8 steps and still have a slow-as-molasses computer

By vtbutterfly2
Feb 17, 2009
Topic Status:
Not open for further replies.
  1. I had the Vundo trojan and so I went through the steps (some a few times!) and while my computer is now actually moving, it is still super slow. Logs below! I really hope I did these right and if I didn't I don't mind redoing any log! Thanks in advance!


    OK, I can't even attach anything...

    Under additional options it has an attach files option, but I can't click on anything; it just says valid file extensions (lists them all)...
  2. mflynn

    mflynn Newcomer, in training Posts: 2,793

    If you went through the 8 Steps, then where are the logs that were supposed to be attached?

    Open MBAM and click Logs. Attach all logs back here.

    Open SAS, click Preferences-Statistics/logs, and attach them back also!

    What you had is very important insight on how to continue.

    Mike
  3. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    MBAM logs

    Sorry, it won't let me attach!

    Malwarebytes' Anti-Malware 1.34
    Database version: 1769
    Windows 5.1.2600 Service Pack 1

    2/17/2009 12:11:07 PM
    mbam-log-2009-02-17 (12-11-06).txt

    Scan type: Quick Scan
    Objects scanned: 89020
    Time elapsed: 41 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  4. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    SUPERAntiSpyware Scan Log


    Generated 02/17/2009 at 04:14 PM

    Application Version : 4.25.1012

    Core Rules Database Version : 3762
    Trace Rules Database Version: 1723

    Scan type : Quick Scan
    Total Scan Time : 00:01:22

    Memory items scanned : 244
    Memory threats detected : 0
    Registry items scanned : 444
    Registry threats detected : 0
    File items scanned : 0
    File threats detected : 4

    Adware.Tracking Cookie
    C:\Documents and Settings\Carly\Cookies\carly@questionmarket[2].txt
    C:\Documents and Settings\Carly\Cookies\carly@atdmt[2].txt
    C:\Documents and Settings\Carly\Cookies\carly@ad.yieldmanager[2].txt
    C:\Documents and Settings\Carly\Cookies\carly@doubleclick[1].txt
  5. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    Hijack log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:22:51 PM, on 2/17/2009
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Lotus\Notes\nslsvice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Lotus\Notes\ntmulti.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atiptaxx.exe
    C:\WINDOWS\System32\desk98.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
  6. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    Below is the rest, sorry to have to do this!!
  7. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.technology-catalysts.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O2 - BHO: (no name) - {EB4774ED-9455-4E72-B70D-AB260E429773} - C:\WINDOWS\system32\qoMeCtuR.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EasyDVDPlayer] "C:\Program Files\EasyDVD\EasyDVD.EXE /min"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
    O16 - DPF: {3743E8B0-BE34-4652-9F11-7C4EB22F39B9} (HtmlCtl2 Class) - http://online6.edqm.eu/demoversion/NetisUtils/install/safeview.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = technology-catalysts.com
    O17 - HKLM\Software\..\Telephony: DomainName = technology-catalysts.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = technology-catalysts.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = technology-catalysts.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
    O20 - AppInit_DLLs: tazjst.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Lotus\Notes\nslsvice.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O24 - Desktop Component 0: My Current Home Page - file:///C:/DOCUME~1/Carly/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
    O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Carly/LOCALS~1/Temp/msohtml1/16/clip_image002.gif

    --
    End of file - 10757 bytes
  8. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    Ohhh, here is the FULL scan I did with SAS

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/17/2009 at 12:41 PM

    Application Version : 4.25.1012

    Core Rules Database Version : 3762
    Trace Rules Database Version: 1723

    Scan type : Full Scan
    Total Scan Time : 00:45:58

    Memory items scanned : 608
    Memory threats detected : 0
    Registry items scanned : 431
    Registry threats detected : 12
    File items scanned : 7870
    File threats detected : 98

    Trojan.Dropper/Gen-123
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SysTray
    HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}
    HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}
    HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32
    HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\LOWEKURIP.DLL

    Rogue.Component/Trace
    HKLM\Software\Microsoft\6440E3DB
    HKLM\Software\Microsoft\6440E3DB#6440e3db
    HKLM\Software\Microsoft\6440E3DB#Version
    HKLM\Software\Microsoft\6440E3DB#64404e5b
    HKLM\Software\Microsoft\6440E3DB#644027be
    HKU\S-1-5-21-1715567821-1450960922-682003330-1189\Software\Microsoft\CS41275
    HKU\S-1-5-21-1715567821-1450960922-682003330-1189\Software\Microsoft\FIAS4018

    Adware.Tracking Cookie
  9. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK, every time we fix something, try the attaching again.

    Run HJT, select and Fix the below:
    O2 - BHO: (no name) - {EB4774ED-9455-4E72-B70D-AB260E429773} - C:\WINDOWS\system32\qoMeCtuR.dll (file missing)
    O20 - AppInit_DLLs: tazjst.dll

    Surprisingly MBAM was clean but SAS was loaded.

    Another run indicated!
    OK, there were found/removed items in SAS, so we need to run again, as the first run likely exposed things that were not even seen the first time.

    So another Quick Scan run will likely find more. So UPDATE and run again.

    Try the Attachment.

    Only after the above is run and log posted do the below.

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
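A small triage script for the HJT entries singled out in the post above, added here as an example (not code from the thread and not HijackThis's own code): it parses HJT-format log lines and applies the two rules behind Mike's fix list, an O2 BHO whose DLL is marked "(file missing)" and a non-empty O20 AppInit_DLLs value. The sample lines are constructed from the log quoted in this thread, with a few benign neighbours for contrast.

```python
"""Triage of HijackThis-style log lines (added example; not HijackThis's own
code and not part of the forum thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines in the format HijackThis 2.0.2 emits, taken from
# the thread's log plus benign neighbours so the rules have something to skip.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EB4774ED-9455-4E72-B70D-AB260E429773} - C:\WINDOWS\system32\qoMeCtuR.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: tazjst.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""

# Every HJT entry starts with a section code (R0/R1/F0/O2/O4/...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFON]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2", "O20"
    kind: str     # text before the first ": ", e.g. "BHO", "AppInit_DLLs"
    detail: str   # the remainder of the line
    raw: str      # the line exactly as HJT printed it (what you tick to fix)


def parse_hjt(text: str) -> list[Entry]:
    """Split an HJT log into Entry objects, ignoring headers and process lists."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, sep, detail = m.group("body").partition(": ")
        if not sep:  # no "kind:" prefix (R0/R1 lines use "key = value")
            kind, detail = "", m.group("body")
        entries.append(Entry(m.group("section"), kind, detail.strip(), line))
    return entries


@dataclass(frozen=True)
class Finding:
    entry: Entry
    reason: str


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the two rules the thread's fix list is built from."""
    findings = []
    for e in entries:
        if e.section == "O2" and e.detail.endswith("(file missing)"):
            # A BHO still registered for IE although its DLL was deleted: an
            # orphaned loader entry, the classic leftover of a removed infection.
            findings.append(Finding(e, "BHO points at a DLL that no longer exists"))
        elif e.section == "O20" and e.kind == "AppInit_DLLs" and e.detail:
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so on a clean machine the value is normally empty.
            findings.append(Finding(e, "AppInit_DLLs is non-empty: " + e.detail))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """The raw lines to tick in HJT's 'Fix checked' list, in log order."""
    return [f.entry.raw for f in findings]


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.entry.section:<4} {f.reason}\n     {f.entry.raw}")
```

Run against the full log rather than the sample, the same two rules pick out exactly the two lines Mike quoted; everything else in the O2/O20 sections passes.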
  10. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    Hijack log update:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:20:14 AM, on 2/18/2009
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Lotus\Notes\nslsvice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Lotus\Notes\ntmulti.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\WINDOWS\System32\desk98.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Lotus\Notes\NLNOTES.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Lotus\Notes\ntaskldr.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.technology-catalysts.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EasyDVDPlayer] "C:\Program Files\EasyDVD\EasyDVD.EXE /min"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
    O16 - DPF: {3743E8B0-BE34-4652-9F11-7C4EB22F39B9} (HtmlCtl2 Class) - http://online6.edqm.eu/demoversion/NetisUtils/install/safeview.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = technology-catalysts.com
    O17 - HKLM\Software\..\Telephony: DomainName = technology-catalysts.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = technology-catalysts.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = technology-catalysts.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Lotus\Notes\nslsvice.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
  11. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O24 - Desktop Component 0: My Current Home Page - file:///C:/DOCUME~1/Carly/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
    O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Carly/LOCALS~1/Temp/msohtml1/16/clip_image002.gif
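The HijackThis lines posted above follow one shape per section (O4 autoruns, O16 ActiveX downloads, O17 DNS settings, O23 services). As an added example, and not HijackThis' or TechSpot's code, here is a small parser that groups such lines by section and pulls out the fields a reviewer reads first. The review cues it computes (is the O17 nameserver in a private range, is an O16 download host a bare IP literal) are generic ones chosen here, not findings about the machine in this thread; the sample lines are copied from the log above.

```python
# Added example, not HijackThis' or TechSpot's code: split HijackThis 'Onn - ...' log lines
# like those posted above into sections and pull out the fields a reviewer reads first
# (O4 autorun commands, O17 DNS servers, O16 ActiveX download hosts, O23 service binaries).
# The review cues below are generic choices made here, not findings about this machine.
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied verbatim from the log posted above.
HJT_SAMPLE = r"""O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = technology-catalysts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A6DA7BD-CA27-4481-9072-2BC7E3856F28}: NameServer = 10.10.10.48
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: My Current Home Page - file:///C:/DOCUME~1/Carly/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
"""

_ENTRY = re.compile(r"^(?P<sec>O\d+) - (?P<body>.+)$")


def parse_hjt(text: str) -> dict[str, list[str]]:
    """Group entry bodies by section code (O4, O16, ...); lines that are not entries are ignored."""
    sections: dict[str, list[str]] = {}
    for raw in text.splitlines():
        if m := _ENTRY.match(raw.strip()):
            sections.setdefault(m.group("sec"), []).append(m.group("body"))
    return sections


def autorun_commands(sections: dict[str, list[str]]) -> list[str]:
    """O4 entries: the command line after the [name] tag, e.g. the quoted qttask.exe line."""
    return [m.group(1) for body in sections.get("O4", []) if (m := re.search(r"\] (.+)$", body))]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def nameservers(sections: dict[str, list[str]]) -> dict[str, bool]:
    """O17 NameServer addresses mapped to whether they sit in a private range (10/8, 192.168/16, ...)."""
    out: dict[str, bool] = {}
    for body in sections.get("O17", []):
        if m := re.search(r"NameServer = (.+)$", body):
            for ns in re.split(r"[,;\s]+", m.group(1).strip()):
                out[ns] = _is_ip_literal(ns) and ipaddress.ip_address(ns).is_private
    return out


def dpf_hosts(sections: dict[str, list[str]]) -> dict[str, bool]:
    """O16 DPF (ActiveX download) hosts mapped to whether the host is a bare IP literal."""
    out: dict[str, bool] = {}
    for body in sections.get("O16", []):
        host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
        out[host] = _is_ip_literal(host)
    return out


def service_binaries(sections: dict[str, list[str]]) -> list[str]:
    """O23 service entries: the executable path, which is the last ' - ' separated field."""
    return [body.rsplit(" - ", 1)[-1] for body in sections.get("O23", [])]
```

Feed the whole pasted log to `parse_hjt` and the other functions give you the autorun commands, the DNS servers with a private-range flag, the download hosts with an IP-literal flag, and the service executables, which is the order most helpers read such a log in.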
  12. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    New MBAM

    Malwarebytes' Anti-Malware 1.34
    Database version: 1769
    Windows 5.1.2600 Service Pack 1

    2/18/2009 8:06:50 AM
    mbam-log-2009-02-18 (08-06-50).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 132592
    Time elapsed: 1 hour(s), 41 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000239.dll (Trojan.Vundo) -> Quarantined and deleted successfully
  13. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    New SAS

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/17/2009 at 06:47 PM

    Application Version : 4.25.1012

    Core Rules Database Version : 3762
    Trace Rules Database Version: 1723

    Scan type : Complete Scan
    Total Scan Time : 01:47:01

    Memory items scanned : 477
    Memory threats detected : 0
    Registry items scanned : 4825
    Registry threats detected : 0
    File items scanned : 19682
    File threats detected : 38

    Adware.Tracking Cookie
    C:\Documents and Settings\Carly\Cookies\carly@realmedia[1].txt
    C:\Documents and Settings\Carly\Cookies\carly@adopt.euroclick[1].txt
    C:\Documents and Settings\Carly\Cookies\carly@fastclick[2].txt
    C:\Documents and Settings\Carly\Cookies\carly@questionmarket[1].txt
    C:\Documents and Settings\Carly\Cookies\carly@atdmt[1].txt
    C:\Documents and Settings\Carly\Cookies\carly@revsci[1].txt
    C:\Documents and Settings\Carly\Cookies\carly@specificclick[2].txt
    C:\Documents and Settings\Carly\Cookies\carly@microsoftwindows.112.2o7[1].txt
    C:\Documents and Settings\Carly\Cookies\carly@adtech[1].txt
    C:\Documents and Settings\Carly\Cookies\carly@tribalfusion[1].txt
    C:\Documents and Settings\Carly\Cookies\carly@ad.yieldmanager[2].txt
    C:\Documents and Settings\Carly\Cookies\carly@zedo[2].txt
    C:\Documents and Settings\Carly\Cookies\carly@burstnet[2].txt
    C:\Documents and Settings\Carly\Cookies\carly@doubleclick[1].txt
    C:\Documents and Settings\Carly\Cookies\carly@accounts[1].txt

    Adware.Vundo/Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000239.DLL

    Trace.Known Threat Sources
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\D4O7HDG9\player[1].swf
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\U5JGTCVQ\full-player-trans[1].png
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\WT2B8DMN\a35c5d0808406[2].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\WF7720XH\5ef383b4ce475[1].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\WD6N0T6V\f5e9bdc98de8cd9ed50dc64acb3673ce-vega4[1].json
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\U5JGTCVQ\f4b113bf12d7c[1].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\D4O7HDG9\80b6864f472de[1].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\TDKIFM7A\player[1].swf
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\WT2B8DMN\518ad8bd8d406ab8fe32c7794b57afcd-vega4[1].json
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\NNYS6R25\f4b113bf12d7c[1].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\2R4XW7Y9\2630fb5fc3d1fc2e9680a9f15dc0269e-vega4[1].json
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\WD6N0T6V\11e8faac43870c561fb949595002612c-vega4[1].json
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\SRE7EXUN\2a6d1e97ac95d[1].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\TDKIFM7A\abfdd127ddd2d[1].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\SZ6FUO4I\player[1].swf
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\TDKIFM7A\80b6864f472de[1].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\SZ6FUO4I\player[2].swf
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\NNYS6R25\3e508420e1d0e[1].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\TDKIFM7A\e64c2f269be48[1].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\SRE7EXUN\c33121e186d80[1].jpg
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTE3S52Z\cbbdf27105815101bd23e42771a18549-vega4[1].json
    C:\Documents and Settings\Carly\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTE3S52Z\3e508420e1d0e[1].jpg
     
  14. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK Try attaching if possible!

    Do the below and get me the logs!

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install), then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted, hit the Enter key to restart the computer.

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double-click combofix.exe and follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
  15. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    Here is the SD report (still can't attach anything... does my web browser have anything to do with it?)

    SDFix: Version 1.240
    Run by Carly on Wed 02/18/2009 at 08:40 AM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\IPHHCHC.EXE - Deleted
    C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP1.tmp - Deleted
    C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP2.tmp - Deleted
    C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP3.tmp - Deleted
    C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP34.tmp - Deleted
    C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP4.tmp - Deleted
    C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP5.tmp - Deleted
    C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP6.tmp - Deleted
    C:\DOCUME~1\Carly\LOCALS~1\Temp\TMPC.tmp - Deleted
  16. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-18 08:55:55
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
    "C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE:*:Enabled:pcAnywhere Main Program"
    "C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
    "C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Enabled:pcAnywhere Remote Service"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE:*:Enabled:pcAnywhere Main Program"
  17. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    "C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
    "C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Enabled:pcAnywhere Remote Service"
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
    "C:\\Program Files\\Kodak\\Kodak EasyShare
    software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\iWin Games\\iWinGames.exe"="C:\\Program Files\\iWin Games\\iWinGames.exe:*:Enabled:iWin Games application."
    "C:\\Program Files\\iWin Games\\WebUpdater.exe"="C:\\Program Files\\iWin Games\\WebUpdater.exe:*:Enabled:iWin Games updater."

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Mon 15 Oct 2007 31 A..H. --- "C:\WINDOWS\uccspecc.sys"
    Mon 14 Feb 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Tue 20 Nov 2007 10 A..H. --- "C:\Documents and Settings\All Users\Application Data\iWin Games\drm\Service_1734614758927788743.dll"
    Mon 14 Feb 2005 4,348 ...H. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv1key.bak"
    Fri 8 Aug 2008 20 A..H. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv1lic.bak"
    Tue 29 Jul 2008 9,856 A.SH. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv2key.bak"

    Finished!
  18. mflynn

    mflynn Newcomer, in training Posts: 2,793

    I don't know at this time why you cannot attach, but try a different browser. Other than that, we will address it when you are clean, if it is still there, as it could be the Malware.

    OK do the below...

    Run ComboFix get me the log.

    Then, only then do the below.

    UPDATE, then run SAS again and get me that log.
    Run SDFix again and get me that log.

    These reruns are required because they found and removed Malware and may find more on these new runs; we need to run them till clean.

    Mike
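The rule in the post above (rerun every tool that found something until it comes back clean) can be checked mechanically from the logs being pasted into this thread. As an added example, not TechSpot's or the tool vendors' code, the script below reads the summary sections of the Malwarebytes, SUPERAntiSpyware and SDFix logs and says whether another pass is needed. The sample logs are constructed from abbreviated copies of the ones posted above (the thread shows no second MBAM log, so a clean one is made up for the second run); treating tracking cookies as not forcing a rerun is a design choice made here, since cookies come back with every browsing session and would never let the loop finish.

```python
# Added example, not TechSpot's or the tool vendors' code: parse the summary sections of the
# Malwarebytes (MBAM), SUPERAntiSpyware (SAS) and SDFix logs posted in this thread and apply
# the helper's rule of re-running the tools until they come back clean.
import re

# Constructed sample inputs, abbreviated from the logs posted above; raw strings keep the backslashes.
MBAM_RUN1 = r"""Malwarebytes' Anti-Malware 1.34
Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 1
Files Infected:
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000239.dll (Trojan.Vundo) -> Quarantined and deleted successfully
"""
# The thread shows no second MBAM log; this constructed clean run stands in for one.
MBAM_RUN2 = "Memory Processes Infected: 0\nRegistry Keys Infected: 0\nFiles Infected: 0\n"
SAS_RUN1 = r"""SUPERAntiSpyware Scan Log
File threats detected : 3
Adware.Tracking Cookie
C:\Documents and Settings\Carly\Cookies\carly@realmedia[1].txt
C:\Documents and Settings\Carly\Cookies\carly@doubleclick[1].txt
Adware.Vundo/Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000239.DLL
"""
SAS_RUN2 = r"""SUPERAntiSpyware Scan Log
File threats detected : 2
Adware.Tracking Cookie
C:\Documents and Settings\Carly\Cookies\carly@questionmarket[2].txt
C:\Documents and Settings\Carly\Cookies\carly@atdmt[2].txt
"""
SDFIX_RUN1 = r"""SDFix: Version 1.240
Checking Files :
Trojan Files Found:
C:\WINDOWS\IPHHCHC.EXE - Deleted
C:\DOCUME~1\Carly\LOCALS~1\Temp\TMP1.tmp - Deleted
Removing Temp Files
ADS Check :
"""
SDFIX_RUN2 = "SDFix: Version 1.240\nChecking Files :\nNo Trojan Files Found\nRemoving Temp Files\n"

_MBAM_COUNT = re.compile(r"^(?P<what>[A-Za-z ]+) Infected: (?P<n>\d+)$")
_SAS_TOTAL = re.compile(r"^File threats detected\s*:\s*(\d+)$")
_WIN_PATH = re.compile(r"^[A-Za-z]:\\")
_SDFIX_DELETED = re.compile(r"^(?P<path>.+?) - Deleted$")
COOKIE_CATEGORY = "Adware.Tracking Cookie"  # design choice: cookies alone never force a rerun


def parse_mbam(text: str) -> dict[str, int]:
    """Per-category counters from the MBAM summary ('Files Infected: 1' -> {'Files': 1})."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        if m := _MBAM_COUNT.match(line.strip()):
            counts[m.group("what")] = int(m.group("n"))
    return counts


def parse_sas(text: str) -> dict[str, list[str]]:
    """Detection paths after the SAS summary, grouped under their SAS category heading."""
    detections: dict[str, list[str]] = {}
    declared, category = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if declared is None:                    # still in the header block
            m = _SAS_TOTAL.match(line)
            declared = int(m.group(1)) if m else None
        elif _WIN_PATH.match(line):
            if category is None:
                raise ValueError(f"path before any category heading: {line}")
            detections[category].append(line)
        elif line:                              # a non-path, non-blank line starts a category
            category = line
            detections.setdefault(category, [])
    found = sum(len(v) for v in detections.values())
    if declared is not None and found != declared:  # catches a truncated paste
        raise ValueError(f"SAS log lists {found} items but declares {declared}")
    return detections


def parse_sdfix(text: str) -> list[str]:
    """Paths SDFix reports as removed under 'Trojan Files Found:' ([] for a clean run)."""
    deleted, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "No Trojan Files Found":
            return []
        if line == "Trojan Files Found:":
            in_section = True
        elif in_section and line.endswith(":"):  # next heading, e.g. 'ADS Check :'
            break
        elif in_section and (m := _SDFIX_DELETED.match(line)):
            deleted.append(m.group("path"))
    return deleted


def triage(mbam_text: str, sas_text: str, sdfix_text: str) -> dict:
    """Combine the three logs; 'rerun' stays True while any tool still removes non-cookie items."""
    mbam_hits = sum(parse_mbam(mbam_text).values())
    sas = parse_sas(sas_text)
    cookies = len(sas.get(COOKIE_CATEGORY, []))
    sas_hits = sum(len(v) for v in sas.values()) - cookies
    sdfix_hits = len(parse_sdfix(sdfix_text))
    return {"mbam": mbam_hits, "sas_non_cookie": sas_hits, "sas_cookies": cookies,
            "sdfix": sdfix_hits, "rerun": mbam_hits + sas_hits + sdfix_hits > 0}
```

Calling `triage(MBAM_RUN1, SAS_RUN1, SDFIX_RUN1)` reports the first pass as needing a rerun (Vundo in a restore point plus SDFix deletions), while the second-run inputs come back with only cookies and `rerun` false. The declared-versus-listed check in `parse_sas` exists because pasted logs in threads like this one are often cut off.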
  19. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    Combo Fix log and hijack log after SD and Combo fix ATTACHED (I can attach, I can attach!)
  20. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Well then it was the Malware and we cleaned the one that was causing the problem!

    Now, once you do the reruns from my last post, run ComboFix again, as it found and removed issues and we need to see it clean.

    Mike
  21. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    It won't let me attach again! BAH!

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/18/2009 at 09:41 AM

    Application Version : 4.25.1012

    Core Rules Database Version : 3764
    Trace Rules Database Version: 1725

    Scan type : Quick Scan
    Total Scan Time : 00:12:32

    Memory items scanned : 515
    Memory threats detected : 0
    Registry items scanned : 416
    Registry threats detected : 0
    File items scanned : 7874
    File threats detected : 3

    Adware.Tracking Cookie
    C:\Documents and Settings\Carly\Cookies\carly@questionmarket[2].txt
    C:\Documents and Settings\Carly\Cookies\carly@atdmt[2].txt
    C:\Documents and Settings\Carly\Cookies\carly@doubleclick[2].txt
  22. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK now the new combofix log.

    Mike
  23. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    SD log requested...


    SDFix: Version 1.240
    Run by Carly on 2009-02-18 at 09:55

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-18 10:30:06
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE:*:Enabled:pcAnywhere Main Program"
    "C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
    "C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Enabled:pcAnywhere Remote Service"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE:*:Enabled:pcAnywhere Main Program"
    "C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
    "C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Enabled:pcAnywhere Remote Service"
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\iWin Games\\iWinGames.exe"="C:\\Program Files\\iWin Games\\iWinGames.exe:*:Enabled:iWin Games application."
    "C:\\Program Files\\iWin Games\\WebUpdater.exe"="C:\\Program Files\\iWin Games\\WebUpdater.exe:*:Enabled:iWin Games updater."

    Remaining Files :



    Files with Hidden Attributes :

    Mon 15 Oct 2007 31 A..H. --- "C:\WINDOWS\uccspecc.sys"
    Mon 14 Feb 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Tue 20 Nov 2007 10 A..H. --- "C:\Documents and Settings\All Users\Application Data\iWin Games\drm\Service_1734614758927788743.dll"
    Mon 14 Feb 2005 4,348 ...H. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv1key.bak"
    Fri 8 Aug 2008 20 A..H. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv1lic.bak"
    Tue 29 Jul 2008 9,856 A.SH. --- "C:\Documents and Settings\Carly\My Documents\My Music\License Backup\drmv2key.bak"

    Finished!
  24. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK now the new Combofix log!

    Mike
  25. vtbutterfly2

    vtbutterfly2 Newcomer, in training Topic Starter Posts: 25

    New Combo....

    Note: on both I couldn't install the Recovery Console...