIR> d-------- C:\Program Files\Common Files\Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 16:48 --------- d-----w C:\Program Files\Java
2008-04-07 22:46 --------- d-----w C:\Documents and Settings\Will Barry\Application Data\OpenOffice.org2
2008-03-28 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-23 01:49 --------- d-----w C:\Program Files\SECUREMAKER
2008-03-03 17:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-02 20:34 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-03-02 19:36 --------- d-----w C:\Documents and Settings\Will Barry\Application Data\gtk-2.0
2008-02-25 19:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-25 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 19:11 691,545 ----a-w C:\WINDOWS\unins000.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-09_16.26.02.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-10 11:27:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 00:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 11:27:16 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 00:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 13:03:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 01:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-16 20:45 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-16 20:45 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-16 20:45 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 20:48 16132608 C:\WINDOWS\RTHDCPL.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-11 15:31 1840128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\Will Barry\Start Menu\Programs\Startup\
RealPlayer.exe [2008-03-30 18:34:46 0]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SECUREMAKER.lnk - C:\Program Files\SECUREMAKER\SecureMaker.exe [2008-03-05 17:57:22 3248128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"dscactivate"=c:\dell\dsca.exe 3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\My Downloads\\bgb_1.2\\bgb.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 sm;SECUREMAKER driver;C:\WINDOWS\system32\drivers\sm.sys [2007-07-05 16:10]
R2 smdefrag;Securemaker Disk Defragmenter Service;C:\Program Files\SECUREMAKER\smdefrag.exe [2008-03-05 16:46]
S3 GoogleDesktopManager-091907-194040;Google Desktop Manager 5.1.709.19590;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-11 15:31]
S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []
.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 01:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-04-01 00:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 17:52:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-04-09 17:53:19
ComboFix-quarantined-files.txt 2008-04-09 16:53:09
ComboFix2.txt 2008-04-09 15:50:02
ComboFix3.txt 2008-04-09 15:32:43
ComboFix4.txt 2008-04-09 15:28:37
ComboFix5.txt 2008-04-09 15:26:20
Pre-Run: 179,354,836,992 bytes free
Post-Run: 179,343,519,744 bytes free
.
2008-04-01 23:17:51 --- E O F ---

Here is the new HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:55:04, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\SECUREMAKER\smdefrag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crashie.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1071107
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RealPlayer.exe
O4 - Global Startup: SECUREMAKER.lnk = C:\Program Files\SECUREMAKER\SecureMaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194729982453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194738060906
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.1.709.19590 (GoogleDesktopManager-091907-194040) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Securemaker Disk Defragmenter Service (smdefrag) - Unknown owner - C:\Program Files\SECUREMAKER\smdefrag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 6885 bytes
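As an added example, not part of this thread and not HijackThis's own code: a small Python checker for the O4 and O23 line formats in the log above. It flags a Run entry whose file name is a core Windows binary but whose path lies outside C:\WINDOWS (the services.exe / Lsass.exe-in-the-profile pattern this thread started with) and services whose binary is marked missing; the sample log is constructed, and its "LSA Shell" line is a hypothetical entry modelled on the Spybot report in the first post.

```python
import re
from pathlib import PureWindowsPath

# Core Windows binaries that only run from %SystemRoot% on a clean XP box; a copy
# of one of these names elsewhere (here: the user's profile) is this thread's pattern.
SYSTEM_BINARIES = {"services.exe", "lsass.exe", "smss.exe", "winlogon.exe", "csrss.exe", "svchost.exe"}

# O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /flag
O4_RE = re.compile(r'^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 - Service: Display (short) - Owner - C:\path\svc.exe (file missing)
O23_RE = re.compile(r'^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - '
                    r'(?P<path>.*?)(?P<missing> \(file missing\))?$')


def exe_from_command(cmd):
    """Pull the executable path out of a Run value or service command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.*?\.exe)', cmd)         # unquoted: cut at the first .exe
    return m.group(1) if m else cmd.split(" ")[0]


def classify_path(path, windir=r"C:\WINDOWS"):
    """Return a reason string if the path deserves a second look, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if not p.drive:                              # bare name, resolved through PATH at logon
        return "bare filename resolved via PATH" if name in SYSTEM_BINARIES else None
    in_windir = str(p).lower().startswith(windir.lower() + "\\")
    if name in SYSTEM_BINARIES and not in_windir:
        return f"system binary name outside {windir}"
    return None


def analyse_hijackthis(log_text):
    """Return (section, label, exe, reason) tuples for O4/O23 entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = exe_from_command(m.group("cmd"))
            reason = classify_path(exe)
            if reason:
                findings.append(("O4", m.group("name"), exe, reason))
            continue
        m = O23_RE.match(line)
        if m:
            exe = exe_from_command(m.group("path"))
            reason = ("service registered but binary missing" if m.group("missing")
                      else classify_path(exe))
            if reason:
                findings.append(("O23", m.group("display"), exe, reason))
    return findings


# Constructed sample: lines copied from the log above plus one hypothetical O4 entry
# shaped like the Lsass.exe startup value Spybot reported at the start of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [LSA Shell] C:\Documents and Settings\Will Barry\Lsass.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""
```

Running `analyse_hijackthis(SAMPLE_LOG)` returns two findings: the profile-folder Lsass.exe entry and the missing McAfee service binary; the legitimate Intel, Realtek, Java and iPod entries pass.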
rmurphy Posted April 9, 2008
Update MalwareBytes Anti-Malware, then run a full scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-Ryan
ddeeff Posted April 10, 2008 (Author)
Issues 1, 2 and 3 seem to be sorted now, with nothing malicious found.

Malwarebytes' Anti-Malware 1.11
Database version: 604

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|M:\|)
Objects scanned: 292854
Time elapsed: 1 hour(s), 20 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Issue 4 has not occurred again - it is probably something completely separate.
There is a further issue with Firefox repeatedly crashing. I will post again if this keeps happening.
I thank you for all your help; I really appreciate it.
Should I add [resolved] to the title of this thread, and do you want a HiJack This log?
rmurphy Posted April 10, 2008
Well in that case, I believe your log is clean.
For information on how to protect yourself in the future, read Infection Prevention.
Do you have any other questions or concerns? This thread will be left open for a few more days, so feel free to ask.
No, you don't have to add [resolved] to the title; that will be done when I close the thread.
-Ryan
ddeeff Posted April 10, 2008 (Author, edited)
The malware has come back yet again.
I don't think this is coming from the internet.
I think this is coming from my iPod, since it happened when I was trying to copy some files to it again. This makes sense, since I recently connected the iPod to a friend's computer. I'm guessing I got infected from there.

EDIT:
According to a Sophos report, the infection LSA Shellu, which is attempting to get into the startup list, is transmitted through removable storage devices.
I have run MBAM through the iPod and it finds no problems.

EDIT 2:
Ran MBAM through the computer and found the same four files found originally.
Now I am using the iPod with the computer fine. The additional (partitioned) disk drive is not connected, and neither are the two SD memory cards I use. I will get around to using them, checking if the virus appears again. I will only use one at a time in order to isolate the causes.
Edited April 11, 2008 by ddeeff
rmurphy Posted April 21, 2008
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.