|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
08-22-2007, 02:38 AM
|
#1 (permalink) |
|
Registered User
Join Date: Aug 2007
Location: Oregon
Posts: 11
OS: Windows XP
|
Zedo infection, numerous pop-ups, slow system
TSF geniuses please help. My pc has been reduced to a glorified "coaster" status.
Ok, it's not quite that bad, but it's at a point where I do feel the security of my system and thusly my personal info has been jeopardized and I need your help and will gladly pony-up with a donation to acknowledge and say thanks for services rendered. Somehow a couple Thursday evenings ago (8/9/07), I ended up with an infection that has resulted in numerous pop-ups(usually "Powered by Zedo" and “OuterInfo”) and also an inability to restore my system to a point prior to the infection. The primary issue I'm having seems to be very similar to this one here: http://www.techsupportforum.com/security-center/hijackthis-log-help/resolved-hjt-threads/96429-c5-zedo-com-popup-ad.html Summary of issues: -Zedo pop-ups -Trojan Z.quest infection will be temporarily vanquished but returns after reboot -System Restore won't execute for any date prior to date of infection -Several .tmp files that can’t be deleted and continually surface when running Registry Mechanic -Trojan-Clicker.Small.JF I've thrown the following at it: Ad-Aware se1.06 Ad-Aware 2007 AVG 7.5 Spyware Doctor by PC Tools Registry Mechanic by PC Tools Privacy Guardian by PC Tools Spybot S&D BitDefender ScanSpyware v3.8 RegistryBooster2 by Uniblue Netflix.com (kidding) (I don't believe that any of the above tools are on Spyware Warrior's Rogue list.) Step 1: Uninstall Malware.................................................CHECK Step 2: Run an Online scan (with Panda ActiveScan).............CHECK (Panda log below) Step 3: Installing Immediate Protection...............................CHECK Step 4: Update your Operating System...............................CHECK (however I should add that SP2 for Windows XP was installed well before my infection) Step 5: Preparing to Post your Log / DSS instructions............CHECK PANDA LOG: Incident Status Location Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Phil Ross\Cookies\phil_ross@2o7[2].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Phil Ross\Cookies\phil_ross@advertising[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Phil Ross\Cookies\phil_ross@doubleclick[1].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Phil Ross\Cookies\phil_ross@fastclick[2].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Phil Ross\Cookies\phil_ross@mediaplex[1].txt HJT LOG: Deckard's System Scanner v20070819.64 Run by Phil Ross on 2007-08-22 00:56:55 Computer is in Normal Mode. -------------------------------------------------------------------------------- System Drive C: has 4.52 GiB (less than 15%) free. -- HijackThis (run as Phil Ross.exe) ------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 12:56:59 AM, on 8/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\system32\hphmon05.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\ESPNRunTime\DIGServices.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\WINDOWS\system32\igfxtray.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINDOWS\jmfmfybA.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\Documents and Settings\Phil Ross\Desktop\Deckard's System Scanner.exe C:\DOCUME~1\PHILRO~1\Desktop\HIJACK~1\PHILRO~1.EXE C:\WINDOWS\system32\NOTEPAD.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://money.cnn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing) O2 - BHO: 0 - {41195973-3DAA-437D-AA93-CCF50F95EAA2} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: 0 - {695074C9-13FF-4574-D88A-706F5F32D27F} - (no file) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: 0 - {8E33FCB6-5F31-4578-AF9B-7D3F85BC8E62} - (no file) O2 - BHO: 0 - {A2B96126-7639-4F86-DA8E-092A5065E148} - (no file) O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: 0 - {AB975708-4513-416E-AA8F-37CDDCC251F2} - (no file) O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [jmfmfybA] C:\WINDOWS\jmfmfybA.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Privacy Guardian\PgIndex.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/C...ataManager.CAB O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/do...e_Inst_Win.cab O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sd...ie06041001.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{C0A02239-0FE8-4154-BC2A-E4FF540FAA27}: NameServer = 216.228.160.5,216.228.160.36 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: opnkljj - C:\WINDOWS\ O20 - Winlogon Notify: pmnkk - C:\WINDOWS\ O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe -- Files created between 2007-07-22 and 2007-08-22 ----------------------------- 2007-08-22 00:14:33 0 d-------- C:\ie-spyad_zo 2007-08-22 00:14:18 315590 --a------ C:\Program Files\ie-spyad_zo.exe 2007-08-21 23:56:47 0 d-------- C:\Program Files\SpywareBlaster 2007-08-21 21:18:45 0 d-------- C:\WINDOWS\LastGood 2007-08-21 19:24:27 0 dr-h----- C:\Documents and Settings\Phil Ross\Recent 2007-08-17 03:46:36 0 d-------- C:\VundoFix Backups 2007-08-14 03:53:54 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-08-14 02:31:39 0 d-------- C:\Documents and Settings\Phil Ross\Application Data\Grisoft 2007-08-14 02:30:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2007-08-14 01:35:04 1156 --a------ C:\WINDOWS\mozver.dat 2007-08-14 01:25:25 0 d-------- C:\Documents and Settings\Phil Ross\Application Data\Talkback 2007-08-14 01:18:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Mozilla 2007-08-14 01:14:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater 2007-08-12 15:58:04 0 d-------- C:\Documents and Settings\Phil Ross\Application Data\System Tweaker 2007-08-12 15:41:52 0 d-------- C:\Documents and Settings\Phil Ross\Application Data\Uniblue 2007-08-12 15:41:43 0 d-------- C:\Program Files\Uniblue 2007-08-11 14:13:12 0 d-------- C:\Program Files\ScanSpyware v3.8 2007-08-11 12:48:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu 2007-08-11 12:48:19 0 dr-h----- C:\Documents and Settings\Administrator\Recent 