Malwarebytes

I think I'm infected

9 replies to this topic

#1
oconnell565

    New Member

  • Members
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 5:25:20 PM, on 5/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Mike\Desktop\stinger1001546.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike\Desktop\HJT\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: iWebshot - {BD01C2B8-8826-4131-8D90-3E948F002E5A} - C:\Program Files\iWebshot\iwsieext.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [UVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Capture with iWebshot - res://C:\Program Files\iWebshot\iwsieext.dll/StartIWS.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {76C93E2E-C6D9-4938-A42C-A51384854E74} - C:\Program Files\iWebshot\iwsieext.dll
O9 - Extra 'Tools' menuitem: iWebshot - {76C93E2E-C6D9-4938-A42C-A51384854E74} - C:\Program Files\iWebshot\iwsieext.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O15 - Trusted Zone: http://www.trendsecure.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/im.../SYSSCANNER.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146790903687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179888048625
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: shellservice - {8FB2D6CA-E258-48CF-9DAB-EEFB735E225C} - C:\WINDOWS\system32\config\atww\ShellService.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
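The log above is what the helpers triage by hand. As an added example (not code from HijackThis, Malwarebytes or anyone in this thread), the Python script below parses the R/O entries, pulls out the referenced file path, and flags what a reviewer checks first: entries whose file is missing, Winlogon/SSODL hooks, services with no registered publisher, and code living in directories that should not hold executables. A flag means "look closer", not "malicious"; the embedded sample reuses lines from the log above.

```python
"""Triage helper for a HijackThis (HJT) log. Added example for this thread,
not part of HijackThis or the helper's instructions."""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# A drive path or %VAR% path ending in a code/shortcut extension (HJT quotes some paths).
PATH_RE = re.compile(r'(?i)((?:[a-z]:|%[a-z]+%)\\[^"]*?\.(?:exe|dll|sys|lnk)\b)')

# Roots from which installed components are normally loaded (compared after normalise()).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\",
                  "%windir%\\", "%systemroot%\\")
# Directories that hold registry hives, user data or scratch files, not code.
ODD_SUBDIRS = ("\\config\\", "\\documents and settings\\", "\\temp\\", "\\recycler\\")
# Entry types that hook logon or the shell and therefore run before the user does anything.
HOOK_KINDS = {"O20": "Winlogon Notify", "O21": "ShellServiceObjectDelayLoad"}


@dataclass
class Finding:
    kind: str
    path: Optional[str]
    reasons: List[str]
    line: str


def normalise(path: str) -> str:
    """Lower-case and collapse doubled backslashes (HJT prints 'system32\\\\PSDrvCheck.exe')."""
    return re.sub(r"\\+", r"\\", path).lower()


def assess(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT entry, or None for non-entry lines (e.g. process paths)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    pm = PATH_RE.search(body)
    path = normalise(pm.group(1)) if pm else None
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned: the referenced file is missing")
    if kind in HOOK_KINDS:
        reasons.append(f"logon/shell hook ({HOOK_KINDS[kind]}): verify the publisher")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service with no registered publisher")
    if path:
        if not path.startswith(EXPECTED_ROOTS):
            reasons.append("loaded from outside Windows/Program Files")
        if any(d in path for d in ODD_SUBDIRS):
            reasons.append("code in a directory that should not hold executables")
    return Finding(kind, path, reasons, line.strip())


def triage(log_text: str) -> List[Finding]:
    """All entries that earned at least one reason, in log order."""
    out = []
    for line in log_text.splitlines():
        f = assess(line)
        if f and f.reasons:
            out.append(f)
    return out


# A subset of the log posted above, enough to exercise every rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: shellservice - {8FB2D6CA-E258-48CF-9DAB-EEFB735E225C} - C:\WINDOWS\system32\config\atww\ShellService.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.path or '-'}")
        for r in f.reasons:
            print(f"      - {r}")
```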

#2
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Hello and Welcome to Malwarebytes' Malware Removal forum.

Your HJT version is very outdated - please read this HJT topic, and download a new version:
http://www.malwareby...?showtopic=9573

Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune
  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingc...opic114351.html

Next, please perform a rootkit scan:
  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.


Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as bingo.exe

Notes:
  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.

    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
http://www.bleepingc...to-use-combofix

Very Important! Temporarily disable your McAfee antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. Also, disable Ad-Aware. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingc...opic114351.html

Also, disable your firewall!
You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (bingo) & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post back ARK.txt, C:\Combofix.txt, and a fresh HJT log.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#3
oconnell565

    New Member

  • Members
  • 8 posts
Thanks for the reply. After browsing your site last night, I actually performed some of these steps. I've repeated them per your email. The attachment combofix1.txt was from last night. You'll see that a number of items were found and deleted. However, I'm still having some problems with anti-virus startup (no icon shows in the taskbar) and with iexplorer.exe processes running even when no browser window is open.

The attachment combofix1.txt was from last night. Combofix2.txt, ARK.txt and hijackthis.txt are from today based on your instructions.


Again, I appreciate your help.

#4
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Hello and you're welcome,

Your first Combofix (CF) log shows you ran it with McAfee enabled:

Quote

ComboFix 09-05-22.05 - Mike 05/22/2009 20:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1682 [GMT -7:00]
Running from: c:\documents and settings\Mike\Desktop\mjoComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

While your second CF run was done properly with McAfee disabled.

Quote

ComboFix 09-05-23.04 - Mike 05/23/2009 16:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1500 [GMT -7:00]
Running from: c:\mjocombofix\bingo.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

I know that an engaged McAfee guard and CF are not compatible. This may be what is causing your "anti-virus startup (no icons shows in the taskbar)".

It may be best if you uninstall and reinstall McAfee to see if that helps. Either that, or you can try installing another AV like Antivir, if you're not attached to McAfee.

I am not seeing anything left from the infection in your CF log, but I would like to know if you used this Webwatcher monitoring program, because there are a lot of remnants, particularly drivers related to that software.
http://www.awarenesstech.com/

Please let me know if you no longer use that program or never installed it to your knowledge.

I am not seeing any iexplore.exe processes in your running log. It would help if you could catch the malware in the act by running a scan for me when iexplore.exe is running in the background or better yet, when it launches.

To do that you need a program called Process Explorer.
Download, unzip and launch the Process Explorer program.
  • Configure it as follows:
    • On the Menu, Click Options and check "Verify Image signatures".
    • Then on the Menu again, click View ==> Refresh Now, and the screen will update.
    • On the toolbar, make sure the fifth icon from the right is a gear symbol (Lower Pane - DLL view). If it isn't - click it once (toggle it), so the gear icon is displayed
  • In the upper pane Process tree listing, click the iexplore.exe and the lower pane will update to reflect signature data for all DLLs loaded by that svchost.exe instance.
  • Click File => Save and save the log.
  • Post the Process Explorer log in your next reply

You can just keep Process Explorer running so you can quickly research things, without having to launch it. I always have it running on my system, so I can keep an eye on and investigate system activity.

#5
oconnell565

    New Member

  • Members
  • 8 posts
Thanks, negster22.

I got rid of McAfee and loaded Antivir. I have used webwatcher (kid was looking at porn), but it's no longer needed. I'd appreciate instructions on getting rid of remnants.

I haven't been able to catch IE running hidden. Attached are 2 logs from Process Explorer for IE that I launched myself. One is for a child process and the other is for its parent.

Thanks, again.

#6
oconnell565

    New Member

  • Members
  • 8 posts
Sorry, here are the logs.


#7
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
I'm not seeing anything unusual in the ProcessExplorer logs for the iexplore process loaded modules.

The child iexplore.exe has something called "counters" with no version info or company name but that is probably not anything of concern.

If you double-click the "counters" entry that is listed in the lower pane view, a Properties window opens.
You can then click the strings tab, and sometimes there is company information listed there, that gives a clue as to the source of the file.

I don't think you have anything malicious running or the iexplore.exe would be running constantly, or at least frequently enough to get a log.

I did see in your Process Explorer log, that the McAfee script scanner DLL is still loading:
http://www.greatis.c...criptcl.dll.htm
Scriptcl.dll is related to McAfee VSCore Script Scanner.
Manufacturer: McAfee, Inc.


You may want to run the McAfee removal tool;
http://service.mcafe...spx?id=TS100507

I will go over your Combofix log and locate the Webwatcher entries you want to remove.

I would like you to run a complete system scan with one of the following two scanners (DrWeb or ESET); directions for both are included below. Expect some detections in Qoobox and System Volume Information (they will not be active malware, so don't worry):

Please perform a scan with the ESET online virus scanner:
http://www.eset.com/...escan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website because you must approve installing an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the following two boxes:
    • enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it
    • Close the ESET scan Window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box:
    • The Scan results will now display in Notepad
  • Please copy and paste the ESET scan report that can be found in this location
    C:\Program Files\EsetOnlineScanner\log.txt into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

______________________________________________

As an alternative to an online antivirus scan, you can run a scan with Dr. Web CureIt!. This scanner is downloaded as a randomly named executable file that is ready to go with no extracting and no updating. It does take a while to scan, so be patient. It also detects a lot of malware that other scanners miss and can repair damaged files that are essential for your computer.

1. Please download DrWeb-CureIt by clicking the "CureIt! Download" button on the right-side of the page. Save the randomly named executable file to your desktop, but DO NOT perform a scan yet.
2. Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, an Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode.
3. Double-click on the randomly named EXE file you just downloaded to start the program. An "Express Scan of your PC" notice will appear.
4. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to "cure it".
5. Once the short scan has finished, Click Options --> Change settings
6. Choose the "Scan tab" and UNcheck "Heuristic analysis"
7. Back at the main window, click "Complete Scan"
8. Then click the "Start/Stop Scanning" button (green triangular "play" button on the right), and the scan will start.
9. When done, a message will be displayed at the bottom advising if any threats were found.
10. Click "Yes to all" if it asks if you want to cure/move the file.
11. When the scan has finished, see if you can locate the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
12. Next, in the Dr.Web CureIt menu on top, click File and then choose Save report.
13. Save the DrWeb.csv report to your desktop.
14. Exit Dr.Web Cureit when done.
15. Important! Reboot your computer so any targeted files that were in use can be moved/deleted during reboot.
16. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report by right-clicking the file and selecting "Open With" -> Notepad.)

In your next reply, please include the following:
  • Dr.Web Log or ESET log
  • A new HJT log

Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#8
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
PLEASE READ MY ABOVE REPLY FIRST!!

I found a program that can monitor and log a process's activity in real time without having to trigger it at a key moment.

You just need to set filters the way I've outlined below, to hone in on the iexplore.exe process.

Please download Process Monitor:
http://technet.microsoft.com/en-us/sysinte...s/bb896645.aspx

Choose this option:
"Run Process Monitor now from Live.Sysinternals.com"
Save it and double-click on ProcMon.exe to launch Process Monitor.

On the menu bar, Click Filter -> Filter...
In the first drop down menu, where the first entry is "architecture", select to filter on "Process"
  • In the second drop down menu, under Conditions, select "is"
  • In the third drop down menu, select the process "iexplore.exe"
  • Click the Add button
  • Click "Apply", to apply the filter
In the first drop down menu, where the first entry is "architecture", select to filter on "Operation"
  • In the second drop down menu, under Conditions, select "is"
  • In the third drop down menu, select the operation "Process start", and click Add
  • Click "Apply", to apply the filter.
  • In the third drop down menu, select the operation "Process create", and click Add
  • Click "Apply", to apply the filter.
  • In the third drop down menu, select the operation "Process exit", and click Add
  • Click "Apply", to apply the filter.
  • Click OK
Allow Process Monitor to run and periodically inspect the log of captured events to see if iexplore.exe was started and if so, what process created it. Also, see if it creates any new child processes that appear to be questionable.

You may want to correlate events in the log with your firewall activity, as well. If iexplore.exe is not your default browser, then you can set your firewall to prompt on iexplore.exe network requests, so you can be alerted.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
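One way to triage the captured events offline instead of eyeballing the ProcMon window, as an added example that is not part of this thread: a Python script that reads a Process Monitor CSV export (File -> Save, CSV format) and lists which process started iexplore.exe and what iexplore.exe itself created. The column layout and the wording of the Detail column are assumed from ProcMon's default export; the sample rows, including the rundll32.exe parent, are constructed for illustration.

```python
"""Triage a Process Monitor CSV export for unexpected iexplore.exe launches.
Added example, not from the thread; assumes ProcMon's default CSV columns and
Detail wording ("PID: <n>, Command line: ..."). SAMPLE_CSV is constructed."""
import csv
import io
import re
from collections import defaultdict

# Parents from which a user-driven IE launch is expected (assumption for a
# home XP desktop); any other parent starting iexplore.exe deserves a look.
EXPECTED_PARENTS = {"explorer.exe", "iexplore.exe"}
DETAIL_PID = re.compile(r"PID:\s*(\d+)")
DETAIL_CMD = re.compile(r"Command line:\s*(.*)$")

# Constructed rows. On a Process Create row, Process Name/PID are the PARENT,
# Path is the new image, and Detail carries the child's PID and command line.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:30:01.0000000 PM","Explorer.EXE","1480","Process Create","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS","PID: 2200, Command line: ""C:\Program Files\Internet Explorer\iexplore.exe"""
"5:30:01.1000000 PM","iexplore.exe","2200","Process Start","","SUCCESS","Parent PID: 1480, Command line: ""C:\Program Files\Internet Explorer\iexplore.exe"", Current directory: C:\Documents and Settings\Mike"
"5:41:17.0000000 PM","rundll32.exe","3012","Process Create","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS","PID: 3100, Command line: ""C:\Program Files\Internet Explorer\iexplore.exe"" -nohome"
"5:41:17.1000000 PM","iexplore.exe","3100","Process Start","","SUCCESS","Parent PID: 3012, Command line: ""C:\Program Files\Internet Explorer\iexplore.exe"" -nohome, Current directory: C:\WINDOWS\system32"
"5:41:20.0000000 PM","iexplore.exe","3100","Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 3140, Command line: cmd.exe /c echo constructed"
"5:42:00.0000000 PM","iexplore.exe","3100","Process Exit","","SUCCESS","Exit Status: 0, User Time: 0.0312500 seconds, Kernel Time: 0.0156250 seconds"
'''


def parse_process_creates(csv_text):
    """One dict per Process Create row: who started what, with both PIDs."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        pid = DETAIL_PID.search(row["Detail"])
        cmd = DETAIL_CMD.search(row["Detail"])
        events.append({
            "time": row["Time of Day"],
            "parent": row["Process Name"].lower(),
            "parent_pid": int(row["PID"]),
            "child_pid": int(pid.group(1)) if pid else None,
            "image": row["Path"].rsplit("\\", 1)[-1].lower(),
            "cmdline": cmd.group(1) if cmd else "",
        })
    return events


def triage(csv_text, target="iexplore.exe"):
    """Return (launches of target by a parent outside EXPECTED_PARENTS,
    images the target itself created keyed by the target's PID). A browser
    spawning cmd.exe shows up in the second part."""
    creates = parse_process_creates(csv_text)
    unexpected = [e for e in creates
                  if e["image"] == target and e["parent"] not in EXPECTED_PARENTS]
    children = defaultdict(list)
    for e in creates:
        if e["parent"] == target:
            children[e["parent_pid"]].append(e["image"])
    return unexpected, dict(children)


if __name__ == "__main__":
    launches, kids = triage(SAMPLE_CSV)
    for e in launches:
        print(f"{e['time']}: {e['parent']} (PID {e['parent_pid']}) started "
              f"iexplore.exe as PID {e['child_pid']}: {e['cmdline']}")
    for pid, images in kids.items():
        print(f"iexplore.exe PID {pid} created: {', '.join(images)}")
```

Point it at a real export by replacing SAMPLE_CSV with the file contents; an iexplore.exe started from explorer.exe is the normal double-click case, while any other parent, or a command shell created by the browser, is what the filters in the post above are meant to surface.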

#9
oconnell565

    New Member

  • Members
  • 8 posts
I followed your instructions. Here is the log from running ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=78e615b816967c4fb659de4401740821
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-05-27 12:34:24
# local_time=2009-05-26 05:34:24 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 37 100 100 31297031250
# scanned=156091
# found=1
# cleaned=1
# scan_time=2222
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACubhkopfxdcvabfv.dll.vir a variant of Win32/Kryptik.PS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000


Here is the most recent HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:25 PM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Mike\Desktop\HJT\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: iWebshot - {BD01C2B8-8826-4131-8D90-3E948F002E5A} - C:\Program Files\iWebshot\iwsieext.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [UVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Capture with iWebshot - res://C:\Program Files\iWebshot\iwsieext.dll/StartIWS.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {76C93E2E-C6D9-4938-A42C-A51384854E74} - C:\Program Files\iWebshot\iwsieext.dll
O9 - Extra 'Tools' menuitem: iWebshot - {76C93E2E-C6D9-4938-A42C-A51384854E74} - C:\Program Files\iWebshot\iwsieext.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.trendsecure.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/im.../SYSSCANNER.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146790903687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179888048625
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 10647 bytes


I downloaded Process Monitor. So far, no indication of "rogue" IE instances.





#10
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Hello!

ESET looks fine - it just detected one item safely locked away in the Combofix quarantine store.

Go to Start -> Control Panel -> Add/Remove Programs and uninstall the following program:
Bonjour

Exit the Control Panel

Launch HijackThis (HJT) by double-clicking the desktop shortcut and choosing the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)


Close HJT and reboot.

Delete these folders:
C:\Program Files\Bonjour\
C:\Program Files\Viewpoint\


We have a few more steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\\mjoComboFix.exe" /u

This will do the following:
  • Uninstall Combofix and all its associated files and folders.
  • It will flush your system restore points and create a new restore point.
  • It will rehide your system files and folders
  • Reset your system clock
Delete the contents of the C:\ARK folder and then delete the folder itself.

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI).

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided and select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:
http://www.javacools...areblaster.html
Update it and then enable protection for all unprotected items.
You will have to update the free version manually about once a month by clicking the Updates button.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment.

Happy Surfing!

Feel free to post back if anything suspect is recorded by Process Monitor!
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog




