Posted (edited)

Hi guys,

 

I'm using a Windows XP system on my computer and I'm told that the HijackThis log I ran possibly has some suspect items. Could someone please take a look at it? Thanks.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:53:56, on 16/09/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS.0\System32\smss.exe

C:\WINDOWS.0\system32\winlogon.exe

C:\WINDOWS.0\system32\services.exe

C:\WINDOWS.0\system32\lsass.exe

C:\WINDOWS.0\system32\svchost.exe

C:\WINDOWS.0\System32\svchost.exe

C:\WINDOWS.0\system32\svchost.exe

C:\WINDOWS.0\system32\spoolsv.exe

C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\dldnserv.exe

C:\WINDOWS.0\system32\dldncoms.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS.0\system32\nvsvc32.exe

C:\WINDOWS.0\system32\svchost.exe

C:\WINDOWS.0\System32\TUProgSt.exe

C:\WINDOWS.0\system32\SearchIndexer.exe

C:\Program Files\Webroot\Washer\WasherSvc.exe

C:\WINDOWS.0\Explorer.EXE

C:\WINDOWS.0\RTHDCPL.EXE

C:\WINDOWS.0\system32\RUNDLL32.EXE

C:\Program Files\Dell V105\dldnmon.exe

C:\Program Files\Dell V105\dldnMsdMon.exe

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Webroot\Washer\wwDisp.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS.0\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\FinePixViewerS\QuickDCF2.exe

C:\WINDOWS.0\STK02N\STK02NM.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.206.201.8 virusermoverpro.microsoft.com

O1 - Hosts: 91.206.201.8 virusermoverpro.com

O1 - Hosts: 91.206.201.8 http: // www.virusermoverpro.com

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"

O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\RunOnce: [index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "The Prout Family"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe

O4 - Global Startup: STK02N 2.3 PNP Monitor.lnk = ?

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?AuthParam=1236265810_6d2cb8bf9032a5183a54abf82d9813b9&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab&File=jinstall-6u12-windows-i586-jc.cab&BHost=javadl.sun.com

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe

O23 - Service: dldn_device - - C:\WINDOWS.0\system32\dldncoms.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS.0\System32\TuneUpDefragService.exe

O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS.0\System32\TUProgSt.exe

O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--

End of file - 8413 bytes

Edited by chiaz

Posted

Extra info to Nickys post.

I ran the HTLog for her after she became infected.

After installing the Firefox browser she immediately became infected with the BankerFox.A trojan. SUPERAntiSpyware seemed to get rid of it and we ran scans with ESET and Malwarebytes to see if she was clean. The last Malwarebytes scan she ran had 286 infections, some in the registry.

As I am not a "techie", I asked her to post it as there seemed to be suspicious entries to me.

The PC is an Elonex with a dual-core AMD processor, Windows XP Home Edition fully updated, 4 GB RAM.

Security is ESET firewall and antivirus, SUPERAntiSpyware and Malwarebytes. She runs full scans 3 times a week.

Hope this helps.

Posted

Hi nicky.

I would wait for chiaz to look at the log but offhand I don't see anything to be overly concerned about.

 

I'm not sure what your Tuneup program is but as a rule I'm not a fan of such. I do see a dll file I'm not sure about too.

 

Wait for chiaz but if your scans are clean and your computer is not experiencing any problems you are probably ok.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.

Get help with computer problems. Join Free PC Help here

 

Donations are welcome. Read Here

Posted

Hey nicky,

 

I disabled the live link in your HJT log to virusermoverpro.com. This is a rogue site promoting malware.

 

====================

 

OK, first let's have you run HijackThis and place a tick by the following entries:

O1 - Hosts: 91.206.201.8 virusermoverpro.microsoft.com

O1 - Hosts: 91.206.201.8 virusermoverpro.com

O1 - Hosts: 91.206.201.8 http: // www.virusermoverpro.com

 

Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.

 

====================

 

Next download Malwarebytes' Anti-Malware by clicking the link below:

|MG| Malwarebytes Anti-Malware 1.41 Download

 

Double Click mbam-setup.exe to install the application.

 

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.

* The scan may take some time to finish, so please be patient.

* When the scan is complete, click OK, then Show Results to view the results.

* Make sure that everything is checked, and click Remove Selected.

* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)

* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

* You'll be required to post the contents of this log later.

 

Please Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

====================

 

Finally download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

 

Go here ======> A guide and tutorial on using ComboFix <====== Go here

 

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

Once installed, you should get a prompt that says:

 

The Recovery Console was successfully installed.

 

Please continue as follows:

 

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

(2) Click Yes to allow ComboFix to continue scanning for malware.

 

When the tool is finished, it will produce a report for you.

 

 

Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.

 

 

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
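The O1 entries the helper asks to have fixed are the interesting part of this log: a hosts file that maps a hostname under microsoft.com to an outside address is a classic way rogue software hijacks name resolution. The following Python is an added example, not code from this thread or from HijackThis, showing how a defender can mechanically triage O1 lines. The sample lines are the four O1 entries from the log above (including the one the helper defanged with "http: //"); the PROTECTED_DOMAINS list and the verdict names are this example's own assumptions.

```python
import ipaddress
import re

# Sample O1 lines, copied from the HijackThis log posted in this thread.
# The last one was defanged by the forum helper ("http: //"), and the
# parser has to cope with that form as well.
SAMPLE_O1_LINES = [
    "O1 - Hosts: ::1 localhost",
    "O1 - Hosts: 91.206.201.8 virusermoverpro.microsoft.com",
    "O1 - Hosts: 91.206.201.8 virusermoverpro.com",
    "O1 - Hosts: 91.206.201.8 http: // www.virusermoverpro.com",
]

# Domains whose hostnames a hosts file should never repoint to an outside
# address. Constructed list for this example; extend it with your own vendors.
PROTECTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "eset.com", "malwarebytes.org")

_O1_RE = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(.+?)\s*$")
_SCHEME_RE = re.compile(r"^https?:\s*//\s*", re.IGNORECASE)


def parse_o1_line(line):
    """Split a HijackThis 'O1 - Hosts:' line into (address, hostname); None if not an O1 line."""
    m = _O1_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def assess_hosts_entry(address, hostname):
    """Classify one hosts-file mapping; returns (verdict, reason).

    Verdicts used here: "ok", "review", "suspicious", "redirect-trusted".
    """
    # A hostname written with a URL scheme is not a valid hosts entry at all, but
    # strip the scheme so the domain check still works on defanged log lines.
    name = _SCHEME_RE.sub("", hostname).strip().lower()
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "suspicious", "address field is not an IP address"
    if ip.is_loopback or ip.is_unspecified:
        # 127.0.0.1 / ::1 / 0.0.0.0: the normal way to name the local host or sinkhole a domain
        return "ok", "loopback or null-route mapping"
    for domain in PROTECTED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return "redirect-trusted", "hostname under %s repointed to %s" % (domain, ip)
    if ip.is_private:
        return "review", "mapped to private address %s; verify against internal inventory" % ip
    return "suspicious", "mapped to external address %s" % ip


def suspect_hosts_entries(lines):
    """Return [(address, hostname, verdict, reason)] for every O1 entry that is not 'ok'."""
    findings = []
    for line in lines:
        parsed = parse_o1_line(line)
        if parsed is None:
            continue
        address, hostname = parsed
        verdict, reason = assess_hosts_entry(address, hostname)
        if verdict != "ok":
            findings.append((address, hostname, verdict, reason))
    return findings


if __name__ == "__main__":
    # Prints the three rogue entries from the log; the ::1 localhost line is filtered out as normal.
    for address, hostname, verdict, reason in suspect_hosts_entries(SAMPLE_O1_LINES):
        print("%-16s %-40s %-16s %s" % (verdict, hostname, address, reason))
```

Run against the sample lines, the loopback entry is accepted and the three 91.206.201.8 entries are reported, with the microsoft.com one ranked highest because a trusted vendor's hostname has been repointed. Pasting the O1 section of any HijackThis log into SAMPLE_O1_LINES gives the same triage for another machine.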

Posted

Hi Guys,

 

Thanks for the reply. I already have Malwarebytes installed. It found 208 infected files before I sent the original post. Would it be useful for me to send the report to you? I have done as instructed regarding the Hijackthis log and removed the said items. I have had a look at installing Combofix and it looks a little complicated to me, but I'll have a go anyway. Will post the log when I've completed the scan. Thanks once again.

Posted

Give MBAM an update, as well as a quick scan again. Then reboot your PC and run ComboFix.

 

Take all the time you need, we're always here. :)

Posted

Hi Chiaz,

 

I'm posting the ComboFix log as requested. When I opened up my desktop afterwards, it had two internet icons. The usual one has "e4" under it and the new one has "Internet Explorer" under it. Is this normal, should it be there, and if not, how do I get rid of it?

Also, could you explain what you meant by this: "I disabled the live link in your HJT log to virusermoverpro.com."

Here is the log report

ComboFix 09-09-17.04 - The Prout Family 18/09/2009 19:03.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3519.3037 [GMT 1:00]

Running from: c:\documents and settings\The Prout Family.ELONEX\Desktop\ComboFix.exe

AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\The prout family\Application Data\Microsoft\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe

c:\documents and settings\The prout family\Application Data\Microsoft\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe

c:\documents and settings\The prout family\Application Data\Microsoft\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe

c:\documents and settings\The prout family\Application Data\Microsoft\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe

c:\program files\SGPSA

c:\program files\SGPSA\BHO.dll

c:\windows.0\Alcmtr.exe

c:\windows\Installer\12281bf.msi

c:\windows\Installer\154d04.msi

c:\windows\Installer\19bb4a.msi

c:\windows\Installer\226627.msi

c:\windows\Installer\247e2c.msi

c:\windows\Installer\2bc4e0.msi

c:\windows\Installer\488bab.msi

c:\windows\Installer\488bb8.msi

c:\windows\Installer\746ca4.msi

c:\windows\Installer\746ddf.msi

c:\windows\Installer\b7877.msi

c:\windows\Installer\b787c.msi

.

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))

.

2009-09-14 15:14 . 2009-09-14 15:14 604416 ----a-w- c:\windows.0\system32\TUProgSt.exe

2009-09-14 15:14 . 2009-04-27 12:21 28928 ----a-w- c:\windows.0\system32\uxtuneup.dll

2009-09-14 15:14 . 2009-09-14 15:14 361216 ----a-w- c:\windows.0\system32\TuneUpDefragService.exe

2009-09-09 21:36 . 2009-09-09 21:36 -------- d-----w- c:\windows.0\system32\wbem\Repository

2009-09-09 20:22 . 2009-06-21 21:44 153088 -c----w- c:\windows.0\system32\dllcache\triedit.dll

2009-09-02 15:08 . 2008-06-19 16:24 28544 ----a-w- c:\windows.0\system32\drivers\pavboot.sys

2009-08-29 15:08 . 2009-08-29 15:08 -------- d-----w- C:\ProgramData

2009-08-29 15:05 . 2007-10-17 14:54 413696 ----a-w- c:\windows.0\system32\3Planesoft_Screensaver_Manager.scr

2009-08-29 15:05 . 2009-08-29 15:05 -------- d-----w- c:\program files\3Planesoft Screensaver Manager

2009-08-29 15:05 . 2009-08-29 15:05 -------- d-----w- c:\windows.0\system32\3Planesoft

2009-08-29 15:05 . 2007-11-09 11:24 19411456 ----a-w- c:\windows.0\system32\Cuckoo Clock 3D Screensaver.exe

2009-08-29 15:05 . 2009-08-29 15:05 -------- d-----w- c:\program files\Cuckoo Clock 3D Screensaver

2009-08-29 15:05 . 2007-11-09 11:25 778240 ----a-w- c:\windows.0\system32\Cuckoo_Clock_3D_Screensaver.scr

2009-08-22 10:43 . 2009-08-22 10:43 -------- d-----w- c:\program files\Legjendat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-18 10:28 . 2009-02-25 20:10 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-17 19:01 . 2008-10-10 21:49 -------- d-----w- c:\program files\LeeGTs Games

2009-09-17 16:59 . 2009-08-18 19:26 -------- d-----w- c:\documents and settings\The Prout Family.ELONEX\Application Data\dvdcss

2009-09-17 16:46 . 2008-02-09 12:01 -------- d-----w- c:\program files\FinePixViewerS

2009-09-16 21:42 . 2008-04-16 14:15 -------- d---a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP

2009-09-16 21:42 . 2008-06-30 16:10 -------- d-----w- c:\program files\SpywareBlaster

2009-09-14 15:14 . 2009-08-14 13:53 -------- d-----w- c:\program files\TuneUp Utilities 2009

2009-09-14 13:46 . 2009-03-16 11:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-10 13:54 . 2009-03-16 11:59 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys

2009-09-10 13:53 . 2009-03-16 11:59 19160 ----a-w- c:\windows.0\system32\drivers\mbam.sys

2009-09-09 16:33 . 2008-11-29 12:56 16 ----a-w- c:\windows.0\popcinfo.dat

2009-09-06 16:37 . 2009-08-18 15:05 24 ----a-w- c:\windows.0\popcinfot.dat

2009-09-03 15:01 . 2009-09-03 14:53 3804415726 ----a-w- c:\documents and settings\All Users.WINDOWS.0\SPL1A4.tmp

2009-09-01 19:50 . 2009-09-01 19:40 4260531942 ----a-w- c:\documents and settings\All Users.WINDOWS.0\SPL18.tmp

2009-09-01 19:36 . 2009-09-01 19:27 4263280124 ----a-w- c:\documents and settings\All Users.WINDOWS.0\SPL16.tmp

2009-08-24 18:53 . 2008-07-30 18:38 -------- d-----w- c:\program files\Ricochet Xtreme

2009-08-18 16:11 . 2009-08-18 15:19 -------- d-----w- c:\program files\Auran

2009-08-18 16:07 . 2007-07-25 20:17 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-18 15:03 . 2009-08-18 15:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\PopCap Games

2009-08-18 15:03 . 2009-08-18 14:49 -------- d-----w- c:\program files\PopCap Games

2009-08-18 14:47 . 2009-08-18 14:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\HipSoft

2009-08-15 13:31 . 2009-08-15 09:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Candy Factory

2009-08-14 13:53 . 2008-04-16 14:27 -------- d-----w- c:\documents and settings\The Prout Family.ELONEX\Application Data\TuneUp Software

2009-08-14 13:53 . 2009-08-14 13:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TuneUp Software

2009-08-14 13:52 . 2009-08-14 13:52 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}

2009-08-09 12:58 . 2009-08-09 12:58 -------- d-----w- c:\program files\Google

2009-08-09 12:58 . 2009-08-09 11:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\BigFishGamesCache

2009-08-09 12:58 . 2009-08-09 12:58 -------- d-----w- c:\program files\BFG

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows.0\system32\mswebdvd.dll

2009-07-22 18:57 . 2009-06-20 09:31 -------- d-----w- c:\documents and settings\The Prout Family.ELONEX\Application Data\Twintale Entertainment

2009-07-18 16:20 . 2008-04-16 15:34 27272 ----a-w- c:\documents and settings\The Prout Family.ELONEX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows.0\system32\atl.dll

2009-07-13 22:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows.0\system32\wmpdxm.dll

2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows.0\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 12:00 78336 ------w- c:\windows.0\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows.0\system32\corpol.dll

2009-06-25 08:25 . 2008-07-13 14:43 730112 ----a-w- c:\windows.0\system32\lsasrv.dll

2009-06-25 08:25 . 2008-07-13 14:43 136192 ----a-w- c:\windows.0\system32\msv1_0.dll

2009-06-25 08:25 . 2008-07-13 14:43 147456 ----a-w- c:\windows.0\system32\schannel.dll

2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows.0\system32\secur32.dll

2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows.0\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows.0\system32\kerberos.dll

2009-06-24 11:18 . 2008-07-13 14:43 92928 ----a-w- c:\windows.0\system32\drivers\ksecdd.sys

2007-10-26 13:14 . 2007-10-26 13:14 774144 ----a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-18 1998576]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows.0\system32\NvMcTray.dll" [2008-09-17 86016]

"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-06-24 668912]

"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-06-24 16624]

"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2008-09-17 13574144]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-24 1451264]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 148888]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows.0\RTHDCPL.exe [2006-08-14 16050176]

"SkyTel"="SkyTel.EXE" - c:\windows.0\SkyTel.exe [2006-05-16 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows.0\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\

Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-2-9 303104]

STK02N 2.3 PNP Monitor.lnk - c:\windows.0\STK02N\STK02NM.exe [2009-2-12 163840]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-05 19:42 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows.0\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS.0\\system32\\dldncoms.exe"=

"c:\\Program Files\\Dell V105\\dldnmon.exe"=

"c:\\WINDOWS.0\\system32\\spool\\drivers\\w32x86\\3\\dldnpswx.exe"=

"c:\\WINDOWS.0\\system32\\spool\\drivers\\w32x86\\3\\dldnjswx.exe"=

"c:\\Program Files\\Dell V105\\dldnlscn.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=

"c:\\Program Files\\Dell V105\\frun.exe"=

R0 pavboot;pavboot;c:\windows.0\system32\drivers\pavboot.sys [02/09/2009 16:08 28544]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2009 12:43 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 12:43 74480]

R2 dldn_device;dldn_device;c:\windows.0\system32\dldncoms.exe -service --> c:\windows.0\system32\dldncoms.exe -service [?]

R2 dldnCATSCustConnectService;dldnCATSCustConnectService;c:\windows.0\system32\spool\drivers\w32x86\3\dldnserv.exe [11/01/2009 20:56 99568]

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [24/10/2008 21:51 468224]

R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows.0\system32\TUProgSt.exe [14/09/2009 16:14 604416]

R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [16/04/2008 15:56 598856]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 12:43 7408]

S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows.0\system32\drivers\WebSTAR.sys [16/04/2008 16:05 15417]

S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;c:\windows.0\system32\drivers\SACMXP1.sys [20/11/2003 16:01 14848]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2009-09-18 c:\windows.0\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://uk.yahoo.com/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2009-09-18 19:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]

@Denied: (3) (LocalSystem)

"AppDataDir"="c:\\Documents and Settings\\All Users.WINDOWS.0\\Application Data\\ESET\\ESET Smart Security\\"

"DataDir"="ESET\\ESET Smart Security\\"

"EditionName"="Student Edition"

"InstallDir"="c:\\Program Files\\ESET\\ESET Smart Security\\"

"LanguageId"=dword:00000409

"ProductBase"=dword:00000001

"ProductCode"="{4CEBE5E6-D1FD-4BDF-8C9C-29A9A3CC2B7C}"

"ProductName"="ESET Smart Security"

"ProductType"="ess"

"ProductVersion"="3.0.684.0"

"UniqueId"="0006AC9E49ABC1A1"

"ScannerBuild"=dword:00000ed0

"ScannerVersionId"=dword:00000de1

"ScannerVersion"=""

"FixId"=dword:00000005

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"NoChange"="1"

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

@=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1784)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows.0\system32\WININET.dll

.

Completion time: 2009-09-18 19:08

ComboFix-quarantined-files.txt 2009-09-18 18:08

Pre-Run: 208,919,846,912 bytes free

Post-Run: 208,817,061,888 bytes free

233 --- E O F --- 2009-09-09 21:02

Thanks

Nicky

Posted
I'm posting the ComboFix log as requested. When I opened up my desktop afterwards, it had two internet icons. The usual one has "e4" under it and the new one has "Internet Explorer" under it. Is this normal, should it be there, and if not, how do I get rid of it?

You can keep one and delete the other icon.

 

Also, could you explain what you meant by this: "I disabled the live link in your HJT log to virusermoverpro.com."

In your HJT log, there was a link to virusermoverpro.com. If guests are careless enough to click on the link, they may get infected. So I edited out the link. It wasn't your fault though. And it's nothing to be really concerned about, I was just informing you. :)

 

================================

 

 

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

 

It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

 

Open *notepad* and copy/paste the text in the quotebox below into it:

 

File::
c:\documents and settings\All Users.WINDOWS.0\SPL1A4.tmp
c:\documents and settings\All Users.WINDOWS.0\SPL18.tmp
c:\documents and settings\All Users.WINDOWS.0\SPL16.tmp

Dirlook::
c:\program files\Legjendat
c:\documents and settings\All Users.WINDOWS.0\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}

 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

 

 

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

 

 

When finished, it shall produce a log for you at C:\ComboFix.txt

 

Please copy and paste the ComboFix.txt in your new reply.

 

*Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*

Posted

Chiaz

I'm helping Nicky with all your instructions via phone.

 

Last night her PC shut down and when she started it up again she had this warning (see photo).

Anything to worry about before we carry out the instructions in your last post?

Sorry but I can't copy the picture here so I'll write out the text.

 

Blue screen error caused by device or driver

You received this message because a hardware device, its driver or software device has caused a blue screen error. This type of error means the computer has shut down abruptly to protect itself from potential data corruption or loss. In this case we were unable to detect the specific device or driver that caused the problem.

The following might prevent the blue screen error from recurring.

Steps to solve this problem

Download and install the latest updates and drivers for your computer

Check your computer for viruses

Check your hard disc for errors

Steps to work around this problem

 

Warning!!

These steps are designed to address a particular problem but might do so by temporarily disabling or removing some functionality on your computer

Remove any new hardware or software to isolate the cause of the blue screen

Restore your computer to an earlier state

 

That's what's on the screen, Chiaz; it looks genuine as it has Microsoft Error Reporting headed on it.

Nicky doesn't want to mess her PC up, so she's asked me to post this on her behalf for your comments as to what she should do.

 

When you reply I will relay the info to Nicky and we can then carry out the instructions in your last post.

Regards

Steve

Posted

Just to be on the safe side you should back up all your data, favorites and address book if you use a mail client like Outlook Express. I say this because if you have a hardware problem like a bad drive you risk losing it.

 

Also make sure you have recovery disks made.


Posted

Hi Steve and Nicky,

 

That is what we call a BSOD (Blue Screen of Death). But is it a one-off thing, or does it now appear on every boot-up?

 

You can follow the instructions in my previous post with no problems though. But heed Randy's instructions to back up all important data first.

Posted

Well, it appears to have only happened once so we'll carry out your last set of instructions chiaz.

 

BTW, would it be prudent to run a disc check to repair any errors etc.? (I won't do that until you give the OK.)

Posted

Hi Chiaz. Unable to post all the log at once so I'll split it into three. First bit is here.

ComboFix 09-09-17.04 - The Prout Family 19/09/2009 13:32.3.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3519.3036 [GMT 1:00]

Running from: c:\documents and settings\The Prout Family.ELONEX\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\The Prout Family.ELONEX\Desktop\CFScript.txt

AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FILE ::

"c:\documents and settings\All Users.WINDOWS.0\SPL16.tmp"

"c:\documents and settings\All Users.WINDOWS.0\SPL18.tmp"

"c:\documents and settings\All Users.WINDOWS.0\SPL1A4.tmp"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users.WINDOWS.0\SPL16.tmp

c:\documents and settings\All Users.WINDOWS.0\SPL18.tmp

c:\documents and settings\All Users.WINDOWS.0\SPL1A4.tmp

.

((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))

.

2009-09-14 15:14 . 2009-09-14 15:14 604416 ----a-w- c:\windows.0\system32\TUProgSt.exe

2009-09-14 15:14 . 2009-04-27 12:21 28928 ----a-w- c:\windows.0\system32\uxtuneup.dll

2009-09-14 15:14 . 2009-09-14 15:14 361216 ----a-w- c:\windows.0\system32\TuneUpDefragService.exe

2009-09-09 21:36 . 2009-09-09 21:36 -------- d-----w- c:\windows.0\system32\wbem\Repository

2009-09-09 20:22 . 2009-06-21 21:44 153088 -c----w- c:\windows.0\system32\dllcache\triedit.dll

2009-09-02 15:08 . 2008-06-19 16:24 28544 ----a-w- c:\windows.0\system32\drivers\pavboot.sys

2009-08-29 15:08 . 2009-08-29 15:08 -------- d-----w- C:\ProgramData

2009-08-29 15:05 . 2007-10-17 14:54 413696 ----a-w- c:\windows.0\system32\3Planesoft_Screensaver_Manager.scr

2009-08-29 15:05 . 2009-08-29 15:05 -------- d-----w- c:\program files\3Planesoft Screensaver Manager

2009-08-29 15:05 . 2009-08-29 15:05 -------- d-----w- c:\windows.0\system32\3Planesoft

2009-08-29 15:05 . 2007-11-09 11:24 19411456 ----a-w- c:\windows.0\system32\Cuckoo Clock 3D Screensaver.exe

2009-08-29 15:05 . 2009-08-29 15:05 -------- d-----w- c:\program files\Cuckoo Clock 3D Screensaver

2009-08-29 15:05 . 2007-11-09 11:25 778240 ----a-w- c:\windows.0\system32\Cuckoo_Clock_3D_Screensaver.scr

2009-08-22 10:43 . 2009-08-22 10:43 -------- d-----w- c:\program files\Legjendat

Posted

Second lot

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-18 10:28 . 2009-02-25 20:10 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-17 19:01 . 2008-10-10 21:49 -------- d-----w- c:\program files\LeeGTs Games

2009-09-17 16:59 . 2009-08-18 19:26 -------- d-----w- c:\documents and settings\The Prout Family.ELONEX\Application Data\dvdcss

2009-09-17 16:46 . 2008-02-09 12:01 -------- d-----w- c:\program files\FinePixViewerS

2009-09-16 21:42 . 2008-04-16 14:15 -------- d---a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP

2009-09-16 21:42 . 2008-06-30 16:10 -------- d-----w- c:\program files\SpywareBlaster

2009-09-14 15:14 . 2009-08-14 13:53 -------- d-----w- c:\program files\TuneUp Utilities 2009

2009-09-14 13:46 . 2009-03-16 11:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-10 13:54 . 2009-03-16 11:59 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys

2009-09-10 13:53 . 2009-03-16 11:59 19160 ----a-w- c:\windows.0\system32\drivers\mbam.sys

2009-09-09 16:33 . 2008-11-29 12:56 16 ----a-w- c:\windows.0\popcinfo.dat

2009-09-06 16:37 . 2009-08-18 15:05 24 ----a-w- c:\windows.0\popcinfot.dat

2009-08-24 18:53 . 2008-07-30 18:38 -------- d-----w- c:\program files\Ricochet Xtreme

2009-08-18 16:11 . 2009-08-18 15:19 -------- d-----w- c:\program files\Auran

2009-08-18 16:07 . 2007-07-25 20:17 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-18 15:03 . 2009-08-18 15:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\PopCap Games

2009-08-18 15:03 . 2009-08-18 14:49 -------- d-----w- c:\program files\PopCap Games

2009-08-18 14:47 . 2009-08-18 14:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\HipSoft

2009-08-15 13:31 . 2009-08-15 09:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Candy Factory

2009-08-14 13:53 . 2008-04-16 14:27 -------- d-----w- c:\documents and settings\The Prout Family.ELONEX\Application Data\TuneUp Software

2009-08-14 13:53 . 2009-08-14 13:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TuneUp Software

2009-08-14 13:52 . 2009-08-14 13:52 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}

2009-08-09 12:58 . 2009-08-09 12:58 -------- d-----w- c:\program files\Google

2009-08-09 12:58 . 2009-08-09 11:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\BigFishGamesCache

2009-08-09 12:58 . 2009-08-09 12:58 -------- d-----w- c:\program files\BFG

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows.0\system32\mswebdvd.dll

2009-07-22 18:57 . 2009-06-20 09:31 -------- d-----w- c:\documents and settings\The Prout Family.ELONEX\Application Data\Twintale Entertainment

2009-07-18 16:20 . 2008-04-16 15:34 27272 ----a-w- c:\documents and settings\The Prout Family.ELONEX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows.0\system32\atl.dll

2009-07-13 22:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows.0\system32\wmpdxm.dll

2009-06-29 16:12 . 2004-08-04 12:00 827392 ------w- c:\windows.0\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 12:00 78336 ------w- c:\windows.0\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows.0\system32\corpol.dll

2009-06-25 08:25 . 2008-07-13 14:43 730112 ----a-w- c:\windows.0\system32\lsasrv.dll

2009-06-25 08:25 . 2008-07-13 14:43 136192 ----a-w- c:\windows.0\system32\msv1_0.dll

2009-06-25 08:25 . 2008-07-13 14:43 147456 ----a-w- c:\windows.0\system32\schannel.dll

2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows.0\system32\secur32.dll

2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows.0\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows.0\system32\kerberos.dll

2009-06-24 11:18 . 2008-07-13 14:43 92928 ----a-w- c:\windows.0\system32\drivers\ksecdd.sys

2007-10-26 13:14 . 2007-10-26 13:14 774144 ----a-w- c:\program files\RngInterstitial.dll

.
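Reading these ComboFix sections by eye is slow, and the thing the helper was chasing (a hidden, system-flagged directory with a GUID name under Application Data, which is why it went into the Dirlook:: list) is easy to miss among the game files. The following is an added example, written for this thread and not part of ComboFix or of anyone's post, that parses the "Files Created" / "Find3M" entry format shown above and lists the entries an analyst would want to look at first. It assumes the eight-character attribute column is laid out as d/c/s/h/a/r/w with "-" where a flag is unset (an assumption inferred from the lines above, not documented by ComboFix here), and the sample lines it runs on are copied from the log posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One ComboFix file/directory entry, as seen in the "Files Created",
# "Find3M Report" and "Look" sections of the posted log:
#   <created> . <modified> <size or --------> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Path whose last component is a brace-wrapped GUID, e.g. \{55A29068-...}
GUID_LEAF_RE = re.compile(
    r"\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories ("--------" in the log)
    attrs: str            # assumed layout: d c s h a r w, '-' where unset
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return "s" in self.attrs

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for one log line, or None for banners, dots and blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    """Parse every entry line in a pasted log section, skipping everything else."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def review_flags(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Entries worth a closer look, with the reason for each (prompts, not verdicts)."""
    flags = []
    for e in entries:
        if e.is_dir and e.is_system and e.is_hidden:
            flags.append((e.path, "hidden+system directory"))
        if e.is_dir and GUID_LEAF_RE.search(e.path) and "application data" in e.path.lower():
            flags.append((e.path, "GUID-named directory under Application Data"))
    return flags


# Lines copied from the ComboFix log posted above, plus a section banner and a
# lone "." so the parser's skipping of non-entry lines is exercised.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 15:14 . 2009-09-14 15:14 604416 ----a-w- c:\windows.0\system32\TUProgSt.exe
2009-09-09 21:36 . 2009-09-09 21:36 -------- d-----w- c:\windows.0\system32\wbem\Repository
2009-08-18 16:07 . 2007-07-25 20:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-14 13:52 . 2009-08-14 13:52 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2007-10-26 13:14 . 2007-10-26 13:14 774144 ----a-w- c:\program files\RngInterstitial.dll
"""

if __name__ == "__main__":
    for path, why in review_flags(parse_log(SAMPLE_LOG)):
        print(f"{why}: {path}")
```

On the sample above only the {55A29068-...} directory is reported, once for being hidden and system-flagged and once for its GUID name under Application Data; the hidden-only InstallShield directory is not, because hidden without system is ordinary for installer bookkeeping. A flag here means "ask about it" (which is what the Dirlook:: directive in the helper's script does), not "delete it".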

Posted

Third lot

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\All Users.WINDOWS.0\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop. ----

 

---- Directory of c:\program files\Legjendat ----

2009-09-03 21:28 . 2009-09-03 21:28 131172 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Skeleton_Warcry_01.wav

2009-09-03 21:28 . 2009-09-03 21:28 118879 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\female seduce.wav

2009-09-03 21:28 . 2009-09-03 21:28 16486 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\SwordSpearImpact_Dry.wav

2009-08-24 20:07 . 2009-08-29 12:07 2616 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\users\Lex.bwa

2009-08-24 19:54 . 2009-08-24 20:06 5219 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\users\luther.bwa

2009-08-23 21:11 . 2009-08-23 21:11 94307 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Elephant_Death_03.wav

2009-08-23 21:11 . 2009-08-23 21:11 147555 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Elephant_Death_01.wav

2009-08-23 21:11 . 2009-08-23 21:11 94307 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Elephant_Death_02.wav

2009-08-23 21:11 . 2009-08-23 21:11 139357 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Elephant_01.wav

2009-08-23 21:11 . 2009-08-23 21:11 41054 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Bat_Death_01.wav

2009-08-23 19:44 . 2009-08-23 19:44 77916 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\kubwa_roar.wav

2009-08-23 19:44 . 2009-08-23 19:44 102497 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\kubwa_greeting2.wav

2009-08-23 19:44 . 2009-08-23 19:44 53340 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\kubwa_barh.wav

2009-08-23 19:44 . 2009-08-23 19:44 49248 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\kubwa_greeting.wav

2009-08-23 19:25 . 2009-08-23 19:25 24672 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Slump_Small_01.wav

2009-08-23 19:25 . 2009-08-23 19:25 16481 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\humanmalegrunt3.wav

2009-08-23 19:25 . 2009-08-23 19:25 16475 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\male_pain.wav

2009-08-23 14:30 . 2009-08-23 14:30 204895 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\nemesis_laugh.wav

2009-08-23 14:30 . 2009-08-23 14:30 147553 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\witchy_laugh_01.wav

2009-08-23 14:30 . 2009-08-23 14:30 41056 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Witch_Groan_01.wav

2009-08-22 21:34 . 2009-08-22 21:34 41056 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\male_low_anger.wav

2009-08-22 21:34 . 2009-08-22 21:34 28767 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\male_low_pain.wav

2009-08-22 21:34 . 2009-08-22 21:34 49249 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\male_low_warcry.wav

2009-08-22 20:21 . 2009-08-22 20:21 106591 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Pig_Squeal_01.wav

2009-08-22 20:05 . 2009-08-22 20:05 127070 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\dragon_death.wav

2009-08-22 20:05 . 2009-08-22 20:05 53341 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\dragon_bite.wav

2009-08-22 16:26 . 2009-08-22 16:26 131161 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Wail_05.wav

2009-08-22 16:26 . 2009-08-22 16:26 147563 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\generic_animal_grumble_01.wav

2009-08-22 16:26 . 2009-08-22 16:26 266334 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\wolf_howl_01.wav

2009-08-22 16:26 . 2009-08-22 16:26 49248 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\dog_barking_01.wav

2009-08-22 16:26 . 2009-08-22 16:26 110691 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Feline_whimper_02.wav

2009-08-22 16:26 . 2009-08-22 16:26 254056 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Fading_ghostly_wail_01.wav

2009-08-22 16:26 . 2009-08-22 16:26 163929 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\wail_03.wav

2009-08-22 16:26 . 2009-08-22 16:26 102497 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\sonic_attack_02.wav

2009-08-22 16:26 . 2009-08-22 16:26 176232 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\fading_ghostly_wail_03.wav

2009-08-22 12:33 . 2009-08-22 12:33 159843 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\pulsing_attack_01.wav

2009-08-22 12:33 . 2009-08-22 12:33 114783 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\pig_squeal_02.wav

2009-08-22 12:33 . 2009-08-22 12:33 110691 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\feline_whimper_01.wav

2009-08-22 12:33 . 2009-08-22 12:33 131166 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\eagle_cry_01.wav

2009-08-22 12:07 . 2009-08-22 12:07 233576 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Fading_ghostly_wail_02.wav

2009-08-22 12:07 . 2009-08-22 12:07 163933 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\dragon_pain.wav

2009-08-22 12:07 . 2009-08-22 12:07 61529 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\roar_01.wav

2009-08-22 12:07 . 2009-08-22 12:07 200797 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\dragon_roar.wav

2009-08-22 12:07 . 2009-08-22 12:07 36962 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\generic_slosh_02.wav

2009-08-22 12:07 . 2009-08-22 12:07 41057 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Female_groan_02.wav

2009-08-22 12:07 . 2009-08-22 12:07 61537 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\witchy_laugh_02.wav

2009-08-22 12:07 . 2009-08-22 12:07 24673 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Female_groan_01.wav

2009-08-22 12:07 . 2009-08-22 12:07 176220 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Female_Mmm.wav

2009-08-22 12:07 . 2009-08-22 12:07 102492 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\Female_ooh.wav

2009-08-22 12:07 . 2009-08-22 12:07 131167 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\snake_hiss_01.wav

2009-08-22 11:36 . 2009-08-22 11:36 36960 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\GiantGruntDry1.wav

2009-08-22 11:36 . 2009-08-22 11:36 41057 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\GiantGruntEcho2.wav

2009-08-22 11:27 . 2009-08-22 11:27 73824 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\dog_whimper_01.wav

2009-08-22 11:27 . 2009-08-22 11:27 135264 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\dog_barking_02.wav

2009-08-22 11:27 . 2009-08-22 11:27 20577 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\humanmalegrunt2.wav

2009-08-22 11:27 . 2009-08-22 11:27 24665 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\moan_01.wav

2009-08-22 11:27 . 2009-08-22 11:27 36959 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\arrow_shot_01.wav

2009-08-22 11:27 . 2009-08-22 11:27 32867 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\slicing_attack_01.wav

2009-08-22 11:27 . 2009-08-22 11:27 28771 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\slicing_attack_02.wav

2009-08-22 11:27 . 2009-08-22 11:27 57436 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\male_laugh.wav

2009-08-22 11:27 . 2009-08-22 11:27 24674 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\SwordSpearImpact.wav

2009-08-22 11:27 . 2009-08-22 11:27 41052 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\male_anger.wav

2009-08-22 11:27 . 2009-08-22 11:27 36957 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\male_laugh2.wav

2009-08-22 11:27 . 2009-09-19 12:22 24087 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\users\nicky.bwa

Posted

One more lot

2009-08-22 10:44 . 2009-08-22 10:44 16473 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\bite_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 94307 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\petrify_attack_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 147554 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\tiles_plagued_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 106597 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lightning_attack_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 86112 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\BoardFrozen_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 45144 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lockit.wav

2009-08-22 10:44 . 2009-08-22 10:44 94302 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\PowerDown_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 143458 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\PowerUpPotion_02.wav

2009-08-22 10:44 . 2009-08-22 10:44 114787 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\healpotionused_02.wav

2009-08-22 10:44 . 2009-08-22 10:44 24672 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\largeimpact_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 12384 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\smallimpact_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 82018 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\tiles_smashed_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 45153 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\boardstunned_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 114786 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\poison_attack_01.wav

2009-08-22 10:44 . 2009-08-22 10:44 176220 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\vo_whomped.wav

2009-08-22 10:44 . 2009-08-22 10:44 188511 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\vo_vanquished.wav

2009-08-22 10:44 . 2009-08-22 10:44 172123 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\vo_routed.wav

2009-08-22 10:44 . 2009-08-22 10:44 225376 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\vo_obliterated.wav

2009-08-22 10:44 . 2009-08-22 10:44 221278 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\vo_destroyed.wav

2009-08-22 10:44 . 2009-08-22 10:44 208990 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\vo_decimated.wav

2009-08-22 10:44 . 2009-08-22 10:44 159836 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\vo_crushed.wav

2009-08-22 10:44 . 2009-08-22 10:44 192608 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\vo_annihilated.wav

2009-08-22 10:44 . 2009-08-22 10:44 36958 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\potionpickup.wav

2009-08-22 10:44 . 2009-08-22 10:44 45148 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\word_power.wav

2009-08-22 10:44 . 2009-08-22 10:44 41050 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\powerup3.wav

2009-08-22 10:44 . 2009-08-22 10:44 82009 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\purify2.wav

2009-08-22 10:44 . 2009-08-22 10:44 73815 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\heal2.wav

2009-08-22 10:44 . 2009-08-22 10:44 41049 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\weaken3.wav

2009-08-22 10:44 . 2009-08-22 10:44 90198 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\ice4.wav

2009-08-22 10:44 . 2009-08-22 10:44 45143 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\fire1.wav

2009-08-22 10:44 . 2009-08-22 10:44 45142 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\ice1.wav

2009-08-22 10:44 . 2009-08-22 10:44 41049 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\poison1.wav

2009-08-22 10:44 . 2009-08-22 10:44 49241 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\XPGain4.wav

2009-08-22 10:44 . 2009-08-22 10:44 36959 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_newminigame.wav

2009-08-22 10:44 . 2009-08-22 10:44 65647 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_welcometobookwormadventures.wav

2009-08-22 10:44 . 2009-08-22 10:44 16470 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_go.wav

2009-08-22 10:44 . 2009-08-22 10:44 20567 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_one.wav

2009-08-22 10:44 . 2009-08-22 10:44 20567 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_two.wav

2009-08-22 10:44 . 2009-08-22 10:44 32860 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\sheepbleat.wav

2009-08-22 10:44 . 2009-08-22 10:44 45149 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_cashmoney.wav

2009-08-22 10:44 . 2009-08-22 10:44 20569 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_three.wav

2009-08-22 10:44 . 2009-08-22 10:44 36956 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_iloveyou.wav

2009-08-22 10:44 . 2009-08-22 10:44 106589 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\sloooowdown.wav

2009-08-22 10:44 . 2009-08-22 10:44 49244 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_scramble.wav

2009-08-22 10:44 . 2009-08-22 10:44 32090 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_burp.wav

2009-08-22 10:44 . 2009-08-22 10:44 82010 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_sneeze.wav

2009-08-22 10:44 . 2009-08-22 10:44 20571 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_giggle1.wav

2009-08-22 10:44 . 2009-08-22 10:44 12379 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_giggle2.wav

2009-08-22 10:44 . 2009-08-22 10:44 32864 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_incredible.wav

2009-08-22 10:44 . 2009-08-22 10:44 32862 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_watchout.wav

2009-08-22 10:44 . 2009-08-22 10:44 61537 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_autological.wav

2009-08-22 10:44 . 2009-08-22 10:44 28762 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_nice.wav

2009-08-22 10:44 . 2009-08-22 10:44 24670 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_verygood.wav

2009-08-22 10:44 . 2009-08-22 10:44 53343 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_fantastic.wav

2009-08-22 10:44 . 2009-08-22 10:44 16474 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_good.wav

2009-08-22 10:44 . 2009-08-22 10:44 32861 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_awesome.wav

2009-08-22 10:44 . 2009-08-22 10:44 28767 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_excellent.wav

2009-08-22 10:44 . 2009-08-22 10:44 32865 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_astonishing.wav

2009-08-22 10:44 . 2009-08-22 10:44 28761 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_wow.wav

2009-08-22 10:44 . 2009-08-22 10:44 36958 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_bossbattle.wav

2009-08-22 10:44 . 2009-08-22 10:44 20568 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\warpin.wav

2009-08-22 10:44 . 2009-08-22 10:44 36953 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\warpout.wav

2009-08-22 10:44 . 2009-08-22 10:44 245847 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\fire6.wav

2009-08-22 10:44 . 2009-08-22 10:44 20588 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\SwordSpearImpact_WithWoosh.wav

2009-08-22 10:44 . 2009-08-22 10:44 16487 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\BluntImpact_WithWoosh.wav

2009-08-22 10:44 . 2009-08-22 10:44 53335 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\fire3.wav

2009-08-22 10:44 . 2009-08-22 10:44 24669 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_levelup.wav

2009-08-22 10:44 . 2009-08-22 10:44 61533 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\newtreasure.wav

2009-08-22 10:44 . 2009-08-22 10:44 102491 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\firework1.wav

2009-08-22 10:44 . 2009-08-22 10:44 94299 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\firework2.wav

2009-08-22 10:44 . 2009-08-22 10:44 163932 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\crowdcheer.wav

2009-08-22 10:44 . 2009-08-22 10:44 65626 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\chaching.wav

2009-08-22 10:44 . 2009-08-22 10:44 41050 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_buynow.wav

2009-08-22 10:44 . 2009-08-22 10:44 45155 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_clipsandgiggles.wav

2009-08-22 10:44 . 2009-08-22 10:44 41055 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_dontleaveme.wav

2009-08-22 10:44 . 2009-08-22 10:44 61539 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_tomeofknowledge.wav

2009-08-22 10:44 . 2009-08-22 10:44 16472 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_quit.wav

2009-08-22 10:44 . 2009-08-22 10:44 65630 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_halloffame.wav

2009-08-22 10:44 . 2009-08-22 10:44 45149 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_minigames.wav

2009-08-22 10:44 . 2009-08-22 10:44 32859 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_options.wav

2009-08-22 10:44 . 2009-08-22 10:44 28765 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_adventure.wav

2009-08-22 10:44 . 2009-08-22 10:44 24665 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\v_arena.wav

2009-08-22 10:44 . 2009-08-22 10:44 41048 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\buzzer.wav

2009-08-22 10:44 . 2009-08-22 10:44 57434 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\gemspawn.wav

2009-08-22 10:44 . 2009-08-22 10:44 16472 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\click1.wav

2009-08-22 10:44 . 2009-08-22 10:44 4184 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\click2.wav

2009-08-22 10:44 . 2009-08-22 10:44 8285 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\tile_select.wav

2009-08-22 10:43 . 2009-08-22 10:43 8283 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\cached\sounds\lex_chomp.wav

2009-08-22 10:43 . 2009-08-22 10:43 4711 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\Uninstall.ini

2009-01-06 17:43 . 2009-08-22 10:43 145935 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\Uninstall.exe

2009-01-06 17:42 . 2009-08-22 11:27 2566 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\users\Legjendat.bwa

2009-01-06 16:01 . 2009-01-06 16:01 4 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\Channel.id

2009-01-06 15:39 . 2009-01-06 15:39 20077 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\Channel.dat

2009-01-06 15:39 . 2009-01-06 15:39 8 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\RAW_004.wdt

2009-01-06 15:39 . 2009-01-06 15:39 7982 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\unins000.dat

2009-01-06 15:38 . 2009-01-06 15:38 695578 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\unins000.exe

2008-12-24 22:38 . 2008-12-24 22:38 4765000 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\BookWorm Adventures.exe

2008-12-24 22:38 . 2008-12-24 22:38 514601 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\Arcade.dat

2008-12-24 22:38 . 2008-12-24 22:38 94697 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\background.jpg

2008-12-24 22:38 . 2008-12-24 22:38 2294 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\button_hover.jpg

2008-12-24 22:38 . 2008-12-24 22:38 1594 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\button_normal.jpg

2008-12-24 22:38 . 2008-12-24 22:38 2194 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\button_pressed.jpg

2008-12-24 22:38 . 2008-12-24 22:38 842 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\RAW_002.wdt

2008-12-24 22:38 . 2008-12-24 22:38 45056 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\RAW_003.wdt

2008-12-24 22:38 . 2008-12-24 22:38 970822 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\ReflexiveArcade\ReflexiveArcade.dll

2008-10-16 13:43 . 2008-10-16 13:43 27396911 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\main.pak

2008-10-16 13:43 . 2008-10-16 13:43 92728 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\bass.dll

2008-10-16 13:43 . 2008-10-16 13:43 939224 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\Flash.ocx

2008-10-16 13:43 . 2008-10-16 13:43 94208 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\j2k-codec.dll

2008-10-16 13:43 . 2008-10-16 13:43 9683 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\license.txt

2008-10-16 13:43 . 2008-10-16 13:43 38898 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\readme.html

2008-10-16 13:43 . 2008-10-16 13:43 91770 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\images\cutscenes\Book2Intro.swf

2008-10-16 13:43 . 2008-10-16 13:43 87823 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\images\cutscenes\Book3End.swf

2008-10-16 13:43 . 2008-10-16 13:43 100982 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\images\cutscenes\Book3Intro.swf

2008-10-16 13:43 . 2008-10-16 13:43 240694 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\images\cutscenes\intro.swf

2008-10-16 13:43 . 2008-10-16 13:43 420 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\properties\partner.xml

2008-10-16 13:43 . 2008-10-16 13:43 24 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\properties\partner.xml.sig

2005-12-26 07:43 . 2005-12-26 07:43 94720 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\Reflexive\raukgxmas-egoist.exe

2005-02-26 03:52 . 2005-02-26 03:52 0 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\Reflexive\cracked.by.EGOiST

2005-02-26 03:52 . 2005-02-26 03:52 0 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\Reflexive\ReflexiveArcade\cracked.by.EGOiST

2004-12-01 20:55 . 2004-12-01 20:55 270113 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\Reflexive\ReflexiveArcade\Arcade.dat

2004-10-13 21:41 . 2004-10-13 21:41 970822 ----a-w- c:\program files\Legjendat\BookWorm Adventures Deluxe\Reflexive\ReflexiveArcade\ReflexiveArcade.dll

Posted

Last one hopefully

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-18 1998576]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows.0\system32\NvMcTray.dll" [2008-09-17 86016]

"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-06-24 668912]

"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-06-24 16624]

"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2008-09-17 13574144]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-24 1451264]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 148888]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows.0\RTHDCPL.exe [2006-08-14 16050176]

"SkyTel"="SkyTel.EXE" - c:\windows.0\SkyTel.exe [2006-05-16 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows.0\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\

Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-2-9 303104]

STK02N 2.3 PNP Monitor.lnk - c:\windows.0\STK02N\STK02NM.exe [2009-2-12 163840]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-05 19:42 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows.0\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS.0\\system32\\dldncoms.exe"=

"c:\\Program Files\\Dell V105\\dldnmon.exe"=

"c:\\WINDOWS.0\\system32\\spool\\drivers\\w32x86\\3\\dldnpswx.exe"=

"c:\\WINDOWS.0\\system32\\spool\\drivers\\w32x86\\3\\dldnjswx.exe"=

"c:\\Program Files\\Dell V105\\dldnlscn.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=

"c:\\Program Files\\Dell V105\\frun.exe"=

R0 pavboot;pavboot;c:\windows.0\system32\drivers\pavboot.sys [02/09/2009 16:08 28544]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2009 12:43 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 12:43 74480]

R2 dldn_device;dldn_device;c:\windows.0\system32\dldncoms.exe -service --> c:\windows.0\system32\dldncoms.exe -service [?]

R2 dldnCATSCustConnectService;dldnCATSCustConnectService;c:\windows.0\system32\spool\drivers\w32x86\3\dldnserv.exe [11/01/2009 20:56 99568]

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [24/10/2008 21:51 468224]

R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows.0\system32\TUProgSt.exe [14/09/2009 16:14 604416]

R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [16/04/2008 15:56 598856]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 12:43 7408]

S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows.0\system32\drivers\WebSTAR.sys [16/04/2008 16:05 15417]

S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;c:\windows.0\system32\drivers\SACMXP1.sys [20/11/2003 16:01 14848]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows.0\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://uk.yahoo.com/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2009-09-19 13:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]

@Denied: (3) (LocalSystem)

"AppDataDir"="c:\\Documents and Settings\\All Users.WINDOWS.0\\Application Data\\ESET\\ESET Smart Security\\"

"DataDir"="ESET\\ESET Smart Security\\"

"EditionName"="Student Edition"

"InstallDir"="c:\\Program Files\\ESET\\ESET Smart Security\\"

"LanguageId"=dword:00000409

"ProductBase"=dword:00000001

"ProductCode"="{4CEBE5E6-D1FD-4BDF-8C9C-29A9A3CC2B7C}"

"ProductName"="ESET Smart Security"

"ProductType"="ess"

"ProductVersion"="3.0.684.0"

"UniqueId"="0006AC9E49ABC1A1"

"ScannerBuild"=dword:00000ed0

"ScannerVersionId"=dword:00000de1

"ScannerVersion"=""

"FixId"=dword:00000005

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"NoChange"="1"

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

@=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1184)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows.0\system32\WININET.dll

.

Completion time: 2009-09-19 13:36

ComboFix-quarantined-files.txt 2009-09-19 12:36

ComboFix2.txt 2009-09-18 18:08

Pre-Run: 208,765,661,184 bytes free

Post-Run: 208,728,076,288 bytes free

410 --- E O F --- 2009-09-09 21:02
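The "Reg Loading Points" section above is what a helper reads by eye: Run keys, disabled "Run-" entries, the firewall policy and the service list. As an added example (not part of this thread and not ComboFix's own code), the Python below parses a constructed excerpt modelled on that section and flags the three entries in this log that merit a second look: the Windows Firewall standard profile switched off (EnableFirewall = 0), a service whose image ComboFix could not stat (the "[?]" on dldn_device), and a Run value that is a bare file name resolved through the search path (RTHDCPL.EXE). The rule names, the severity scale and the Finding class are my own choices, and the excerpt is a handful of lines, not the full log.

```python
"""Triage a ComboFix-style "Reg Loading Points" excerpt for the entries a helper
would look at twice. Added example: not part of the thread or of ComboFix."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the posted log (a few lines, not the whole
# section). ComboFix prints "[?]" where it could not stat a service image.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-18 1998576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows.0\RTHDCPL.exe [2006-08-14 16050176]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 dldn_device;dldn_device;c:\windows.0\system32\dldncoms.exe -service --> c:\windows.0\system32\dldncoms.exe -service [?]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [24/10/2008 21:51 468224]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="value" [ - resolved path] [ [YYYY-MM-DD size] ]; the value may be
# unquoted (EnableFirewall) and the trailing stat block may be absent (Run-).
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="?(?P<value>[^"]*)"?'
    r"(?: - (?P<resolved>.+?))?"
    r"(?: \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$"
)
# R0..R3 / S0..S3 service lines: start type, name, display name, image, stat.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+) \[(?P<meta>[^\]]*)\]$"
)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info" (my own scale, not ComboFix's)
    rule: str
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Walk the excerpt once, tracking the current registry key, and emit findings."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m["key"]
            continue
        if (m := SERVICE_RE.match(line)):
            if m["meta"] == "?":
                # ComboFix could not find or stat the image: check it by hand.
                findings.append(Finding("medium", "unresolved-service-image",
                                        f"{m['name']}: {m['image']}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # startup-folder .lnk lines and others are out of scope here
        name, value = m["name"], m["value"].strip()
        key = current_key.lower()
        if key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            if value.startswith("0"):
                findings.append(Finding("high", "firewall-disabled", current_key))
        elif key.endswith("\\run-"):
            # "Run-" is where msconfig parks disabled startup items.
            findings.append(Finding("info", "disabled-autorun", f"{name} -> {value}"))
        elif key.endswith("\\run"):
            if m["resolved"] and "\\" not in value:
                # Bare file name: Windows found it via the search path, so a
                # same-named file earlier in that path would run instead.
                findings.append(Finding("medium", "bare-image-name",
                                        f"{name}={value!r} resolved to {m['resolved']}"))
    return findings


def main() -> None:
    order = {"high": 0, "medium": 1, "info": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")


if __name__ == "__main__":
    main()
```

Run as-is it prints four findings for the excerpt; pass the text of a complete "Reg Loading Points" section to triage() to go further. The rules are deliberately narrow: Winlogon Notify, ShellExecuteHooks and @Denied entries are still read by hand, and the firewall rule is a prompt to confirm rather than a verdict, since a suite with its own firewall, such as the ESET Smart Security in this log, commonly switches Windows Firewall off.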

Posted (edited)

Hey Nicky and Steve,

 

Let's have you go HERE to run Panda ActiveScan 2.0

  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply.

 

========

BTW would it be prudent to run a disc check to repair any errors etc. (won't do that yet until you give the o.k)

You can certainly do so.

Edited by chiaz
Posted

Chiaz,

Here is the Panda Scan report you requested.

;***********************************************************************************************************************************************************************************

ANALYSIS: 2009-09-19 16:16:17

PROTECTIONS: 1

MALWARE: 1

SUSPECTS: 2

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description             | Version | Active | Updated

;===================================================================================================================================================================================

ESET Smart Security 3.0 | 3.0     | Yes    | Yes

;===================================================================================================================================================================================

MALWARE

Id       | Description       | Type      | Active | Severity | Disinfectable | Disinfected | Location

;===================================================================================================================================================================================

03541233 | HackTool/Rebooter | HackTools | No     | 0        | Yes           | No          | C:\System Volume Information\_restore{BF655994-9F05-499A-8826-E96E91DC74D8}\RP121\A0058327.exe

;===================================================================================================================================================================================

SUSPECTS

Sent | Location                                                                                      | C

;===================================================================================================================================================================================

No   | C:\Program Files\Elf Bowling The Last Insult\ElfBowling.exe                                   | C

No   | C:\System Volume Information\_restore{BF655994-9F05-499A-8826-E96E91DC74D8}\RP95\A0034987.exe | C

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description C

;===================================================================================================================================================================================

;===================================================================================================================================================================================

Posted

Your PC should be clean now. Congratulations!

 

It's time to remove ComboFix.

 

Go to Start > Run

Type in the box:

 

combofix /u

 

Note: the space between the X and the /u

 

Press Enter.

 

This command will:

  • Delete the following:
      • ComboFix and its associated files and folders
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:\_OtMoveIt folder, if present
  • Reset the clock settings
  • Hide file extensions, if required
  • Hide System/Hidden files, if required
  • Reset System Restore

 

 

 

Let me know if you have any other questions or problems. Otherwise I think we are all done here. :)