2007-08-11 12:48:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood 2007-08-11 12:48:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood 2007-08-11 12:48:19 0 dr------- C:\Documents and Settings\Administrator\My Documents 2007-08-11 12:48:19 0 d-------- C:\Documents and Settings\Administrator\Desktop 2007-08-11 12:48:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec 2007-08-11 12:48:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun 2007-08-11 12:48:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities 2007-08-11 12:48:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer 2007-08-11 12:34:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic 2007-08-11 12:34:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft 2007-08-11 12:34:21 0 dr-h----- C:\Documents and Settings\Administrator\SendTo 2007-08-11 12:34:21 0 d--h----- C:\Documents and Settings\Administrator\Local Settings 2007-08-11 12:34:21 0 dr------- C:\Documents and Settings\Administrator\Favorites 2007-08-11 12:34:21 0 dr-h----- C:\Documents and Settings\Administrator\Application Data 2007-08-11 12:34:20 0 d--h----- C:\Documents and Settings\Administrator\Templates 2007-08-11 12:34:19 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT 2007-08-11 04:20:07 0 d-------- C:\WINDOWS\BDOSCAN8 2007-08-11 03:32:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google 2007-08-11 03:32:17 0 dr------- C:\Documents and Settings\LocalService\Favorites 2007-08-11 01:22:34 0 d-------- C:\Program Files\Lavasoft 2007-08-11 01:22:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-08-11 01:21:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-08-10 02:14:50 0 d--hs---- C:\WA6P 2007-08-10 02:09:05 1126352 -r-hs---- C:\WINDOWS\jmfmfybA.exe <Not Verified; System Service; System Monitor Service> 2007-08-10 02:08:57 0 d-------- C:\WINDOWS\system32\X2 2007-08-10 02:08:57 0 d-------- C:\WINDOWS\system32\win 2007-08-10 02:08:57 0 d-------- C:\WINDOWS\system32\configs 2007-08-10 02:08:57 0 d-------- C:\WINDOWS\system32\B1 2007-08-10 02:08:57 0 d-------- C:\WINDOWS\system32\A1 2007-08-10 02:08:55 0 d-------- C:\Program Files\Common Files\?racle 2007-08-10 02:08:46 0 d-------- C:\WINDOWS\system32\f02WtR 2007-08-10 02:08:46 0 d-------- C:\Temp 2007-08-07 19:43:47 0 d-------- C:\Program Files\Intel 2007-08-07 19:10:11 0 d-------- C:\WINDOWS\Drivers 2007-08-07 19:08:56 0 d-------- C:\WINDOWS\OPTIONS 2007-08-07 19:08:34 0 d-------- C:\Program Files\CONEXANT 2007-08-03 09:35:41 0 d-------- C:\Program Files\iPod 2007-08-03 09:35:25 0 d-------- C:\Program Files\iTunes 2007-08-03 09:33:21 0 d-------- C:\Program Files\Common Files\Apple -- Find3M Report --------------------------------------------------------------- 2007-08-21 22:15:42 0 d-------- C:\Program Files\MSN Messenger 2007-08-21 22:03:26 0 d-------- C:\Program Files\Google 2007-08-21 22:03:19 0 d-------- C:\Program Files\ESPNRunTime 2007-08-21 19:24:14 0 d-------- C:\Program Files\Privacy Guardian 2007-08-21 19:12:31 0 d-------- C:\Program Files\Spyware Doctor 2007-08-15 23:01:40 0 d-a------ C:\Program Files\Common Files 2007-08-14 01:25:03 0 d-------- C:\Documents and Settings\Phil Ross\Application Data\Mozilla 2007-08-14 01:22:14 0 d-------- C:\Program Files\Common Files\Real 2007-08-14 01:21:34 0 d-------- C:\Documents and Settings\Phil Ross\Application Data\Real 2007-08-11 01:05:57 0 d-------- C:\Program Files\Common Files\Adobe 2007-08-11 00:59:57 0 d-------- C:\Documents and Settings\Phil Ross\Application Data\Macromedia 2007-08-10 21:56:23 0 d-------- C:\Documents and Settings\Phil Ross\Application Data\Lavasoft 2007-08-10 02:22:23 0 d-------- C:\Program Files\Common Files\?racle 2007-08-08 21:26:33 0 d-------- C:\Documents and Settings\Phil Ross\Application Data\Sonic 2007-08-07 21:00:35 0 d-------- C:\Program Files\The Weather Channel FW 2007-08-07 19:42:43 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-08-07 19:42:22 0 d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-07 19:41:25 0 d-------- C:\Program Files\Java 2007-08-07 19:12:18 0 d-------- C:\Program Files\HPQ 2007-08-03 09:34:21 0 d-------- C:\Program Files\Apple Software Update 2007-07-22 23:29:02 0 d-------- C:\Documents and Settings\Phil Ross\Application Data\Adobe 2007-07-12 22:36:41 0 d-------- C:\Program Files\QuickTime 2007-06-27 22:12:21 0 d-------- C:\Program Files\PokerPages Software -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41195973-3DAA-437D-AA93-CCF50F95EAA2}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{695074C9-13FF-4574-D88A-706F5F32D27F}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E33FCB6-5F31-4578-AF9B-7D3F85BC8E62}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2B96126-7639-4F86-DA8E-092A5065E148}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB975708-4513-416E-AA8F-37CDDCC251F2}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/30/2003 01:33 AM] "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/2005 03:54 PM] "HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [05/22/2003 07:55 PM] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [04/30/2004 10:32 AM] "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [07/30/2004 08:33 AM] "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [05/19/2005 01:55 PM] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/26/2004 10:15 AM] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/31/2007 06:44 PM] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [05/26/2004 10:15 AM] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/30/2003 01:46 AM] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [08/07/2007 07:41 PM] "jmfmfybA"="C:\WINDOWS\jmfmfybA.exe" [12/12/1989 10:10 AM] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 01:54 PM] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:00 AM] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/14/2007 01:15 AM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce] "PrivacyGuardianIndex"=C:\Program Files\Privacy Guardian\PgIndex.