
12 Posts
Discussion Starter · #1 ·
Hi,

It appears that one of our home computers has been infected with troj_agent.inc, based on both the anti-virus software messages and some anecdotal evidence (unwanted processes running that match virus descriptions, viral entries in the registry that immediately reappear even after manually removing them with regedit, etc.).

The PC is running Windows XP, SP2. When my kids called to report the problem, I immediately had them disconnect from the internet, and it has not been reconnected since.

Below is the DDS log, and the zipped attach.txt file is attached.

Any help or suggestions you can offer would be greatly appreciated.

Thanks,


DDS (Ver_09-03-16.01) - NTFSx86
Run by at 9:23:03.17 on Fri 05/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.151 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: {a0ba6929-aea3-4656-af01-65bdeaebee59} - c:\windows\system32\wegaloru.dll
BHO: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [Ywujuy] rundll32.exe "c:\windows\Hmiqasaxoga.dll",e
mRun: [niralekozi] Rundll32.exe "c:\windows\system32\lopibeki.dll",s
mRun: [CPM33b1c5d6] Rundll32.exe "c:\windows\system32\delutaha.dll",a
mRun: [3082f64a] rundll32.exe "c:\windows\system32\veyetidi.dll",b
mRun: [Nxecoludosayerox] rundll32.exe "c:\windows\aqipuveb.dll",e
StartupFolder: c:\docume~1\michael\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\dell wireless\PRISMCFG.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\suhaleti.dll c:\windows\system32\yanadeya.dll c:\windows\system32\delutaha.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\delutaha.dll
STS: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\delutaha.dll
LSA: Notification Packages = scecli c:\windows\system32\yanadeya.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: XUL Cache: {68A63756-BEDA-4B8F-AC7F-6854F52A55EC} - c:\documents and settings\nicole\local settings\application data\{68A63756-BEDA-4B8F-AC7F-6854F52A55EC}
FF - HiddenExtension: XUL Cache: {32D5DCC0-A54B-4E73-8EAB-9BBF0B158C16} - c:\documents and settings\michael\local settings\application data\{32D5DCC0-A54B-4E73-8EAB-9BBF0B158C16}
FF - HiddenExtension: XUL Cache: {BC077293-0BC0-45CA-8591-EB4729FD131E} - c:\documents and settings\holly\local settings\application data\{BC077293-0BC0-45CA-8591-EB4729FD131E}
FF - HiddenExtension: XUL Cache: {06B21EA1-8F31-4C05-BC25-FCD24A946ECC} - c:\documents and settings\larissa\local settings\application data\{06b21ea1-8f31-4c05-bc25-fcd24a946ecc}\

============= SERVICES / DRIVERS ===============

R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
S2 FCI;FCI;c:\windows\system32\svchost.exe:ext.exe --> c:\windows\system32\svchost.exe:ext.exe [?]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe [2009-4-29 28762]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2006-5-7 57344]

=============== Created Last 30 ================

2009-05-01 07:03 <DIR> --d----- c:\windows\SxsCaPendDel
2009-05-01 06:59 <DIR> --d----- c:\windows\system32\appmgmt
2009-04-30 18:41 1 ----h--- c:\windows\f23567.dat
2009-04-30 18:41 34,304 ----h--- c:\windows\freddy41.exe
2009-04-30 18:41 2 ----h--- c:\windows\t55ft2667f44.dat
2009-04-30 16:41 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-04-30 16:41 10,752 ----h--- c:\windows\pp06.exe
2009-04-30 16:41 2 ----h--- c:\windows\t55ft2692f44.dat
2009-04-30 16:40 14,848 a------- c:\windows\system32\DL32.exe
2009-04-30 16:40 <DIR> --d----- c:\windows\system32\796525
2009-04-30 16:40 0 a------- c:\windows\mqcd.dbt
2009-04-30 16:40 16,384 ----h--- c:\windows\ld08.exe
2009-04-30 04:39 1,407,011 ---sh--- c:\windows\system32\iditeyev.ini
2009-04-27 04:16 1,407,011 ---sh--- c:\windows\system32\isehohel.ini
2009-04-26 16:15 9,216 a------- c:\windows\instsp2.exe
2009-04-20 14:06 146,944 a------- c:\windows\ejibaqey.dll
2009-04-16 21:26 399,360 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:26 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:26 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 21:26 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-04-16 21:26 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-16 21:26 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:26 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:26 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 21:26 616,960 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:26 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:24 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 21:24 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-13 11:06 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0

==================== Find3M ====================

2009-05-01 09:23 94,204 a------- c:\windows\system32\drivers\18ee5625.sys
2009-04-30 16:40 101,888 a------- C:\wwmeoblk.exe
2009-04-30 16:39 7,680 a------- C:\celkadaa.exe
2009-04-30 16:39 577,536 a------- c:\windows\system32\user32.DLL
2009-04-30 16:39 577,536 a------- c:\windows\system32\dllcache\user32.dll
2009-04-30 16:39 262,144 a------- c:\windows\system32\nvrsk.dll
2009-04-30 16:39 14,336 a------- c:\windows\system32\OLD50.tmp
2009-04-30 16:39 113,664 a------- C:\kggi.exe
2009-04-30 16:39 15,000 a------- c:\windows\system32\sjg9s8guigjs.dll
2009-04-30 16:39 62,464 a--sh--- c:\windows\system32\pebudure.exe
2009-04-30 16:39 105,472 a--sh--- c:\windows\system32\delutaha.dll
2009-04-30 16:39 102,400 a--sh--- c:\windows\system32\zajosola.dll
2009-04-30 04:40 69,120 a--sh--- c:\windows\system32\bufezika.dll
2009-04-30 04:39 105,472 a--sh--- c:\windows\system32\hoguforu.dll
2009-04-30 04:39 60,416 a--sh--- c:\windows\system32\miwajiho.exe
2009-04-30 04:39 97,792 -------- c:\windows\system32\veyetidi.dll
2009-04-29 16:42 28,672 a------- c:\windows\system32\f3PSSavr.scr
2009-04-29 16:39 105,984 a--sh--- c:\windows\system32\yisawaje.dll
2009-04-29 16:39 98,304 a--sh--- c:\windows\system32\hizitapi.dll
2009-04-29 16:39 60,416 a--sh--- c:\windows\system32\wofurave.exe
2009-04-27 16:16 98,304 a--sh--- c:\windows\system32\sulowogu.dll
2009-04-27 16:16 105,984 a--sh--- c:\windows\system32\suhaleti.dll.vir
2009-04-27 16:16 58,368 a--sh--- c:\windows\system32\wepafehi.exe
2009-04-27 04:16 105,472 a--sh--- c:\windows\system32\fumomeme.dll.vir
2009-04-27 04:15 60,928 a--sh--- c:\windows\system32\kevejupu.exe
2009-04-26 16:15 97,280 a--sh--- c:\windows\system32\nomojumi.dll
2009-04-26 16:15 105,984 a--sh--- c:\windows\system32\barakihu.dll
2009-04-26 16:15 59,904 a--sh--- c:\windows\system32\lewenemu.exe
2009-03-21 09:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-07 10:44 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-06 09:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 18:27 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 16:44 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-19 04:50 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-02-09 05:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:20 723,456 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 05:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 05:19 1,846,272 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 12:24 2,180,480 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 12:22 2,136,064 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 12:22 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 12:14 110,592 a------- c:\windows\system32\services.exe
2009-02-06 11:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 11:49 2,015,744 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:49 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:49 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 15:08 55,808 a------- c:\windows\system32\secur32.dll
2009-02-03 15:08 55,808 -------- c:\windows\system32\dllcache\secur32.dll
2009-01-30 04:40 69,120 a--sh--- c:\windows\system32\lopibeki.dll
2009-01-26 16:09 67,072 a--sh--- c:\windows\system32\mezakuga.dll.vir
2009-01-29 16:39 68,608 a--sh--- c:\windows\system32\sofajesa.dll
2009-01-30 04:40 69,120 a--sh--- c:\windows\system32\wegaloru.dll
2009-01-30 04:40 69,120 a--sh--- c:\windows\system32\yanadeya.dll.vir

============= FINISH: 9:24:12.45 ===============
 

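The Pseudo HJT and services sections of the log above show the persistence locations this infection relies on: Run keys driving rundll32 with single-letter exports, AppInit_DLLs, an SSODL entry, an extra LSA notification package, and a service whose binary sits in an NTFS alternate data stream. As an added example (not code from the thread, DDS or ComboFix), the Python script below triages such lines with the heuristics a helper applies by eye; SAMPLE_LOG is constructed after the entries above, and the LSA allowlist of just scecli is an assumption about a stock XP install.

```python
"""Triage heuristics for a DDS "Pseudo HJT Report" (added example, not part of DDS)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: benign and suspicious lines modelled on the log above.
SAMPLE_LOG = r"""
mRun: [ehTray] c:\windows\ehome\ehtray.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [Ywujuy] rundll32.exe "c:\windows\Hmiqasaxoga.dll",e
mRun: [CPM33b1c5d6] Rundll32.exe "c:\windows\system32\delutaha.dll",a
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
BHO: {a0ba6929-aea3-4656-af01-65bdeaebee59} - c:\windows\system32\wegaloru.dll
BHO: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
AppInit_DLLs: c:\windows\system32\suhaleti.dll c:\windows\system32\yanadeya.dll c:\windows\system32\delutaha.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\delutaha.dll
LSA: Notification Packages = scecli c:\windows\system32\yanadeya.dll
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
S2 FCI;FCI;c:\windows\system32\svchost.exe:ext.exe --> c:\windows\system32\svchost.exe:ext.exe [?]
"""

PATH_RE = re.compile(r'[a-z]:\\.*?\.(?:dll|exe|sys|scr|lnk|tmp)', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
BHO_RE = re.compile(r'^BHO:\s*(?:(?P<name>.*?):\s*)?\{[^}]+\}\s*-\s*(?P<path>.+)$', re.I)
SERVICE_RE = re.compile(r'^[RS]\d\s+[^;]+;[^;]*;(?P<path>.+?)(?:\s+-->.*)?\s+\[')
KEY_RE = re.compile(r'^(?P<key>[A-Za-z_][\w ]*?):\s')
WINDIR = 'c:\\windows\\'
LSA_DEFAULT = {'scecli'}  # assumption: the only Notification Package on a stock XP box


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    context: str


def in_windir_root(path: str) -> bool:
    """True for a file sitting directly in the Windows folder, not a subfolder."""
    p = path.lower()
    return p.startswith(WINDIR) and '\\' not in p[len(WINDIR):]


def triage(log: str) -> list[Finding]:
    """One Finding per suspicious autostart entry, then cross-location hits."""
    findings: list[Finding] = []
    seen_in: dict[str, set[str]] = defaultdict(set)  # file path -> autostart locations
    for line in (raw.strip() for raw in log.splitlines()):
        svc = SERVICE_RE.match(line)
        if svc:
            path = svc['path']
            seen_in[path.lower()].add('Service')
            # host.exe:stream.exe means the service binary lives in an NTFS alternate data stream
            if ':' in path.rsplit('\\', 1)[-1]:
                findings.append(Finding('service binary in alternate data stream', path, line))
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        key = m['key']
        paths = PATH_RE.findall(line)
        for path in paths:
            seen_in[path.lower()].add(key)
        if key in ('mRun', 'uRun'):
            r = RUNDLL_RE.search(line)
            if r and len(r['export']) == 1:
                findings.append(Finding('rundll32 loader with single-letter export', r['dll'], line))
            elif r is None:
                findings += [Finding('autostart executable in %WINDIR% root', p, line)
                             for p in paths if in_windir_root(p)]
        elif key == 'AppInit_DLLs':  # injected into every process that loads user32
            findings += [Finding('AppInit_DLLs injection', p, line) for p in paths]
        elif key == 'LSA':  # loaded by lsass.exe at boot, so it survives user-level cleanup
            findings += [Finding('non-default LSA notification package', tok, line)
                         for tok in line.partition('=')[2].split() if tok.lower() not in LSA_DEFAULT]
        elif key == 'BHO':
            b = BHO_RE.match(line)
            if b and (b['name'] is None or b['name'].lower() == b['path'].lower()):
                findings.append(Finding('BHO without a product name', b['path'], line))
    # The same DLL wired into several autostart locations is a strong malware indicator.
    for path, locations in sorted(seen_in.items()):
        if len(locations) > 1:
            findings.append(Finding('same file in multiple autostart locations', path,
                                    ', '.join(sorted(locations))))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.rule:45} {f.path}')
```

Run against the full Pseudo HJT and services sections of a DDS log, the script returns the entries a helper would ask about first; the benign Trend Micro, ehTray and Easy-WebPrint lines in the sample produce no finding.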

553 Posts
Hello and welcome to Tech Support Forum.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!
 

553 Posts
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated)

Please update PC-cillin ASAP. You should always have your Anti-Virus program up to date at all times.

You missed a step in the NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help thread. Please go back to that thread and follow the instructions for downloading and running GMER. Post the GMER Log in your next post/reply.


After you've done that, do the following:

Step # 1: Add/Remove Programs

Go to Start-Settings-Control Panel, click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

My Web Search

MyWay Search Assistant


Reboot your Computer.
 

12 Posts
Discussion Starter · #5 ·
Yes - definitely still need help. Sorry for the delay. I was away for a few days. I will respond later today with the suggested responses (and the missing file).

Thanks again for your help.
 

12 Posts
Discussion Starter · #6 ·
km2357,

OK, let's try again with a fresh set of logs. I removed the two programs suggested (My Web Search and MyWay Search Assistant) and rebooted as instructed. I then gathered a clean set of the requested scripts and logs. The DDS log is below, and the zip file with the ark.txt and Attach.txt logs is attached to this post.

I also acknowledge and agree with your suggestion to update the TrendMicro AV software to the latest version, and will do so, but did not want to reconnect to the internet at the moment. I assume this can wait until we get a bit further along?

Thanks again for your help, and I apologize again for the delay in the follow-up to provide the missing ark.txt log.


DDS (Ver_09-03-16.01) - NTFSx86
Run by at 21:28:12.79 on Thu 05/07/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.113 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\windows\ld08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
BHO: {a0ba6929-aea3-4656-af01-65bdeaebee59} - c:\windows\system32\wegaloru.dll
BHO: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [Ywujuy] rundll32.exe "c:\windows\Hmiqasaxoga.dll",e
mRun: [niralekozi] Rundll32.exe "c:\windows\system32\lopibeki.dll",s
mRun: [CPM33b1c5d6] Rundll32.exe "c:\windows\system32\delutaha.dll",a
mRun: [3082f64a] rundll32.exe "c:\windows\system32\veyetidi.dll",b
mRun: [Nxecoludosayerox] rundll32.exe "c:\windows\aqipuveb.dll",e
StartupFolder: c:\docume~1\michael\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\dell wireless\PRISMCFG.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\suhaleti.dll c:\windows\system32\yanadeya.dll c:\windows\system32\delutaha.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\delutaha.dll
STS: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\delutaha.dll
LSA: Notification Packages = scecli c:\windows\system32\yanadeya.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: XUL Cache: {68A63756-BEDA-4B8F-AC7F-6854F52A55EC} - c:\documents and settings\nicole\local settings\application data\{68A63756-BEDA-4B8F-AC7F-6854F52A55EC}
FF - HiddenExtension: XUL Cache: {32D5DCC0-A54B-4E73-8EAB-9BBF0B158C16} - c:\documents and settings\michael\local settings\application data\{32D5DCC0-A54B-4E73-8EAB-9BBF0B158C16}
FF - HiddenExtension: XUL Cache: {BC077293-0BC0-45CA-8591-EB4729FD131E} - c:\documents and settings\holly\local settings\application data\{BC077293-0BC0-45CA-8591-EB4729FD131E}
FF - HiddenExtension: XUL Cache: {06B21EA1-8F31-4C05-BC25-FCD24A946ECC} - c:\documents and settings\larissa\local settings\application data\{06b21ea1-8f31-4c05-bc25-fcd24a946ecc}\

============= SERVICES / DRIVERS ===============

R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
S2 FCI;FCI;c:\windows\system32\svchost.exe:ext.exe --> c:\windows\system32\svchost.exe:ext.exe [?]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2006-5-7 57344]

=============== Created Last 30 ================

2009-05-07 20:49 1,995 ---sh--- c:\windows\system32\vakumene.exe
2009-05-07 13:47 434,271 a------- c:\program files\Uninstall Fun Web Products.dll
2009-05-04 13:45 1,995 ---sh--- c:\windows\system32\rihinopu.exe
2009-05-03 19:44 1,995 ---sh--- c:\windows\system32\ketafuze.exe
2009-05-02 07:42 1,995 ---sh--- c:\windows\system32\pikasoso.exe
2009-05-01 13:41 1,995 ---sh--- c:\windows\system32\hikepohe.exe
2009-05-01 07:03 <DIR> --d----- c:\windows\SxsCaPendDel
2009-05-01 06:59 <DIR> --d----- c:\windows\system32\appmgmt
2009-04-30 18:41 1 ----h--- c:\windows\f23567.dat
2009-04-30 18:41 34,304 ----h--- c:\windows\freddy41.exe
2009-04-30 18:41 2 ----h--- c:\windows\t55ft2667f44.dat
2009-04-30 16:41 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-04-30 16:41 10,752 ----h--- c:\windows\pp06.exe
2009-04-30 16:41 2 ----h--- c:\windows\t55ft2692f44.dat
2009-04-30 16:40 14,848 a------- c:\windows\system32\DL32.exe
2009-04-30 16:40 <DIR> --d----- c:\windows\system32\796525
2009-04-30 16:40 0 a------- c:\windows\mqcd.dbt
2009-04-30 16:40 16,384 ----h--- c:\windows\ld08.exe
2009-04-30 04:39 1,407,011 ---sh--- c:\windows\system32\iditeyev.ini
2009-04-27 04:16 1,407,011 ---sh--- c:\windows\system32\isehohel.ini
2009-04-26 16:15 9,216 a------- c:\windows\instsp2.exe
2009-04-20 14:06 146,944 a------- c:\windows\ejibaqey.dll
2009-04-16 21:26 399,360 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:26 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:26 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 21:26 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-04-16 21:26 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-16 21:26 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:26 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:26 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 21:26 616,960 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:26 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:24 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 21:24 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-13 11:06 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0

==================== Find3M ====================

2009-05-07 21:28 94,204 a------- c:\windows\system32\drivers\18ee5625.sys
2009-04-30 16:40 101,888 a------- C:\wwmeoblk.exe
2009-04-30 16:39 7,680 a------- C:\celkadaa.exe
2009-04-30 16:39 577,536 a------- c:\windows\system32\user32.DLL
2009-04-30 16:39 577,536 a------- c:\windows\system32\dllcache\user32.dll
2009-04-30 16:39 262,144 a------- c:\windows\system32\nvrsk.dll
2009-04-30 16:39 14,336 a------- c:\windows\system32\OLD50.tmp
2009-04-30 16:39 113,664 a------- C:\kggi.exe
2009-04-30 16:39 15,000 a------- c:\windows\system32\sjg9s8guigjs.dll
2009-04-30 16:39 62,464 a--sh--- c:\windows\system32\pebudure.exe
2009-04-30 16:39 105,472 a--sh--- c:\windows\system32\delutaha.dll
2009-04-30 16:39 102,400 a--sh--- c:\windows\system32\zajosola.dll
2009-04-30 04:40 69,120 a--sh--- c:\windows\system32\bufezika.dll
2009-04-30 04:39 105,472 a--sh--- c:\windows\system32\hoguforu.dll
2009-04-30 04:39 60,416 a--sh--- c:\windows\system32\miwajiho.exe
2009-04-30 04:39 97,792 -------- c:\windows\system32\veyetidi.dll
2009-04-29 16:39 105,984 a--sh--- c:\windows\system32\yisawaje.dll
2009-04-29 16:39 98,304 a--sh--- c:\windows\system32\hizitapi.dll
2009-04-29 16:39 60,416 a--sh--- c:\windows\system32\wofurave.exe
2009-04-27 16:16 98,304 a--sh--- c:\windows\system32\sulowogu.dll
2009-04-27 16:16 105,984 a--sh--- c:\windows\system32\suhaleti.dll.vir
2009-04-27 16:16 58,368 a--sh--- c:\windows\system32\wepafehi.exe
2009-04-27 04:16 105,472 a--sh--- c:\windows\system32\fumomeme.dll.vir
2009-04-27 04:15 60,928 a--sh--- c:\windows\system32\kevejupu.exe
2009-04-26 16:15 97,280 a--sh--- c:\windows\system32\nomojumi.dll
2009-04-26 16:15 105,984 a--sh--- c:\windows\system32\barakihu.dll
2009-04-26 16:15 59,904 a--sh--- c:\windows\system32\lewenemu.exe
2009-03-21 09:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-07 10:44 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-06 09:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 18:27 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 16:44 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-19 04:50 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-02-09 05:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:20 723,456 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 05:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 05:19 1,846,272 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-30 04:40 69,120 a--sh--- c:\windows\system32\lopibeki.dll
2009-01-26 16:09 67,072 a--sh--- c:\windows\system32\mezakuga.dll.vir
2009-01-29 16:39 68,608 a--sh--- c:\windows\system32\sofajesa.dll
2009-01-30 04:40 69,120 a--sh--- c:\windows\system32\wegaloru.dll
2009-01-30 04:40 69,120 a--sh--- c:\windows\system32\yanadeya.dll.vir

============= FINISH: 21:29:41.84 ===============
 

Attachments
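The listing above shows a pattern worth recognising in a DDS log: files created in the last few days, sitting directly in system32 with the hidden and system attributes set, and carrying eight-letter pronounceable-gibberish names. As an added example (not part of the thread, and not a DDS or ComboFix component), the Python script below parses lines in that listing format and flags entries that carry at least two of those three indicators. The line layout and the attribute letters (a, s, h) are read off the listing above; the indicator weighting, the seven-day window and the scan date passed in (2009-05-01 in the sample run) are this example's own assumptions, and the sample lines are copied from the listing with a couple of benign system files kept in so the filter can be seen passing them.

```python
import re
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed sample, assembled from lines of the DDS file listing posted in this
# thread (including legitimate system files from the same listing as negatives).
SAMPLE_DDS = r"""
2009-04-30 04:39 60,416 a--sh--- c:\windows\system32\miwajiho.exe
2009-04-30 04:39 97,792 -------- c:\windows\system32\veyetidi.dll
2009-04-29 16:39 105,984 a--sh--- c:\windows\system32\yisawaje.dll
2009-04-27 16:16 105,984 a--sh--- c:\windows\system32\suhaleti.dll.vir
2009-03-21 09:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-07 10:44 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-06 09:44 283,648 a------- c:\windows\system32\pdh.dll
"""

# One DDS listing line: date, time, size with thousands separators, an
# 8-character attribute field (a=archive, s=system, h=hidden, ...), then the path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) ([-a-z]{8}) (.+)$")
# Eight lowercase letters plus exe/dll, optionally with the .vir/.tmp suffix an
# earlier ComboFix run appends to files it has neutralised.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(exe|dll)(\.vir|\.tmp)?$")
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Entry:
    created: datetime
    size: int
    attrs: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0]


def parse_dds(text: str) -> list:
    """Parse listing lines; headers, blank lines and anything else are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M")
        size = int(m.group(3).replace(",", ""))
        entries.append(Entry(when, size, m.group(4), m.group(5)))
    return entries


def triage(entries: list, scan_date: date, recent_days: int = 7, min_indicators: int = 2) -> list:
    """Return entries carrying at least min_indicators of the three indicators (assumed weighting)."""
    cutoff = datetime.combine(scan_date, datetime.min.time()) - timedelta(days=recent_days)
    flagged = []
    for e in entries:
        if e.parent.lower() == SYSTEM32 and RANDOM_NAME_RE.match(e.name):
            e.reasons.append("random 8-letter name directly in system32")
        if "s" in e.attrs and "h" in e.attrs:
            e.reasons.append("hidden+system attributes")
        if e.created >= cutoff:
            e.reasons.append(f"created within {recent_days} days of the scan")
        if len(e.reasons) >= min_indicators:
            flagged.append(e)
    return flagged


def triage_sample() -> list:
    """Flagged file names for the constructed sample, scan date assumed 2009-05-01."""
    return [e.name for e in triage(parse_dds(SAMPLE_DDS), date(2009, 5, 1))]


if __name__ == "__main__":
    for e in triage(parse_dds(SAMPLE_DDS), date(2009, 5, 1)):
        print(f"{e.path}  <- {', '.join(e.reasons)}")
```

Note that KGyGaAvL.sys is hidden and system but fails the name test and is not recent, so it is left alone: a single indicator on its own is what produces false positives, which is why the script asks for two.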

·
Registered
Joined
·
553 Posts
Thanks for posting the fresh set of logs. :smile:

Quote:
    I also acknowledge and agree with your suggestion to update the TrendMicro AV software to the latest version, and will do so, but did not want to reconnect to the internet at the moment. I assume this can wait until we get a bit further along?
Since the infected computer is not connected to the Internet at the moment, it's ok to not update Trend Micro for the time being. I will let you know when you can reconnect the infected computer to the Internet to update Trend Micro.


Let's get started:


Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.
 

·
Registered
Joined
·
553 Posts
Thanks for the ComboFix Log. From now on, unless otherwise instructed, please post all logs in the thread, do not attach them. If you can't fit a log into one post, use multiple posts to get it all in.

Thanks. :smile:


Step # 1: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KILLALL::
    
    File::
    
    c:\windows\freddy41.exe
    c:\windows\t55ft2667f44.dat
    c:\windows\t55ft2692f44.dat
    C:\wwmeoblk.exe
    C:\celkadaa.exe
    C:\kggi.exe
    c:\windows\instsp2.exe
    c:\windows\ejibaqey.dll
    c:\windows\system32\OLD50.tmp
    c:\windows\system32\suhaleti.dll.vir
    c:\windows\system32\fumomeme.dll.vir
    c:\windows\system32\likayefo.dll.tmp
    c:\windows\system32\mezakuga.dll.vir
    c:\windows\system32\vofefupu.dll.tmp
    c:\windows\system32\yanadeya.dll.vir
    c:\windows\Hmiqasaxoga.dll
    c:\windows\aqipuveb.dll
    
    Registry::
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Ywujuy"=-
    "Nxecoludosayerox"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3529f7f4-3644-11de-8a11-00123fa6e8c1}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3529f7f5-3644-11de-8a11-00123fa6e8c1}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    
    DDS::
    
    IE: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZNfox000
    uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    uDefault_Page_URL = hxxp://www.dell4me.com/myway
    mDefault_Page_URL = hxxp://www.dell4me.com/myway
    mStart Page = hxxp://www.dell4me.com/myway
    uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
    uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Note: This CFScript is for use on mpatx's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
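Before dragging a script like the one above onto ComboFix, it helps to read it as a plan: KILLALL:: stops running processes first, File:: lists paths to delete, and the Registry:: section uses .reg-file notation, where `[-KEY]` removes a whole key and `"Name"=-` removes a single value from the key named on the preceding `[KEY]` line. The Python parser below turns a CFScript into such a plan. It is an added example written for this thread, not ComboFix's own code; the section meanings are the standard .reg conventions, which ComboFix is assumed here to apply, and the sample is an abridged copy of the script above.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the CFScript posted in this thread.
SAMPLE_CFSCRIPT = r"""
KILLALL::

File::

c:\windows\freddy41.exe
C:\wwmeoblk.exe
c:\windows\system32\suhaleti.dll.vir

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ywujuy"=-
"Nxecoludosayerox"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3529f7f4-3644-11de-8a11-00123fa6e8c1}]

DDS::

uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")        # e.g. File::  Registry::
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')      # "Name"=-  (.reg: delete value)


def parse_cfscript(text: str) -> dict:
    """Split a CFScript into its '::' sections; returns {section: [lines]}."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])   # keep bodiless sections such as KILLALL
            continue
        if current is None:
            raise ValueError(f"line before any section header: {line!r}")
        sections[current].append(line)
    return dict(sections)


def review(sections: dict) -> dict:
    """Translate the script into plain actions so it can be checked before use."""
    plan = {
        "kill_processes": "KILLALL" in sections,
        "delete_files": list(sections.get("File", [])),
        "delete_values": [],
        "delete_keys": [],
        "dds_fixes": list(sections.get("DDS", [])),
    }
    key = None
    for line in sections.get("Registry", []):
        if line.startswith("[-") and line.endswith("]"):
            plan["delete_keys"].append(line[2:-1])   # [-KEY] removes the whole key
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                         # [KEY] selects the key for the values below
        else:
            m = VALUE_DELETE_RE.match(line)
            if not m or key is None:
                raise ValueError(f"unrecognised Registry:: line: {line!r}")
            plan["delete_values"].append((key, m.group(1)))  # "Name"=- removes one value
    return plan


if __name__ == "__main__":
    plan = review(parse_cfscript(SAMPLE_CFSCRIPT))
    print("kill running processes first:", plan["kill_processes"])
    for path in plan["delete_files"]:
        print("delete file   ", path)
    for key, name in plan["delete_values"]:
        print("delete value  ", f"{key} -> {name}")
    for key in plan["delete_keys"]:
        print("delete key    ", key)
    for line in plan["dds_fixes"]:
        print("reset setting ", line)
```

Anything the parser refuses (a value line with no preceding key, text outside any section) is exactly the kind of line that deserves a second look before the script is run, which is the point of reviewing it in this form rather than by eye.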
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #10 ·
Here is the latest ComboFix log, as requested, after following the most recent step:


ComboFix 09-05-08.03 - 05/09/2009 5:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.148 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*

FILE ::
C:\celkadaa.exe
C:\kggi.exe
c:\windows\aqipuveb.dll
c:\windows\ejibaqey.dll
c:\windows\freddy41.exe
c:\windows\Hmiqasaxoga.dll
c:\windows\instsp2.exe
c:\windows\system32\fumomeme.dll.vir
c:\windows\system32\likayefo.dll.tmp
c:\windows\system32\mezakuga.dll.vir
c:\windows\system32\OLD50.tmp
c:\windows\system32\suhaleti.dll.vir
c:\windows\system32\vofefupu.dll.tmp
c:\windows\system32\yanadeya.dll.vir
c:\windows\t55ft2667f44.dat
c:\windows\t55ft2692f44.dat
C:\wwmeoblk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\celkadaa.exe
C:\kggi.exe
c:\windows\aqipuveb.dll
c:\windows\ejibaqey.dll
c:\windows\freddy41.exe
c:\windows\Hmiqasaxoga.dll
c:\windows\instsp2.exe
c:\windows\system32\fumomeme.dll.vir
c:\windows\system32\likayefo.dll.tmp
c:\windows\system32\mezakuga.dll.vir
c:\windows\system32\OLD50.tmp
c:\windows\system32\suhaleti.dll.vir
c:\windows\system32\vofefupu.dll.tmp
c:\windows\system32\yanadeya.dll.vir
c:\windows\t55ft2667f44.dat
c:\windows\t55ft2692f44.dat
C:\wwmeoblk.exe
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.

2009-05-01 12:03 . 2009-05-01 12:22 -------- d-----w c:\windows\SxsCaPendDel
2009-04-20 19:06 . 2009-04-20 19:06 -------- d-----w c:\documents and settings\Larissa\Local Settings\Application Data\{06B21EA1-8F31-4C05-BC25-FCD24A946ECC}
2009-04-17 02:26 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 02:26 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-17 02:26 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 02:26 . 2009-02-09 10:20 399360 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 02:26 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 02:26 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 02:26 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 02:26 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 02:26 . 2009-02-09 10:20 616960 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 02:26 . 2009-02-09 10:20 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 02:24 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 16:06 . 2009-04-13 16:06 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-09 03:29 . 2005-08-16 10:18 577536 ----a-w c:\windows\system32\user32.dll
2009-04-17 02:08 . 2009-02-22 21:14 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-13 16:02 . 2005-11-23 22:05 -------- d-----w c:\program files\Common Files\Intuit
2009-04-13 15:39 . 2007-04-09 14:06 -------- d-----w c:\program files\TurboTax
2009-03-07 15:44 . 2007-10-02 19:15 4184 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-03-07 15:44 . 2007-10-02 19:15 104 --sh--r c:\windows\system32\7BFF050E4F.sys
2009-03-06 14:44 . 2005-08-16 10:18 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:14 . 2005-08-16 10:18 668160 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:14 . 2005-08-16 10:18 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2005-08-16 10:18 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2005-08-16 10:18 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2005-08-16 10:18 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2005-08-16 10:18 1846272 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-12 176201]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-23 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-09-18 110592]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\Nicole\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 61440]

c:\documents and settings\Holly\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 61440]

c:\documents and settings\Larissa\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 61440]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-11-23 156784]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-3-1 972320]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-5-7 917611]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\America Online 9.0\\aoltray.exe"=
"c:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe"=
"c:\\Program Files\\OpenOffice.org 2.0\\program\\soffice.bin"=
"c:\\Program Files\\Dell Wireless\\PRISMCFG.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 5:30 PM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 5:30 PM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 5:30 PM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 5:30 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 5:30 PM 262215]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [5/7/2006 8:37 PM 57344]
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 05:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\PRISMAPI.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\PRISMSVR.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\TRENDM~1\INTERN~1\pccguide.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\OpenOffice.org 2.0\program\soffice.exe
c:\program files\OpenOffice.org 2.0\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-09 5:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-09 10:44
ComboFix2.txt 2009-05-09 03:40

Pre-Run: 56,413,466,624 bytes free
Post-Run: 56,508,334,080 bytes free

213 --- E O F --- 2009-04-18 16:01
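The Reg Loading Points section of the log above records the settings a helper reads first: UpdatesDisableNotify=1 silences Security Center's warnings, DisableMonitoring=1 under Monitoring\TrendAntiVirus and Monitoring\TrendFirewall stops Security Center tracking those products, and EnableFirewall=0 means the Windows Firewall standard profile is off. As an added example, not code from the thread or from ComboFix, the Python below reads a REGEDIT4-style excerpt of that section and reports those settings with a severity. The DisableMonitoring entries are reported as "review" rather than "weak" because security products register that value themselves; the severities and the key-suffix matching are this example's assumptions, and the sample is constructed from the log above.

```python
import re

# Constructed sample: Security Center and firewall entries from the
# "Reg Loading Points" section of the ComboFix log posted in this thread.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Accepts "Name"=dword:00000001, ComboFix's "Name"= 0 (0x0) spelling, and "Name"="string".
VALUE_RE = re.compile(
    r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\)|"(.*)")'
)

# (key fragment to look for, value name, value that is a finding, severity, explanation)
# The severities are this example's own judgement, not a ComboFix rating.
CHECKS = [
    ("security center", "UpdatesDisableNotify", 1, "weak",
     "Security Center will not warn that updates are off"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0, "weak",
     "Windows Firewall is disabled for the standard profile"),
    ("security center\\monitoring", "DisableMonitoring", 1, "review",
     "Security Center no longer monitors this product; vendors set this themselves, so confirm it is expected"),
]


def parse_reg_points(text: str) -> dict:
    """Return {key (lowercased): {value_name: int | str}} for a REGEDIT4-style dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, hexval, decval, strval = m.groups()
            if hexval is not None:
                keys[current][name] = int(hexval, 16)
            elif decval is not None:
                keys[current][name] = int(decval)
            else:
                keys[current][name] = strval
    return keys


def audit(keys: dict) -> list:
    """Return (severity, key, value name, explanation) for every matching check."""
    findings = []
    for key, values in keys.items():
        for fragment, name, bad, severity, why in CHECKS:
            if fragment in key and values.get(name) == bad:
                findings.append((severity, key, name, why))
    return findings


if __name__ == "__main__":
    for severity, key, name, why in audit(parse_reg_points(SAMPLE_REG)):
        print(f"[{severity:6}] {key}\\{name}: {why}")
```

The same three settings are what Malwarebytes later reports in this thread (UpdatesDisableNotify as Disabled.SecurityCenter), so a check like this gives a quick read of the machine's protective posture before any scanner has run.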
 

·
Registered
Joined
·
553 Posts
You now need to reconnect the computer to the Internet. You'll need to be connected to the 'Net in order to download the latest updates/definitions for MalwareBytes' Anti-Malware.

You can also update Trend Micro's AV as well.


Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u13.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:

  • Java 2 Runtime Environment, SE v1.4.2_03

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.


Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #12 ·
I removed the Java Runtime and rebooted, as instructed, and then attempted to execute the downloaded Java installation file.

However, the Java installer gave the following error message and then prompted me to exit:

Error 1330. A file that is required cannot be installed because the cabinet files C:\Documents and Settings\Michael\Application Data\Sun\Java\...\Data1.cab has an invalid digital signature. This may indicate that the cabinet file is corrupt.
 

·
Registered
Joined
·
553 Posts
Step # 1: Download and Run JavaRa

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Once JavaRa is finished running, reboot your computer.

When your computer has started back up, try installing Java again.

Post the JavaRa Log in your next post and let me know if the Java installation was successful.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #14 ·
No change after running JavaRa, rebooting and then retrying the Java installation. The same error (regarding the possibly corrupted "cabinet file") occurs fairly early in the installation process.

Below is the JavaRa log.



JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun May 10 15:47:14 2009

------------------------------------

Finished reporting.
 

·
Registered
Joined
·
553 Posts
You can go ahead and delete JavaRa.zip, JavaRa.exe and the JavaRa logfile from your computer.

It's possible the Java installation file you downloaded may have been corrupted during the download. Try deleting it and redownloading it again and see if it will let you install Java this time.


If that doesn't work, then try this next:

Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.

Be sure to re-hide your files once you are finished cleaning your computer.


Once that is done, delete the following folders, if found:

C:\Documents and Settings\Michael\Application Data\Sun\Java

C:\Program Files\Java

Once those folders are deleted, reboot your computer and try installing Java again.

Let me know if either suggestion works.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #16 ·
Tried both options - still no change (same error message regarding the cabinet file).

I'm not sure if the problem is directly or indirectly related to the "infection" of the computer, but based on a brief Google search (from another computer), it sounds like a fairly common (but challenging) problem with certain Java installations.

Is it possible to temporarily set aside the Java re-installation and continue "cleaning" the machine? (i.e. you had suggested ATF and Malware steps following reinstallation of Java, etc.). Not that I am opposed to trying to resolve the Java issue first (as eventually it will need to be resolved), but if some of the remaining scans and disinfection can continue w/o Java, we can revisit Java later (with a "cleaner" computer).

But I will await your instruction... :1angel:
 

·
Registered
Joined
·
553 Posts
We can hold off on Java for now. We can come back to it with a "cleaner" computer to see if that makes a difference or not. We'll get it fixed before we are fully finished with your computer. :smile:

Go ahead and do Steps 2 and 3 (downloading and running ATF Cleaner and MalwareBytes' Anti-Malware) of Post #11 of this thread and post MalwareBytes's Log in your next post.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #18 ·
I ran ATF Cleaner and the Malwarebytes quick scan. Here is the Malwarebytes log after the quick scan and the "remove selected" step:


Malwarebytes' Anti-Malware 1.36
Database version: 2118
Windows 5.1.2600 Service Pack 2

5/12/2009 9:54:17 PM
mbam-log-2009-05-12 (21-54-17).txt

Scan type: Quick Scan
Objects scanned: 103017
Time elapsed: 10 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Larissa\Desktop\ZwinkySetup2.2.60.11-2.ZJfox000(2).exe (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\Documents and Settings\Larissa\Desktop\ZwinkySetup2.2.60.11-2.ZJfox000.exe (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicole\Desktop\SmileyCentralPFSetup2.3.50.22.ZNfox000.exe (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
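A Malwarebytes log carries both summary counts and an itemised list, so two useful checks when reading a posted log are that the two agree and that every entry ends in the usual success message rather than a deferred removal. The Python parser below, an added example and not Malwarebytes' own code, does that for the format shown above and tallies detections by family name. The entry pattern `object (Detection) -> action` is taken from the log; the sample is an abridged copy of it with the summary counts reduced to match the entries kept.

```python
import re
from collections import Counter

# Constructed sample: an abridged copy of the Malwarebytes log posted in this
# thread, with the summary counts reduced to match the entries kept here.
SAMPLE_MBAM = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2118
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 103017

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Larissa\Desktop\ZwinkySetup2.2.60.11-2.ZJfox000(2).exe (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")      # "Files Infected: 2"
SECTION_RE = re.compile(r"^(.+ Infected):$")            # "Files Infected:" (list header)
ENTRY_RE = re.compile(r"^(.*?) \(([^()]+)\) -> (.*)$")  # object (Detection) -> action


def parse_mbam(text: str):
    """Return (summary counts, {section: [(object, detection, action), ...]})."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious"):
            continue  # header lines before the first section, or an empty section
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed entry under {current}: {line!r}")
        sections[current].append((m.group(1), m.group(2), m.group(3)))
    return summary, sections


def consistency_problems(summary: dict, sections: dict) -> list:
    """Summary count versus number of itemised entries, per section."""
    problems = []
    for name, count in summary.items():
        actual = len(sections.get(name, []))
        if actual != count:
            problems.append(f"{name}: summary says {count}, log lists {actual}")
    return problems


def detections_by_family(sections: dict) -> Counter:
    """How many objects each detection name accounts for, across all sections."""
    return Counter(det for entries in sections.values() for _, det, _ in entries)


def actions_not_completed(sections: dict) -> list:
    """Entries whose action text is not the usual success message (e.g. deferred to reboot)."""
    return [(obj, act) for entries in sections.values() for obj, _, act in entries
            if not act.endswith("successfully.")]


if __name__ == "__main__":
    summary, sections = parse_mbam(SAMPLE_MBAM)
    print("problems:", consistency_problems(summary, sections) or "none")
    print("pending:", actions_not_completed(sections) or "none")
    for family, n in detections_by_family(sections).most_common():
        print(f"{n:3}  {family}")
```

In the full log above the family tally would show MyWebSearch/MyWay adware dominating the registry entries, one Security Center tampering item and one KoobFace file, which is a compact way to describe a log of this length in a reply.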
 

·
Registered
Joined
·
553 Posts
Please go to the Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.

  1. Check (tick) this box: YES, I accept the Terms of Use.
  2. Click on the Start button next to it.
  3. When prompted to run ActiveX, click Yes.
  4. You will be asked to install an ActiveX. Click Install.
  5. Once installed, the scanner will be initialized.
  6. After the scanner is initialized, click Start.
  7. Uncheck (untick) Remove found threats box.
  8. Check (tick) Scan unwanted applications.
  9. Click on Scan.
  10. It will start scanning. Please be patient.
  11. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. ESET Log
2. A fresh DDS Log
3. Besides the problem with Java, how is the computer doing? Any other problems?
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #20 ·
Ran ESET, and log is posted below, along with latest DDS log.

As for other operation of the computer, to be honest, I have intentionally avoided much use until the "cleaning" is complete. Aside from the Java issue, the main problem I had noticed prior to "cleaning" was that QuickBooks no longer launched (the "loading" screen appears, but after a while the screen disappears and the program never appears, though a process for it shows up in the Task Manager). According to some Intuit support forums, it seems that the problem is often due to corruption of the MS .NET framework, but reinstalling that component did not solve the problem. (Note: I have not tried this recently - i.e. since the latest "cleaning")

And, of course, there is still the Java issue.

Anyway, here are the requested logs:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4070 (20090513)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=88cbfb9499b9b94c821e27ec49bfafc4
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-05-13 12:47:31
# local_time=2009-05-13 07:47:31 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=275205
# found=23
# scan_time=2414
C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-09_05.35.09.ZIP multiple infiltrations 79DA8A46E0C2C3EE4A23B2B5299F6280
C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-09_05.35.09.ZIP »ZIP »celkadaa.exe a variant of Win32/TrojanDownloader.Small.OOC trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-09_05.35.09.ZIP »ZIP »aqipuveb.dll a variant of Win32/Kryptik.JU trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-09_05.35.09.ZIP »ZIP »freddy41.exe probably a variant of Win32/Genetik trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-09_05.35.09.ZIP »ZIP »Hmiqasaxoga.dll a variant of Win32/Cimag trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-09_05.35.09.ZIP »ZIP »instsp2.exe a variant of Win32/TrojanDownloader.Small.OOT trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-09_05.35.09.ZIP »ZIP »wwmeoblk.exe Win32/TrojanDropper.Delf.NKN trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\ld08.exe.vir Win32/Koobface.HN worm 60D7DA70982D7B090640F0AE74FD1272
C:\Qoobox\Quarantine\C\WINDOWS\pp06.exe.vir probably a variant of Win32/Koobface.NAY worm 880159999FAC81C50E3BD9EAC77C6A93
C:\Qoobox\Quarantine\C\WINDOWS\system32\DL32.exe.vir a variant of Win32/Tinxy.AD trojan D2F6B30B8DCADE9A48FC081ACCB9468C
C:\Qoobox\Quarantine\C\WINDOWS\system32\hizitapi.dll.vir Win32/Agent.PHJ trojan A810C1FC73FAAD187352267D8D84459F
C:\Qoobox\Quarantine\C\WINDOWS\system32\iditeyev.ini.vir Win32/Adware.Virtumonde.NEO~datafile application A085B2B97454AE47FBB0ED0851713906
C:\Qoobox\Quarantine\C\WINDOWS\system32\isehohel.ini.vir Win32/Adware.Virtumonde.NEO~datafile application D445BD62F10D68ED6266DAF39BE5C7DF
C:\Qoobox\Quarantine\C\WINDOWS\system32\kevejupu.exe.vir Win32/Qhost.NJL trojan A35AEE56731CF881BEB21CABA8796BC6
C:\Qoobox\Quarantine\C\WINDOWS\system32\lewenemu.exe.vir Win32/Qhost.NJL trojan D00148D945A0953E224B98ADD4988B87
C:\Qoobox\Quarantine\C\WINDOWS\system32\nomojumi.dll.vir Win32/Agent.PHJ trojan 3831CB2F6302578847830EF7C9223486
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvrsk.dll.vir Win32/Pinit.J worm 483A28B4F3673170913EA691EA6DC400
C:\Qoobox\Quarantine\C\WINDOWS\system32\sjg9s8guigjs.dll.vir Win32/TrojanDownloader.Small.NTQ trojan BE64C8D27E584847F53A05C97A50876A
C:\Qoobox\Quarantine\C\WINDOWS\system32\sulowogu.dll.vir Win32/Agent.PHJ trojan B4F548B5268641B8DD573728B14D078C
C:\Qoobox\Quarantine\C\WINDOWS\system32\zajosola.dll.vir Win32/Agent.PHJ trojan 6EC9C955E8B98FF21EFA6A59F3168A22
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Cimag trojan BBEB79A9BD44CD1A70F9A4948690A7AD
C:\Qoobox\Quarantine\C\WINDOWS\system32\796525\796525.dll.vir Win32/BHO.NOE trojan 39B9F67A45039BF1AC69D8A0B11B158E
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE Win32/Adware.DSSAgent application B55C6DF7FDFBAFE93ECB36DB98D07D12



DDS (Ver_09-03-16.01) - NTFSx86
Run by at 8:04:44.54 on Wed 05/13/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.225 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael\Desktop\dds.scr
C:\WINDOWS\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\michael\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\dell wireless\PRISMCFG.exe
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: XUL Cache: {68A63756-BEDA-4B8F-AC7F-6854F52A55EC} - c:\documents and settings\nicole\local settings\application data\{68A63756-BEDA-4B8F-AC7F-6854F52A55EC}
FF - HiddenExtension: XUL Cache: {32D5DCC0-A54B-4E73-8EAB-9BBF0B158C16} - c:\documents and settings\michael\local settings\application data\{32D5DCC0-A54B-4E73-8EAB-9BBF0B158C16}
FF - HiddenExtension: XUL Cache: {BC077293-0BC0-45CA-8591-EB4729FD131E} - c:\documents and settings\holly\local settings\application data\{BC077293-0BC0-45CA-8591-EB4729FD131E}
FF - HiddenExtension: XUL Cache: {06B21EA1-8F31-4C05-BC25-FCD24A946ECC} - c:\documents and settings\larissa\local settings\application data\{06b21ea1-8f31-4c05-bc25-fcd24a946ecc}\

============= SERVICES / DRIVERS ===============

R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2006-5-7 57344]

=============== Created Last 30 ================

2009-05-13 07:04 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-05-12 21:01 <DIR> --d----- c:\docume~1\michael\applic~1\Malwarebytes
2009-05-12 21:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-12 21:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-12 21:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-12 21:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-08 22:09 <DIR> a-dshr-- C:\cmdcons
2009-05-08 22:03 161,792 a------- c:\windows\SWREG.exe
2009-05-08 22:03 98,816 a------- c:\windows\sed.exe
2009-05-01 07:03 <DIR> --d----- c:\windows\SxsCaPendDel
2009-05-01 06:59 <DIR> --d----- c:\windows\system32\appmgmt
2009-04-30 16:39 2 a------- C:\813889253
2009-04-16 21:26 399,360 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:26 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:26 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 21:26 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-04-16 21:26 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-16 21:26 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:26 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:26 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 21:26 616,960 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:26 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:24 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 21:24 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-13 11:06 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0

==================== Find3M ====================

2009-05-08 22:29 577,536 a------- c:\windows\system32\user32.dll
2009-05-08 22:29 577,536 a------- c:\windows\system32\dllcache\user32.dll
2009-03-21 09:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-07 10:44 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-06 09:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 18:27 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 16:44 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-19 04:50 18,432 -------- c:\windows\system32\dllcache\iedw.exe

============= FINISH: 8:05:09.98 ===============