8 steps and still have slow as molasses computer


vtbutterfly2

I had the vundo trojan and so I went through the steps (some a few times!) and while my computer is now actually moving, it is still super slow. Logs below! I really hope I did these right and if i didn't I don't mind redoing any log! Thanks in advance!


ok I can't even attach anything...

under additional options it has an attach files but I can't click on anything, it just says valid file extensions (lists them all)...
 
If you went through the 8 Steps then where are the logs that were supposed to be attached?

Open MBAM and click Logs. Attach all logs back here.

Open SAS click Preferences-Statistics/logs and attach them back also!

What you had is very important insight on how to continue.

Mike
 
MBAM logs

sorry it won't let me attach!

Malwarebytes' Anti-Malware 1.34
Database version: 1769
Windows 5.1.2600 Service Pack 1

2/17/2009 12:11:07 PM
mbam-log-2009-02-17 (12-11-06).txt

Scan type: Quick Scan
Objects scanned: 89020
Time elapsed: 41 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
SUPERAntiSpyware Scan Log


Generated 02/17/2009 at 04:14 PM

Application Version : 4.25.1012

Core Rules Database Version : 3762
Trace Rules Database Version: 1723

Scan type : Quick Scan
Total Scan Time : 00:01:22

Memory items scanned : 244
Memory threats detected : 0
Registry items scanned : 444
Registry threats detected : 0
File items scanned : 0
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Carly\Cookies\carly@questionmarket[2].txt
C:\Documents and Settings\Carly\Cookies\carly@atdmt[2].txt
C:\Documents and Settings\Carly\Cookies\carly@ad.yieldmanager[2].txt
C:\Documents and Settings\Carly\Cookies\carly@doubleclick[1].txt
 
Hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:51 PM, on 2/17/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Lotus\Notes\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk98.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.technology-catalysts.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: (no name) - {EB4774ED-9455-4E72-B70D-AB260E429773} - C:\WINDOWS\system32\qoMeCtuR.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EasyDVDPlayer] "C:\Program Files\EasyDVD\EasyDVD.EXE /min"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
O16 - DPF: {3743E8B0-BE34-4652-9F11-7C4EB22F39B9} (HtmlCtl2 Class) - http://online6.edqm.eu/demoversion/NetisUtils/install/safeview.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = technology-catalysts.com
O17 - HKLM\Software\..\Telephony: DomainName = technology-catalysts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = technology-catalysts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = technology-catalysts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
O20 - AppInit_DLLs: tazjst.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Lotus\Notes\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O24 - Desktop Component 0: My Current Home Page - file:///C:/DOCUME~1/Carly/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Carly/LOCALS~1/Temp/msohtml1/16/clip_image002.gif

--
End of file - 10757 bytes
 
ohhh here is the FULL scan i did with SAS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/17/2009 at 12:41 PM

Application Version : 4.25.1012

Core Rules Database Version : 3762
Trace Rules Database Version: 1723

Scan type : Full Scan
Total Scan Time : 00:45:58

Memory items scanned : 608
Memory threats detected : 0
Registry items scanned : 431
Registry threats detected : 12
File items scanned : 7870
File threats detected : 98

Trojan.Dropper/Gen-123
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SysTray
HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}
HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}
HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32
HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\LOWEKURIP.DLL

Rogue.Component/Trace
HKLM\Software\Microsoft\6440E3DB
HKLM\Software\Microsoft\6440E3DB#6440e3db
HKLM\Software\Microsoft\6440E3DB#Version
HKLM\Software\Microsoft\6440E3DB#64404e5b
HKLM\Software\Microsoft\6440E3DB#644027be
HKU\S-1-5-21-1715567821-1450960922-682003330-1189\Software\Microsoft\CS41275
HKU\S-1-5-21-1715567821-1450960922-682003330-1189\Software\Microsoft\FIAS4018

Adware.Tracking Cookie
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@a.findarticles[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@e-2dj6wjlyciajgko.stats.esomniture[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@hitbox[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@atdmt[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@dynamic.media.adrevolver[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@advertising[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ads.bridgetrack[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ehg-airtran.hitbox[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@dealtime[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@adserver7.teracent[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@questionmarket[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@burstnet[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ad.yieldmanager[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@valueclick[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@valueclick[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@2o7[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@laptopmag.122.2o7[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@tribalfusion[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@adtech[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@casalemedia[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@www.mlclick[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@xiti[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@zedo[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@112.2o7[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@serving-sys[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ads.addynamix[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@iacas.adbureau[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@insightexpressai[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@anad.tacoda[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@anat.tacoda[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@affiliates.ticketsnow[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@www.burstbeacon[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ad.interclick[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@linksynergy[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ad.flux[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@tacoda[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@warnerbros.112.2o7[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ticketsnow[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@overture[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@revsci[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@roiservice[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@adbrite[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@realmedia[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ads.pointroll[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ad.xplusone[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@media.adrevolver[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@as-us.falkag[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@fastclick[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@nextag[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@edge.ru4[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@collective-media[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@bluestreak[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@stats.sphere[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@statse.webtrendslive[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@findarticles[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ordie.adbureau[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@interclick[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@mediaplex[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ehg-hollywood.hitbox[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ehg-dig.hitbox[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@indextools[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ehg-lls.hitbox[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@e-2dj6wjnyundjmdp.stats.esomniture[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@highbeam.122.2o7[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@knowmoremedia.us.intellitxt[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@drivecleaner[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@atwola[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@apmebf[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@te.kontera[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ads.expedia[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@stat.dealtime[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@adopt.euroclick[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@www.ticketsnow[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ehg-theviptour.hitbox[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@www.burstnet[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@statcounter[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@accounts[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@specificclick[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@adinterax[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ecnext.advertserve[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@webtrendslive.bbandt[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@bs.serving-sys[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@www.drivecleaner[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@richmedia.yahoo[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@qnsr[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@adlegend[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@adrevolver[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@adrevolver[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@247realmedia[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@ticketsnow.112.2o7[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@adopt.specificclick[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@paypal.112.2o7[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@www.ticketsnow2[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@perf.overture[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@kontera[1].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@account[2].txt
C:\Documents and Settings\Carly\Local Settings\Temp\Cookies\carly@doubleclick[1].txt
 
Ok every time we fix something try the attaching again.

Run HJT Select and Fix the below
O2 - BHO: (no name) - {EB4774ED-9455-4E72-B70D-AB260E429773} - C:\WINDOWS\system32\qoMeCtuR.dll (file missing)
O20 - AppInit_DLLs: tazjst.dll

Surprisingly MBAM was clean but SAS was loaded.

Another run indicated!
OK there were found/removed items in SAS so we need to run again as the first run likely exposed things that were not even seen the first time.

So another Quick Scan run will likely find more. So UPDATE and run again.

Try the Attachment.

Only after the above is run and log posted do the below.

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
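The triage above picks two entry classes out of a HijackThis log: an unnamed O2 BHO whose DLL is already gone, and an O20 AppInit_DLLs entry (a DLL loaded into every user-mode process). The script below is an added example written for this thread, not HijackThis code and not the helper's own procedure; it parses HJT entries, flags those two classes, and diffs a "before" and "after" log to confirm a fix took effect. The sample lines are copied from the logs posted in this thread. The third check (an O16 ActiveX control downloaded from a bare IP address) is a common review heuristic that goes beyond what the helper flagged here and only marks the entry as worth verifying.

```python
"""Parse, flag and diff HijackThis (HJT) logs.

Added example for this thread; not HijackThis code and not the helper's own
script. Sample log lines below are copied from the logs posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    section: str  # "R0", "O2", "O20", ...
    text: str     # everything after "O2 - "


# HJT entries look like "O2 - BHO: ..." ; process and header lines do not match.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# URL whose host is a bare IPv4 address, e.g. http://209.90.101.200/...
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")


def parse_hjt(log: str) -> List[Entry]:
    """Return the HJT entries of a log in file order, skipping headers and process lists."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag(entry: Entry) -> Optional[str]:
    """Reason the entry deserves a look, or None if the checks here say nothing about it."""
    if entry.section == "O2" and "(no name)" in entry.text and "(file missing)" in entry.text:
        return "unnamed BHO whose DLL is missing: leftover registration, safe to fix"
    if entry.section == "O20" and entry.text.startswith("AppInit_DLLs:"):
        return "AppInit_DLLs injects this DLL into every user-mode process"
    if entry.section == "O16" and IP_URL_RE.search(entry.text):
        return "ActiveX download from a bare IP address: verify the source (heuristic)"
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """(entry line, reason) for every flagged entry, in log order."""
    return [(f"{e.section} - {e.text}", reason)
            for e in parse_hjt(log) if (reason := flag(e)) is not None]


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in the earlier log but gone from the later one."""
    later = {(e.section, e.text) for e in parse_hjt(after)}
    return [f"{e.section} - {e.text}" for e in parse_hjt(before)
            if (e.section, e.text) not in later]


# Excerpt of the first HJT log posted in the thread (the "before" state).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.technology-catalysts.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {EB4774ED-9455-4E72-B70D-AB260E429773} - C:\WINDOWS\system32\qoMeCtuR.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
O20 - AppInit_DLLs: tazjst.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
"""

# Excerpt of the second HJT log posted after the fix (the "after" state).
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.technology-catalysts.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
"""


if __name__ == "__main__":
    print("Flagged in first log:")
    for line, reason in triage(BEFORE_LOG):
        print(f"  {line}\n      -> {reason}")
    print("Removed by the fix:")
    for line in removed_entries(BEFORE_LOG, AFTER_LOG):
        print(f"  {line}")
    print("Still flagged afterwards:", [l for l, _ in triage(AFTER_LOG)])
```

Run it as-is to see the two entries the helper asked to fix flagged in the first log and confirmed gone in the second; the O16 entry survives both logs and is reported only as something to verify, which matches the thread, where nobody asked for it to be removed.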
 
Hijack log update:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:14 AM, on 2/18/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Lotus\Notes\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk98.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\msiexec.exe
C:\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.technology-catalysts.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EasyDVDPlayer] "C:\Program Files\EasyDVD\EasyDVD.EXE /min"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
O16 - DPF: {3743E8B0-BE34-4652-9F11-7C4EB22F39B9} (HtmlCtl2 Class) - http://online6.edqm.eu/demoversion/NetisUtils/install/safeview.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = technology-catalysts.com
O17 - HKLM\Software\..\Telephony: DomainName = technology-catalysts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = technology-catalysts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = technology-catalysts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Lotus\Notes\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O24 - Desktop Component 0: My Current Home Page - file:///C:/DOCUME~1/Carly/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Carly/LOCALS~1/Temp/msohtml1/16/clip_image002.gif
 
New MBAM

Malwarebytes' Anti-Malware 1.34
Database version: 1769
Windows 5.1.2600 Service Pack 1

2/18/2009 8:06:50 AM
mbam-log-2009-02-18 (08-06-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 132592
Time elapsed: 1 hour(s), 41 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000239.dll (Trojan.Vundo) -> Quarantined and deleted successfully
 
New SAS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/17/2009 at 06:47 PM

Application Version : 4.25.1012

Core Rules Database Version : 3762
Trace Rules Database Version: 1723

Scan type : Complete Scan
Total Scan Time : 01:47:01

Memory items scanned : 477
Memory threats detected : 0
Registry items scanned : 4825
Registry threats detected : 0
File items scanned : 19682
File threats detected : 38

Adware.Tracking Cookie
C:\Documents and Settings\Carly\Cookies\carly@realmedia[1].txt
C:\Documents and Settings\Carly\Cookies\carly@adopt.euroclick[1].txt
C:\Documents and Settings\Carly\Cookies\carly@fastclick[2].txt
C:\Documents and Settings\Carly\Cookies\carly@questionmarket[1].txt
C:\Documents and Settings\Carly\Cookies\carly@atdmt[1].txt
C:\Documents and Settings\Carly\Cookies\carly@revsci[1].txt
C:\Documents and Settings\Carly\Cookies\carly@specificclick[2].txt
C:\Documents and Settings\Carly\Cookies\carly@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Carly\Cookies\carly@adtech[1].txt
C:\Documents and Settings\Carly\Cookies\carly@tribalfusion[1].txt
C:\Documents and Settings\Carly\Cookies\carly@ad.yieldmanager[2].txt
C:\Documents and Settings\Carly\Cookies\carly@zedo[2].txt
C:\Documents and Settings\Carly\Cookies\carly@burstnet[2].txt
C:\Documents and Settings\Carly\Cookies\carly@doubleclick[1].txt
C:\Documents and Settings\Carly\Cookies\carly@accounts[1].txt

Adware.Vundo/Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000239.DLL

Trace.Known Threat Sources
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\D4O7HDG9\player[1].swf
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\U5JGTCVQ\full-player-trans[1].png
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\WT2B8DMN\a35c5d0808406[2].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\WF7720XH\5ef383b4ce475[1].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\WD6N0T6V\f5e9bdc98de8cd9ed50dc64acb3673ce-vega4[1].json
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\U5JGTCVQ\f4b113bf12d7c[1].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\D4O7HDG9\80b6864f472de[1].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\TDKIFM7A\player[1].swf
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\WT2B8DMN\518ad8bd8d406ab8fe32c7794b57afcd-vega4[1].json
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\NNYS6R25\f4b113bf12d7c[1].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\2R4XW7Y9\2630fb5fc3d1fc2e9680a9f15dc0269e-vega4[1].json
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\WD6N0T6V\11e8faac43870c561fb949595002612c-vega4[1].json
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\SRE7EXUN\2a6d1e97ac95d[1].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\TDKIFM7A\abfdd127ddd2d[1].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\SZ6FUO4I\player[1].swf
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\TDKIFM7A\80b6864f472de[1].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\SZ6FUO4I\player[2].swf
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\NNYS6R25\3e508420e1d0e[1].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\TDKIFM7A\e64c2f269be48[1].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\SRE7EXUN\c33121e186d80[1].jpg
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTE3S52Z\cbbdf27105815101bd23e42771a18549-vega4[1].json
C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTE3S52Z\3e508420e1d0e[1].jpg
 
OK, try attaching if possible!

Do the below and get me the logs!

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop, run SDFix. It will run (install), then close.

Then reboot into Safe Mode.

As the computer starts up, tap the F8 key several times.

On the Boot menu, choose Safe Mode.

Click through all the prompts to get to the desktop.

At the Desktop:
My Computer, C: drive. Double-click to open.

Look for a folder called SDFix. Double-click to enter SDFix.

Double-click RunThis.bat. Type Y to begin.

SDFix does its job.

When prompted, hit the Enter key to restart the computer.

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
Here is the SD report (still can't attach anything... does my web browser have anything to do with it?)

SDFix: Version 1.240
Run by Carly on Wed 02/18/2009 at 08:40 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\IPHHCHC.EXE - Deleted
C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP1.tmp - Deleted
C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP2.tmp - Deleted
C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP3.tmp - Deleted
C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP34.tmp - Deleted
C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP4.tmp - Deleted
C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP5.tmp - Deleted
C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP6.tmp - Deleted
C:\DOCUME~1\Carly\LOCALS~1\Temp\TMPC.tmp - Deleted
 
Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 08:55:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE:*:Enabled:pcAnywhere Main Program"
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Enabled:pcAnywhere Remote Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE:*:Enabled:pcAnywhere Main Program"
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Enabled:pcAnywhere Remote Service"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iWin Games\\iWinGames.exe"="C:\\Program Files\\iWin Games\\iWinGames.exe:*:Enabled:iWin Games application."
"C:\\Program Files\\iWin Games\\WebUpdater.exe"="C:\\Program Files\\iWin Games\\WebUpdater.exe:*:Enabled:iWin Games updater."

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 15 Oct 2007 31 A..H. --- "C:\WINDOWS\uccspecc.sys"
Mon 14 Feb 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 20 Nov 2007 10 A..H. --- "C:\Documents and Settings\All Users\Application Data\iWin Games\drm\Service_1734614758927788743.dll"
Mon 14 Feb 2005 4,348 ...H. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv1key.bak"
Fri 8 Aug 2008 20 A..H. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 29 Jul 2008 9,856 A.SH. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv2key.bak"

Finished!
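The "Authorized Application Key Export" block in the SDFix report is a dump of the Windows XP firewall's per-profile exception list, and comparing it between runs shows what "Restoring Default Security Values" actually touched (the first report lists MSN Messenger and iTunes in the standard profile; the second does not). The parser and differ below are an added example, not part of SDFix or of this thread. The two sample exports are constructed from a few lines of the reports above, with the `:@xpsp2res.dll` resource reference written as the registry stores it.

```python
import re

# Constructed samples, cut down from the two SDFix exports above.
EXPORT_BEFORE = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
"""

EXPORT_AFTER = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"""

# Section header names the profile (standardprofile / domainprofile)
SECTION_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\.*\\firewallpolicy\\(?P<profile>\w+)"
    r"\\authorizedapplications\\list\]$",
    re.IGNORECASE,
)
ENTRY_RE = re.compile(r'^"(?P<key>[^"]*)"="(?P<value>[^"]*)"$')


def _unescape(text):
    # .reg-style exports double every backslash
    return text.replace("\\\\", "\\")


def parse_authorized_apps(text):
    """One dict per AuthorizedApplications entry, tagged with its profile."""
    profile, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            profile = m["profile"].lower()
            continue
        m = ENTRY_RE.match(line)
        if not (m and profile):
            continue
        path, value = _unescape(m["key"]), _unescape(m["value"])
        # value layout: <path>:<scope>:<Enabled|Disabled>:<display name>
        # the path itself contains "C:", so strip it by length, not by colon
        if not value.startswith(path + ":"):
            continue
        parts = value[len(path):].split(":", 3)
        if len(parts) != 4:
            continue
        _, scope, state, name = parts
        entries.append({"profile": profile, "path": path, "scope": scope,
                        "enabled": state.lower() == "enabled", "name": name})
    return entries


def enabled_apps(entries, profile):
    """Paths with an active exception in the given profile, sorted."""
    return sorted(e["path"] for e in entries
                  if e["profile"] == profile and e["enabled"])


def diff_exports(before, after):
    """(removed, added) as sets of (profile, path) between two exports."""
    key = lambda e: (e["profile"], e["path"])
    b, a = {key(e) for e in before}, {key(e) for e in after}
    return b - a, a - b


if __name__ == "__main__":
    before = parse_authorized_apps(EXPORT_BEFORE)
    after = parse_authorized_apps(EXPORT_AFTER)
    removed, added = diff_exports(before, after)
    print("removed:", sorted(removed))
    print("added:  ", sorted(added))
    print("still open in standard profile:", enabled_apps(after, "standardprofile"))
```

The interesting output is not the diff by itself but what survives it: an inbound host service such as pcAnywhere's AWHOST32.EXE stays enabled in every profile after the reset, so whether that exception belongs on the machine is a question for the owner, not something a cleanup tool will answer.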
 
I don't know at this time why you cannot attach, but try a different browser. Other than that, we will address it when you are clean, if it is still there, as it could be the malware.

OK do the below...

Run ComboFix get me the log.

Then, only then do the below.

UPDATE, then run SAS again and get me that log.
Run SDFix again and get me that log.

These reruns are required because they found and removed malware and may find more on these new runs; we need to run them till clean.

Mike
 
Well then, it was the malware, and we cleaned the one that was causing the problem!

Now once you do the reruns from my last post.

Run ComboFix again as it found and removed issues we need to see it clean.

Mike
 
It won't let me attach again! BAH!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/18/2009 at 09:41 AM

Application Version : 4.25.1012

Core Rules Database Version : 3764
Trace Rules Database Version: 1725

Scan type : Quick Scan
Total Scan Time : 00:12:32

Memory items scanned : 515
Memory threats detected : 0
Registry items scanned : 416
Registry threats detected : 0
File items scanned : 7874
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Carly\Cookies\carly@questionmarket[2].txt
C:\Documents and Settings\Carly\Cookies\carly@atdmt[2].txt
C:\Documents and Settings\Carly\Cookies\carly@doubleclick[2].txt
 
SD log requested...


SDFix: Version 1.240
Run by Carly on 2009-02-18 at 09:55

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 10:30:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE:*:Enabled:pcAnywhere Main Program"
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Enabled:pcAnywhere Remote Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE:*:Enabled:pcAnywhere Main Program"
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Enabled:pcAnywhere Remote Service"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iWin Games\\iWinGames.exe"="C:\\Program Files\\iWin Games\\iWinGames.exe:*:Enabled:iWin Games application."
"C:\\Program Files\\iWin Games\\WebUpdater.exe"="C:\\Program Files\\iWin Games\\WebUpdater.exe:*:Enabled:iWin Games updater."

Remaining Files :



Files with Hidden Attributes :

Mon 15 Oct 2007 31 A..H. --- "C:\WINDOWS\uccspecc.sys"
Mon 14 Feb 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 20 Nov 2007 10 A..H. --- "C:\Documents and Settings\All Users\Application Data\iWin Games\drm\Service_1734614758927788743.dll"
Mon 14 Feb 2005 4,348 ...H. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv1key.bak"
Fri 8 Aug 2008 20 A..H. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 29 Jul 2008 9,856 A.SH. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv2key.bak"

Finished!
 