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [8/14/2007 1:14:58 AM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoLowDiskSpaceChecks"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkljj] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkk] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] -- End of Deckard's System Scanner: finished at 2007-08-22 00:57:29 ------------ BitDefender Scan Report BitDefender Online Scanner Scan report generated at: Mon, Aug 20, 2007 - 10:31:41 Scan path: C:\;D:\; Statistics Time 01:12:33 Files 276506 Folders 7323 Boot Sectors 2 Archives 9165 Packed Files 22760 Results Identified Viruses 2 Infected Files 2 Suspect Files 0 Warnings 0 Disinfected 0 Deleted Files 2 Engines Info Virus Definitions 749305 Engine build AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22) Scan plugins 14 Archive plugins 37 Unpack plugins 6 E-mail plugins 6 System plugins 1 Scan Settings First Action Disinfect Second Action Delete Heuristics Yes Enable Warnings Yes Scanned Extensions *; Exclude Extensions Scan Emails Yes Scan Archives Yes Scan Packed Yes Scan Files Yes Scan Boot Yes Scanned File Status C:\Documents and Settings\Phil Ross\Local Settings\Temporary Internet Files\Content.IE5\IQDNAGNE\goo[1].htm Infected with: Exploit.HTML.Ascii.A C:\Documents and Settings\Phil Ross\Local Settings\Temporary Internet Files\Content.IE5\IQDNAGNE\goo[1].htm Disinfection failed C:\Documents and Settings\Phil Ross\Local Settings\Temporary Internet Files\Content.IE5\IQDNAGNE\goo[1].htm Deleted C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP801\A0066969.exe Detected with: Adware.TTC.B C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP801\A0066969.exe Disinfection failed C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP801\A0066969.exe Deleted Last edited by Drum_Phil; 08-22-2007 at 02:54 AM. Reason: Adding BitDefender scan info |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
08-23-2007, 11:45 AM
|
#2 (permalink) |
|
Registered User
Join Date: Aug 2007
Location: Oregon
Posts: 11
OS: Windows XP
|
Re: Zedo infection, numerous pop-ups, slow system
Last night the scan results of Spyware Doctor yielded:
Trojan-Downloader.VB.AWJ Bottom line is that this infection is your run-of-the-mill elusive, constantly renaming itself, pain-in-the-backside type. I know you folks are busy, so I'll be ready when you are. Thanks! |
|
|
|
|
08-25-2007, 12:30 PM
|
#4 (permalink) |
|
Registered User
Join Date: Aug 2007
Location: Oregon
Posts: 11
OS: Windows XP
|
Re: Zedo infection, numerous pop-ups, slow system
Kaspersky Scan
KASPERSKY ONLINE SCANNER REPORT Saturday, August 25, 2007 10:36:46 AM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 25/08/2007 Kaspersky Anti-Virus database records: 389769 Scan Settings Scan using the following antivirus database extended Scan Archives true Scan Mail Bases true Scan Target My Computer C:\ D:\ Scan Statistics Total number of scanned objects 61543 Number of viruses found 1 Number of infected objects 1 Number of suspicious objects 0 Duration of the scan process 01:44:41 Infected Object Name Virus Name Last Action C:\Documents and Settings\All Users\Application Data\muvee Technologies\030410\0102\0102\values Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Phil Ross\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\History\History.IE5\MSHist012007082520070826\index.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Temp\~DF917D.tmp Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Temp\~DF918A.tmp Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Temp\~DFCBA0.tmp Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Phil Ross\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Phil Ross\ntuser.dat.LOG Object is locked skipped C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP811\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\jmfmfybA.exe Infected: Trojan-Downloader.Win32.VB.ang skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{91ABD34E-0B70-46D6-AFCA-9C88C0D65237}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. |
|
|
|
|
08-25-2007, 11:01 PM
|
#5 (permalink) |
|
Registered User
Join Date: Aug 2007
Location: Oregon
Posts: 11
OS: Windows XP
|
Re: Zedo infection, numerous pop-ups, slow system
ComboFix Log
*****As info, the very first thing that occurred after reboot was a c5.zedo.com pop-up.***** ComboFix 07-08-26 - "Phil Ross" 2007-08-25 21:28:33.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479 [GMT -7:00] * Created a new restore point ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\PHILRO~1\MYDOCU~1\crosof~1.net C:\Program Files\Common Files\racle~1 C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\WA6P C:\WINDOWS\system32\A1 C:\WINDOWS\system32\B1 C:\WINDOWS\system32\configs C:\WINDOWS\system32\f02WtR C:\WINDOWS\system32\win C:\WINDOWS\system32\X2 ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_NET_AGENT -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS ((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 ))))))))))))))))))))))))))))))) 2007-08-25 21:27 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-25 02:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-08-25 02:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab 2007-08-22 00:36 <DIR> d-------- C:\Deckard 2007-08-22 00:14 315,590 --a------ C:\Program Files\ie-spyad_zo.exe 2007-08-22 00:14 <DIR> d-------- C:\ie-spyad_zo 2007-08-21 23:56 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-08-21 23:55 2,566,736 --a------ C:\Program Files\spywareblastersetup351.exe 2007-08-21 21:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp 2007-08-19 18:15 14,920,632 --a------ C:\Program Files\sdsetup.exe 2007-08-17 03:46 <DIR> d-------- C:\VundoFix Backups 2007-08-15 02:43 11,776 --a------ C:\WINDOWS\system32\regsvr32.exe 2007-08-15 02:43 11,776 --a------ C:\WINDOWS\system32\dllcache\regsvr32.exe 2007-08-14 03:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-08-14 02:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-08-14 02:28 12,413,440 --a------ C:\Program Files\Ewido (avgas-setup-7.5.1.43).exe 2007-08-14 01:35 1,156 --a------ C:\WINDOWS\mozver.dat 2007-08-14 01:25 <DIR> d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\Talkback 2007-08-14 01:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater 2007-08-12 15:58 <DIR> d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\System Tweaker 2007-08-12 15:41 4,182,768 --a------ C:\RegistryBooster by liutilities.com 2007-08-12 15:41 <DIR> d-------- C:\Program Files\Uniblue 2007-08-12 15:41 <DIR> d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\Uniblue 2007-08-11 14:13 <DIR> d-------- C:\Program Files\ScanSpyware v3.8 2007-08-11 04:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2007-08-11 03:32 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google 2007-08-11 01:22 <DIR> d-------- C:\Program Files\Lavasoft 2007-08-11 01:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft 2007-08-11 01:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-08-10 05:01 15,505,200 --a------ C:\IE7-WindowsXP-x86-enu.exe 2007-08-10 02:09 1,126,352 -r-hs---- C:\WINDOWS\jmfmfybA.exe 2007-08-10 02:08 <DIR> d-------- C:\Temp 2007-08-07 20:22 155,648 --a------ C:\WINDOWS\system32\igfxres.dll 2007-08-07 19:43 <DIR> d-------- C:\Program Files\Intel 2007-08-07 19:11 57,344 --------- C:\WINDOWS\system32\BCMWLD2K.EXE 2007-08-07 19:11 139,264 --------- C:\WINDOWS\system32\BCMWLU00.EXE 2007-08-07 19:10 <DIR> d-------- C:\WINDOWS\Drivers 2007-08-07 19:08 90,112 --a------ C:\WINDOWS\system32\mdmxsdk.dll 2007-08-07 19:08 682,624 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys 2007-08-07 19:08 32,218 --a------ C:\WINDOWS\system32\HSFCI009.dll 2007-08-07 19:08 199,552 --a------ C:\WINDOWS\system32\drivers\HSFHWICH.sys 2007-08-07 19:08 11,043 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys 2007-08-07 19:08 1,041,536 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys 2007-08-07 19:08 <DIR> d-------- C:\WINDOWS\OPTIONS 2007-08-07 19:08 <DIR> d-------- C:\Program Files\CONEXANT 2007-08-03 09:35 <DIR> d-------- C:\Program Files\iTunes 2007-08-03 09:35 <DIR> d-------- C:\Program Files\iPod 2007-08-03 09:33 <DIR> d-------- C:\Program Files\Common Files\Apple (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-24 11:53 --------- d-------- C:\Program Files\Spyware Doctor 2007-08-24 02:48 --------- d-------- C:\Program Files\MSN Messenger 2007-08-24 02:40 --------- d-------- C:\Program Files\Google 2007-08-24 02:40 --------- d-------- C:\Program Files\ESPNRunTime 2007-08-24 01:04 --------- d-------- C:\Program Files\Privacy Guardian 2007-08-24 01:03 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP 2007-08-14 17:02 82248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-08-14 17:02 57672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-08-14 17:02 40264 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-08-14 17:02 29000 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-08-14 01:22 --------- d-------- C:\Program Files\Common Files\Real 2007-08-14 01:21 --------- d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\Real 2007-08-12 11:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google 2007-08-11 01:28 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys 2007-08-11 01:28 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys 2007-08-10 21:56 --------- d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\Lavasoft 2007-08-08 21:26 --------- d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\Sonic 2007-08-07 21:00 --------- d-------- C:\Program Files\The Weather Channel FW 2007-08-07 19:42 --------- d--h----- C:\Program Files\InstallShield Installation Information 2007-08-07 19:42 --------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-07 19:41 2067 -rahs---- C:\WINDOWS\system32\drivers\HP_hp pavilion ze4900 (PR300UA ABA)_YN_Pavi_QCNF448_E_4_I3084_SQuanta_V41.0B_BF.15_T041109_WXH2_L409_M735_J40_7Intel_8Celeron M_91.3_1_N10EC8139_P104CAC50_Z808624C6_K_A808624C5_U808624C2_G80863582.MRK 2007-08-07 19:12 --------- d-------- C:\Program Files\HPQ 2007-08-03 09:34 --------- d-------- C:\Program Files\Apple Software Update 2007-08-03 09:31 50005304 --a------ C:\iTunesSetup.exe 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll 2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll 2007-07-12 22:36 --------- d-------- C:\Program Files\QuickTime 2007-07-12 22:32 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple 2007-07-12 16:31 765952 --------- C:\WINDOWS\system32\dllcache\vgx.dll 2007-06-27 22:12 --------- d-------- C:\Program Files\PokerPages Software 2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll 2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll 2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll 2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll 2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll 2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll 2007-06-27 07:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll 2007-06-27 07:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll 2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll 2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll 2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll 2007-06-27 07:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll 2007-06-27 07:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll 2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll 2007-06-27 07:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll 2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll 2007-06-27 07:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll 2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll 2007-06-27 07:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll 2007-06-27 07:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll 2007-06-27 01:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe 2007-06-27 01:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe 2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe 2007-06-27 00:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll 2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll 2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll 2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll 2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll 2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe 2007-06-13 03:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe 1989-12-12 17:10:10 1,126,352 --sh--r C:\WINDOWS\jmfmfybA.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41195973-3DAA-437D-AA93-CCF50F95EAA2}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{695074C9-13FF-4574-D88A-706F5F32D27F}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E33FCB6-5F31-4578-AF9B-7D3F85BC8E62}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2B96126-7639-4F86-DA8E-092A5065E148}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB975708-4513-416E-AA8F-37CDDCC251F2}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-30 01:33] "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54] "HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-05-22 19:55] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 10:32] "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 08:33] "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 10:15] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 10:15] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-30 01:46] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2007-08-07 19:41] "jmfmfybA"="C:\WINDOWS\jmfmfybA.exe" [1989-12-12 10:10] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 01:15] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkljj] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkk] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] R2 Machnm32;Machnm32 Driver;\??\C:\WINDOWS\system32\Machnm32.sys S2 pciinfo;HP Pci Information;\??\C:\DOCUME~1\PHILRO~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se46mdfl.sys S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se46mdm.sys S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se46mgmt.sys S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se46nd5.sys S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se46obex.sys S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se46unic.sys Contents of the 'Scheduled Tasks' folder 2007-08-23 23:45:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-25 21:35:04 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????5?1?5?1??????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-25 21:41:08 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-08-25 21:40 --- E O F --- |
|
|
|
|
08-27-2007, 08:30 AM
|
#6 (permalink) | |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista
|
Re: Zedo infection, numerous pop-ups, slow system
Hello Phil,
 Our apologies for the oversight of your thread. You've done a fine job so far.  Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below. *************************************************** 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. --------------------------------------------------------------------- Open notepad and copy/paste the text in the quotebox below into it: Quote:
 Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall -------------------------------------------------------------------- Clear your Temp and Temporary Internet Files: Go to Start > Run and type cleanmgr in the box. Let it scan your system for files to remove. Make sure Temporary Internet Files and Temporary Files are 'checked' and click OK. -------------------------------------------------------------------- Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java:
Now, please run another online scan at Kaspersky and save the results. ------------------------------------------------------------ Run a new scan with HijackThis and save the log. ------------------------------------------------------------ Please include the following in your next reply: C:\ComboFix.txt Kapsersky results New HijackThis log Update on system behavior |
|
|
|
|
|
08-28-2007, 03:00 AM
|
#7 (permalink) |
|
Registered User
Join Date: Aug 2007
Location: Oregon
Posts: 11
OS: Windows XP
|
Re: Zedo infection, numerous pop-ups, slow system
 Ried,Please include the following in your next reply: C:\ComboFix.txt Kaspersky results New HijackThis log Update on system behavior -------------------------------------------------------------- C:\ComboFix.txt ComboFix 07-08-26 - "Phil Ross" 2007-08-27 21:37:08.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.460 [GMT -7:00] Command switches used :: C:\Documents and Settings\Phil Ross\Desktop\CFScript.txt * Created a new restore point FILE:: C:\WINDOWS\jmfmfybA.exe ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\VundoFix Backups C:\WINDOWS\jmfmfybA.exe ((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-28 ))))))))))))))))))))))))))))))) 2007-08-25 21:27 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-25 02:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-08-25 02:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab 2007-08-22 00:36 <DIR> d-------- C:\Deckard 2007-08-22 00:14 315,590 --a------ C:\Program Files\ie-spyad_zo.exe 2007-08-22 00:14 <DIR> d-------- C:\ie-spyad_zo 2007-08-21 23:56 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-08-21 23:55 2,566,736 --a------ C:\Program Files\spywareblastersetup351.exe 2007-08-19 18:15 14,920,632 --a------ C:\Program Files\sdsetup.exe 2007-08-15 02:43 11,776 --a------ C:\WINDOWS\system32\regsvr32.exe 2007-08-15 02:43 11,776 --a------ C:\WINDOWS\system32\dllcache\regsvr32.exe 2007-08-14 03:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-08-14 02:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-08-14 02:28 12,413,440 --a------ C:\Program Files\Ewido (avgas-setup-7.5.1.43).exe 2007-08-14 01:35 1,156 --a------ C:\WINDOWS\mozver.dat 2007-08-14 01:25 <DIR> d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\Talkback 2007-08-14 01:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater 2007-08-12 15:58 <DIR> d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\System Tweaker 2007-08-12 15:41 4,182,768 --a------ C:\RegistryBooster by liutilities.com 2007-08-12 15:41 <DIR> d-------- C:\Program Files\Uniblue 2007-08-12 15:41 <DIR> d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\Uniblue 2007-08-11 14:13 <DIR> d-------- C:\Program Files\ScanSpyware v3.8 2007-08-11 04:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2007-08-11 03:32 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google 2007-08-11 01:22 <DIR> d-------- C:\Program Files\Lavasoft 2007-08-11 01:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft 2007-08-11 01:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-08-10 05:01 15,505,200 --a------ C:\IE7-WindowsXP-x86-enu.exe 2007-08-10 02:08 <DIR> d-------- C:\Temp 2007-08-07 20:22 155,648 --a------ C:\WINDOWS\system32\igfxres.dll 2007-08-07 19:43 <DIR> d-------- C:\Program Files\Intel 2007-08-07 19:11 57,344 --------- C:\WINDOWS\system32\BCMWLD2K.EXE 2007-08-07 19:11 139,264 --------- C:\WINDOWS\system32\BCMWLU00.EXE 2007-08-07 19:10 <DIR> d-------- C:\WINDOWS\Drivers 2007-08-07 19:08 90,112 --a------ C:\WINDOWS\system32\mdmxsdk.dll 2007-08-07 19:08 682,624 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys 2007-08-07 19:08 32,218 --a------ C:\WINDOWS\system32\HSFCI009.dll 2007-08-07 19:08 199,552 --a------ C:\WINDOWS\system32\drivers\HSFHWICH.sys 2007-08-07 19:08 11,043 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys 2007-08-07 19:08 1,041,536 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys 2007-08-07 19:08 <DIR> d-------- C:\WINDOWS\OPTIONS 2007-08-07 19:08 <DIR> d-------- C:\Program Files\CONEXANT 2007-08-03 09:35 <DIR> d-------- C:\Program Files\iTunes 2007-08-03 09:35 <DIR> d-------- C:\Program Files\iPod 2007-08-03 09:33 <DIR> d-------- C:\Program Files\Common Files\Apple (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-26 22:25 --------- d-------- C:\Program Files\MSN Messenger 2007-08-26 22:16 --------- d-------- C:\Program Files\Google 2007-08-26 22:16 --------- d-------- C:\Program Files\ESPNRunTime 2007-08-26 21:35 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP 2007-08-26 21:31 --------- d-------- C:\Program Files\Spyware Doctor 2007-08-24 01:04 --------- d-------- C:\Program Files\Privacy Guardian 2007-08-14 17:02 82248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-08-14 17:02 57672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-08-14 17:02 40264 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-08-14 17:02 29000 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-08-14 01:22 --------- d-------- C:\Program Files\Common Files\Real 2007-08-14 01:21 --------- d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\Real 2007-08-12 11:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google 2007-08-11 01:28 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys 2007-08-11 01:28 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys 2007-08-10 21:56 --------- d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\Lavasoft 2007-08-08 21:26 --------- d-------- C:\DOCUME~1\PHILRO~1\APPLIC~1\Sonic 2007-08-07 21:00 --------- d-------- C:\Program Files\The Weather Channel FW 2007-08-07 19:42 --------- d--h----- C:\Program Files\InstallShield Installation Information 2007-08-07 19:42 --------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-07 19:41 2067 -rahs---- C:\WINDOWS\system32\drivers\HP_hp pavilion ze4900 (PR300UA ABA)_YN_Pavi_QCNF448_E_4_I3084_SQuanta_V41.0B_BF.15_T041109_WXH2_L409_M735_J40_7Intel_8Celeron M_91.3_1_N10EC8139_P104CAC50_Z808624C6_K_A808624C5_U808624C2_G80863582.MRK 2007-08-07 19:12 --------- d-------- C:\Program Files\HPQ 2007-08-03 09:34 --------- d-------- C:\Program Files\Apple Software Update 2007-08-03 09:31 50005304 --a------ C:\iTunesSetup.exe 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll 2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll 2007-07-12 22:36 --------- d-------- C:\Program Files\QuickTime 2007-07-12 22:32 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple 2007-07-12 16:31 765952 --------- C:\WINDOWS\system32\dllcache\vgx.dll 2007-06-27 22:12 --------- d-------- C:\Program Files\PokerPages Software 2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll 2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll 2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll 2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll 2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll 2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll 2007-06-27 07:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll 2007-06-27 07:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll 2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll 2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll 2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll 2007-06-27 07:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll 2007-06-27 07:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll 2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll 2007-06-27 07:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll 2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll 2007-06-27 07:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll 2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll 2007-06-27 07:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll 2007-06-27 07:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll 2007-06-27 01:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe 2007-06-27 01:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe 2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe 2007-06-27 00:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll 2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll 2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll 2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll 2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll 2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe 2007-06-13 03:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-30 01:33] "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54] "HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-05-22 19:55] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 10:32] "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 08:33] "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 10:15] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 10:15] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-30 01:46] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2007-08-07 19:41] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 01:15] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] R2 Machnm32;Machnm32 Driver;\??\C:\WINDOWS\system32\Machnm32.sys S2 pciinfo;HP Pci Information;\??\C:\DOCUME~1\PHILRO~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se46mdfl.sys S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se46mdm.sys S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se46mgmt.sys S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se46nd5.sys S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se46obex.sys S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se46unic.sys Contents of the 'Scheduled Tasks' folder 2007-08-23 23:45:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-27 21:38:37 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????5?1?5?1??????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-27 21:39:53 C:\ComboFix-quarantined-files.txt ... 2007-08-27 21:39 C:\ComboFix2.txt ... 2007-08-25 21:41 --- E O F --- Kaspersky results KASPERSKY ONLINE SCANNER REPORT Tuesday, August 28, 2007 12:16:37 AM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 28/08/2007 Kaspersky Anti-Virus database records: 393117 Scan Settings Scan using the following antivirus database extended Scan Archives true Scan Mail Bases true Scan Target My Computer C:\ D:\ Scan Statistics Total number of scanned objects 62535 Number of viruses found 1 Number of infected objects 2 Number of suspicious objects 0 Duration of the scan process 01:39:04 Infected Object Name Virus Name Last Action C:\Documents and Settings\All Users\Application Data\muvee Technologies\030410\0102\0102\values Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Phil Ross\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\History\History.IE5\MSHist012007082720070828\index.dat Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Temp\~DF7629.tmp Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Temp\~DF7636.tmp Object is locked skipped C:\Documents and Settings\Phil Ross\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Phil Ross\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Phil Ross\ntuser.dat.LOG Object is locked skipped C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped C:\QooBox\Quarantine\C\WINDOWS\jmfmfybA.exe.vir Infected: Trojan-Downloader.Win32.VB.ang skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP816\A0067760.exe Infected: Trojan-Downloader.Win32.VB.ang skipped C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP818\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. New HijackThis log Logfile of HijackThis v1.99.1 Scan saved at 12:18:23 AM, on 8/28/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\system32\hphmon05.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\ESPNRunTime\DIGServices.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\WINDOWS\system32\igfxtray.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\Documents and Settings\Phil Ross\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://money.cnn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/C...ataManager.CAB O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/do...e_Inst_Win.cab O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sd...ie06041001.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{C0A02239-0FE8-4154-BC2A-E4FF540FAA27}: NameServer = 216.228.160.5,216.228.160.36 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe Update on system behavior (after having followed your instructions precisely) -no pop-ups have occured since reboot(zedo or otherwise) -however, as you obviously see above, scan results still indicate infection -system still seems to be a bit on the "sluggish" side Is this a pretty run-of-the-mill infection or does it seem pretty nasty to you? Regardless, HUGE thanks to you for your assistance. -Phil |
|
|
|
|
08-28-2007, 07:12 AM
|
#8 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista
|
Re: Zedo infection, numerous pop-ups, slow system
Hi Phil,
To me, any infection that places itself in such a way as to run itself at startup, is nasty.  Kaspersky is only reporting items that are already safely quarantined and in your system restore. Will take care of that now. Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries: O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) Click 'Fix Checked' and close HijackThis. -------------------------------------------------------------------- Using 'My Computer', navigate to and delete the following Folder C:\ Qoobox -------------------------------------------------------------------- Regarding the sluggishness, you already have Ad-Aware 2007 active on your system. AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools, but you may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable it's real time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so: Open AVG Anti-Spyware.
Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links: Ensure Windows Auto Update is Enabled *Go to Start>Run - type wuaucpl.cpl *Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Create a new System Restore point Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK This will flush out previous restore points (which contain the infections) and create a new restore point. ************************************************************************************** To help protect your computer in the future I recommend that you get the following free programs if you do not already have them: McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
Update, and scan with your onboard Anti-Malware programs regularly. Without regular updates you will not be protected when new malicious programs are released. In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles: PC Safety and Security--What Do I Need? HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. ----------------------------------------------------- Follow the list above and the potential for infection will reduce dramatically.
|
|
|
|
|
08-28-2007, 02:42 PM
|
#9 (permalink) |
|
Registered User
Join Date: Aug 2007
Location: Oregon
Posts: 11
OS: Windows XP
|
Re: Zedo infection, numerous pop-ups, slow system
Outstanding!
System is much quicker and best of all, no pesky pop-ups! Woo hoo! A couple of quick questions for you, then we'll get this one all wrapped-up; I've got a brand new laptop: http://www.amazon.com/exec/obidos/AS...nnorswebguidec After rebates, total price was $1,199 and free shipping which I thought was a pretty good price for a 17" with 240gb hd (dual 120's). The 1.5ghz might be a bit on the slow-side though huh? (As info, this new one has NOT been connected to my WAP yet because I wanted to FULLY resolve all issues with my current one.) So questions are; 1) Does it seem to you like this is a pretty decent little notebook pc? 2) I'm thinking about switching to Firefox(from IE) as I've heard that it's more secure and quite a bit quicker in regards to page load times. What are your thoughts and recommendations here? 3) Given the infection/virus that was (but now gone  ) on my old laptop, I'm concerned about the possibility that some type of keylogger, hack or whatever may have viewed everything on my system(WEP key, SSID(?) or whatever). What would you recommend I do here to be a "safe surfer" once again in regards to the WEP key, etc? (As info, I've already followed your suggestions from your last post.) (After the infection was discovered, I went to my wife's PC(connected by cat5e) and changed my iTunes password which had my AMEX card info in it. However, I have NOT changed my AMEX account number, but I do monitor that account closely for bogus charges.) Thanks for everything Ried! You're the bomb! -Phil |
|
|
|
|
08-28-2007, 02:58 PM
|
#10 (permalink) |
|
Registered User
Join Date: Aug 2007
Location: Oregon
Posts: 11
OS: Windows XP
|
Re: Zedo infection, numerous pop-ups, slow system
Forgot to ask....
4) So at this point I'm going to pare down to just a few of your recommended Malware tools. Ried's recommended: -AVG -SpwareBlaster -McAfee Site Adviser But I'd like to keep these: -Spyware Doctor by PC Tools -Registry Mechanic by PC Tools -Privacy Guardian by PC Tools (Perhaps it's not too swift of me to want to keep them. After all, they didn't do too much to prevent the recent infection.) Possibilities for deletion: I've got a fair amount of stuff that's been added to my system to resolve my issue. I'd like to delete the following(and any of their scan logs) with your permission: -ComboFix -Vundo -HJT -DSS (Deckard's) -Kaspersky -Ad-Aware se1.06 (already deleted when upgraded to 2007 version) -Ad-Aware 2007 -Spybot S&D -BitDefender -ScanSpyware v3.8 -RegistryBooster2 by Uniblue -Panda ActiveScan (of course, some of these are just shortcuts on my desktop) As info, my wife will now be using my old laptop for her business, so it's even more crucial that it be clean. (Didn't want you to think that we did all this on a laptop that's going to go by the wayside. Hardly.) I can't thank you enough! -Phil Last edited by Drum_Phil; 08-28-2007 at 03:03 PM. |
|
|
|
|
08-28-2007, 09:31 PM
|
#11 (permalink) | |||
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista
|
Re: Zedo infection, numerous pop-ups, slow system
Hi Phil,
Quote:
If you'd like expert opinion, you'd do better asking this question of the folks in the Hardware section. Quote:
Quote:
--------------------------------------- The programs I recommended, were based on what I already saw installed on your system. My list is usually a bit longer.  Keep: HijackThis and dss.exe for future use, should you suspect malware issues with your system. Run a scan with dss.exe and begin a new thread, posting the main.txt. (hopefully you won't need to again) AVG A-S is another, but call it into use only when needed. Leave Ad-Aware as your active protection since AVG A-S resident shield will time-out after 30 days unless you purchase the program. There is no need to purchase it as it will continue to update and clean your system, you'll just lose the active protection. Nothing, and no combination of anti-malware and anti-virus tools can stop everything, but a multi-layered approach goes a long way in thwarting infections. As an example, I currently have this setup: AVG free AV Comodo Free Personal Firewall AVG A-S Spybot S&D AdawareSE (haven't seen the need to upgrade yet )Spyware Blaster McAfee Site Advisor (big help when I'm researching via Google. When I'm using Firefox, I can see at a glance which are safe sites to go to.) Personally, I would drop Spyware Doctor when the subscription runs out. It's not a bad program, but with Ad-Aware, Spybot S&D and AVG A-S, you have plenty of protection and ways to scan and clean the system. ------------------------------------- You may go ahead and delete any of the other tools (and their folders) that were used to clean the system. Also, here are 2 very good free Antivirus products which are available:Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan. I hope I covered it all.
|
|||
|
|
|
|
08-28-2007, 10:21 PM
|
#12 (permalink) | |
|
Registered User
Join Date: Aug 2007
Location: Oregon
Posts: 11
OS: Windows XP
|
Re: Zedo infection, numerous pop-ups, slow system
Excellent! You've covered everything. I'm saving a copy of this thread in notepad just in case the archived thread in the Resolved HJT forum should ever fall-off.
One last thing and you can close the thread. Please cut-n-paste the text in the quote box below and include it in your final reply. It is very important to follow this step precisely to insure that this thread is resolved fully. Quote:
Sincere thanks to YOU!
Last edited by Ried; 08-29-2007 at 07:24 AM. Reason: removed [size=7] font. LOL |
|
|
|
|
|
08-28-2007, 11:37 PM
|
#13 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista
|
Re: Zedo infection, numerous pop-ups, slow system
Well thank you very much, but it's the experts who write the tools we have at our disposal, who are the real geniuses.
|
|
|
|
| Thread Tools | |
|
|
